Investigation
If we can modify the Apache configuration file, we can change the user that the web server runs as (www-data) to an arbitrary user.
Exploitation
1. Update Apache.Conf
First, modify the “apache.conf” file to change the web user to a new one.
2. Insert Reverse Shell Script
In the web directory (e.g. /var/www/html), create the reverse shell script.
Assume the website uses PHP, so we can create “shell.php” in the web root and insert a PHP reverse shell script into it.
3. Restart Apache Server
4. Get a Shell
We need to start a listener in a local terminal.
Then access the web page, e.g. https://example.com/shell.php.
We should get a shell as the desired user.
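As an added example (not part of the original page), here is a defensive audit for the condition described under Investigation: it flags an Apache config or envvars file that a non-root account could rewrite, and a run-as account other than the expected one. The www-data default, the Debian-style ${APACHE_RUN_USER} / ${APACHE_RUN_GROUP} variables, the function names and the sample config are assumptions.

```python
import os
import re
import stat
import tempfile

# Assumed Debian-style defaults; adjust for your distribution.
EXPECTED = {"www-data", "${APACHE_RUN_USER}", "${APACHE_RUN_GROUP}"}
# Matches "User x" / "Group x" in a config file and
# "export APACHE_RUN_USER=x" in an envvars file. Commented lines do not match.
DIRECTIVE = re.compile(
    r"^\s*(?:(User|Group)\s+|export\s+APACHE_RUN_(USER|GROUP)=)(\S+)", re.I)


def check_directives(text, expected=EXPECTED):
    """Return (line_no, directive, value) for each unexpected run-as account."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            value = m.group(3).strip("\"'")
            if value not in expected:
                hits.append((n, (m.group(1) or m.group(2)).capitalize(), value))
    return hits


def check_permissions(path, trusted_uids=(0,)):
    """Return findings if an untrusted account could rewrite the file."""
    st = os.stat(path)
    findings = []
    if st.st_uid not in trusted_uids:
        findings.append(f"owner uid {st.st_uid} is not trusted")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"group/other writable (mode {stat.S_IMODE(st.st_mode):o})")
    return findings


# Constructed sample: a config whose run-as account was changed.
SAMPLE_CONF = """\
# constructed example config
ServerRoot "/etc/apache2"
User alice
Group ${APACHE_RUN_GROUP}
UserDir disabled
"""

if __name__ == "__main__":
    for n, name, value in check_directives(SAMPLE_CONF):
        print(f"line {n}: {name} is {value!r}, expected one of {sorted(EXPECTED)}")
    with tempfile.NamedTemporaryFile() as tmp:  # stand-in for the real config path
        os.chmod(tmp.name, 0o666)
        print(tmp.name, check_permissions(tmp.name))
```

Point both functions at the real config and envvars paths on the host being audited. A writable parent directory has the same effect as a writable file, so check those as well.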