Apache Conf Privilege Escalation

Investigation

ls -al /etc/apache2

-rwxrwxrwx  1 root root  7094 NOV 7  2023 apache2.conf
Copied!

If we can modify the apache configuration file, we can update the web owner (www-data) to arbitrary user.

Exploitation

1. Update Apache.Conf

First modify “apache.conf” file to change the web user with new one.

# These need to be set in /etc/apache2/envvars
User www-data
Group www-data
Copied!

2. Insert Reverse Shell Script

In the web directory (e.g. /var/www/html), create the script to reverse shell. Assume the website uses PHP, so we can create “shell.php” in the web root and insert PHP reverse shell script.

3. Restart Apache Server

4. Get a Shell

We need to start a listener in local terminal.

nc -lvnp 1234
Copied!

Then access to the web page e.g. https://example.com/shell.php.

We should get a shell as the desired user.

PreviousAnsible Playbook Privilege Escalation NextBash eq Privilege Escalation

Last updated 1 year ago