Page cover image

Apache Conf Privilege Escalation

ls -al /etc/apache2

-rwxrwxrwx  1 root root  7094 NOV 7  2023 apache2.conf
Copied!

If we can modify the apache configuration file, we can update the web owner (www-data) to arbitrary user.

First modify “apache.conf” file to change the web user with new one.

# These need to be set in /etc/apache2/envvars
User www-data
Group www-data
Copied!

In the web directory (e.g. /var/www/html), create the script to reverse shell. Assume the website uses PHP, so we can create “shell.php” in the web root and insert PHP reverse shell script.

We need to start a listener in local terminal.

nc -lvnp 1234
Copied!

Then access to the web page e.g. https://example.com/shell.php.

We should get a shell as the desired user.

Last updated