Privilege Escalation

Ansible Playbook Privilege Escalation

Apache Conf Privilege Escalation

Bash eq Privilege Escalation

Buffer Overflow Privilege Escalation

Chrome Remote Debugger Pentesting

Doas Privilege Escalation

FireFox Credentials Dumping

Ghidra Debug Mode RCE

Gnuplot Privilege Escalation

LXC/LXD (Linux Container/Daemon) Privilege Escalation

Linux Privilege Escalation

OpenSSL Privilege Escalation

Pip Download Code Execution

PolKit Privilege Escalation

Python Eval Code Execution

Python Jails Escape

Python Privilege Escalation

Python Yaml Privilege Escalation

Ruby Privilege Escalation

Rust Privilege Escalation

SSSD Privilege Escalation

Shared Library Hijacking

Snapd Privilege Escalation

Sudo ClamAV Privilege Escalation

Sudo Dstat Privilege Escalation

Sudo Exiftool Privilege Escalation

Sudo Fail2ban Privilege Escalation

Sudo Git Privilege Escalation

Sudo Java Privilege Escalation

Sudo OpenVPN Privilege Escalation

Sudo Path Traversal Privilege Escalation

Sudo Privilege Escalation

Sudo Privilege Escalation by Overriding Shared Library

Sudo Reboot Privilege Escalation

Sudo Screen Privilege Escalation

Sudo Service Privilege Escalation

Sudo Shutdown, Poweroff Privilege Escalation

Sudo Systemctl Privilege Escalation

Sudo Tee Privilege Escalation

Sudo Umount Privilege Escalation

Sudo Vim Privilege Escalation

Sudo Wall Privilege Escalation

Sudo Wget Privilege Escalation

Sudoedit Privilege Escalation

Tar Wildcard Injection PrivEsc

Update-Motd Privilege Escalation

irb (Interactive Ruby Shell) Privilege Escalation

Apache Conf Privilege Escalation

Last modified: 2023-03-07

Investigation

ls -al /etc/apache2

-rwxrwxrwx  1 root root  7094 NOV 7  2023 apache2.conf

If we can modify the apache configuration file, we can update the web owner (www-data) to arbitrary user.

Exploitation

1. Update Apache.Conf

First modify “apache.conf” file to change the web user with new one.

# These need to be set in /etc/apache2/envvars
User www-data
Group www-data

2. Insert Reverse Shell Script

In the web directory (e.g. /var/www/html), create the script to reverse shell.
Assume the website uses PHP, so we can create “shell.php” in the web root and insert PHP reverse shell script.

3. Restart Apache Server

4. Get a Shell

We need to start a listener in local terminal.

nc -lvnp 1234

Then access to the web page e.g. https://example.com/shell.php.

We should get a shell as the desired user.

Privilege Escalation

Post Exploitation

Backup

Container

Archive

Attack

Protocol

Management

Apache Conf Privilege Escalation

Investigation

Exploitation

1. Update Apache.Conf

2. Insert Reverse Shell Script

3. Restart Apache Server

4. Get a Shell

ON THIS PAGE