Linux Privilege Escalation
  • Ansible Playbook Privilege Escalation
  • Apache Conf Privilege Escalation
  • Bash eq Privilege Escalation
  • Buffer Overflow Privilege Escalation
  • Chrome Remote Debugger Pentesting
  • Doas Privilege Escalation
  • Ghidra Debug Mode RCE
  • Gnuplot Privilege Escalation
  • LXC/LXD (Linux Container/Daemon) Privilege Escalation
  • Linux Privilege Escalation
  • Mozilla Pentesting
  • OpenSSL Privilege Escalation
  • Pip Download Code Execution
  • PolKit Privilege Escalation
  • Python Eval Code Execution
  • Python Jails Escape
  • Python Privilege Escalation
  • Python Yaml Privilege Escalation
  • Ruby Privilege Escalation
  • Rust Privilege Escalation
  • SSSD Privilege Escalation
  • Shared Library Hijacking
  • Snapd Privilege Escalation
  • Sudo ClamAV Privilege Escalation
  • Sudo Dstat Privilege Escalation
  • Sudo Exiftool Privilege Escalation
  • Sudo Fail2ban Privilege Escalation
  • Sudo Git Privilege Escalation
  • Sudo Java Privilege Escalation
  • Sudo OpenVPN Privilege Escalation
  • Sudo Path Traversal Privilege Escalation
  • Sudo Privilege Escalation
  • Sudo Privilege Escalation by Overriding Shared Library
  • Sudo Reboot Privilege Escalation
  • Sudo Screen Privilege Escalation
  • Sudo Service Privilege Escalation
  • Sudo Shutdown, Poweroff Privilege Escalation
  • Sudo Systemctl Privilege Escalation
  • Sudo Tee Privilege Escalation
  • Sudo Umount Privilege Escalation
  • Sudo Vim Privilege Escalation
  • Sudo Wall Privilege Escalation
  • Sudo Wget Privilege Escalation
  • Sudoedit Privilege Escalation
  • Tar Wildcard Injection PrivEsc
  • Update-Motd Privilege Escalation
  • irb (Interactive Ruby Shell) Privilege Escalation
  • Linux Backdoors
  • Linux Pivoting
  • Post eploitation
Powered by GitBook
On this page

Apache Conf Privilege Escalation

Investigation

ls -al /etc/apache2

-rwxrwxrwx  1 root root  7094 NOV 7  2023 apache2.conf
Copied!

If we can modify the apache configuration file, we can update the web owner (www-data) to arbitrary user.

Exploitation

1. Update Apache.Conf

First modify “apache.conf” file to change the web user with new one.

# These need to be set in /etc/apache2/envvars
User www-data
Group www-data
Copied!

2. Insert Reverse Shell Script

In the web directory (e.g. /var/www/html), create the script to reverse shell. Assume the website uses PHP, so we can create “shell.php” in the web root and insert PHP reverse shell script.

3. Restart Apache Server

4. Get a Shell

We need to start a listener in local terminal.

nc -lvnp 1234
Copied!

Then access to the web page e.g. https://example.com/shell.php.

We should get a shell as the desired user.

PreviousAnsible Playbook Privilege EscalationNextBash eq Privilege Escalation

Last updated 1 year ago

  • Investigation
  • Exploitation
Page cover image