2

I am attempting to solve a CTF challenge where I am logged in as a member of the www-data group and the apache2 service is misconfigured and can be run as sudo without a password. What I am attempting to do is access a token stored at /root/token.txt. From what I can gather I need to get apache2 to run a shell script with its elevated privileges on start-up. The file /etc/apache2/conf-enabled/serve-cgi-bin.conf reads:

```apache
<IfModule mod_alias.c>

    <IfModule mod_cgi.c>
        Define ENABLE_USR_LIB_CGI_BIN
    </IfModule>

    <IfModule mod_cgid.c>
        Define ENABLE_USR_LIB_CGI_BIN
    </IfModule>

    <IfDefine ENABLE_USR_LIB_CGI_BIN>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Require all granted
        </Directory>
    </IfDefine>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

So I tried to write a shell script to /usr/lib/cgi-bin but I didn't have permission. I also don't have permission to edit the serve-cgi-bin.conf file, so I can't point the cgi-bin at a different directory.

6
  • Which command can you run with sudo? One alternative would be to write your own apache config, with paths that you have write access to...
    – vidarlo
    Commented Nov 17, 2020 at 17:58
  • @vidarlo The way the CTF question is asked it has multiple parts, one part asks "What service can be run as sudo without a password?" To which the correct answer is apache2, however, sudo apache2 still asks for a password and apache2 returns the error: Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot. How would I change the config to be the one that I have written?
    – retsek680
    Commented Nov 17, 2020 at 18:21
  • You would have to look into what command you can run, and how to pass parameters to that command. man apache2 will likely give you hints.
    – vidarlo
    Commented Nov 17, 2020 at 18:57
  • @vidarlo I copied the entirety of /etc/apache2/ into a directory I have write access to in the hopes of supplying the new apache2.conf with the -f flag, and after changing my by running source envvars I now receive the error make_sock: could not bind to address 0.0.0.0:80. So I changed the listen port in ports.conf to 81 but I am still receiving the same error about attempting to bind to port 80.
    – retsek680
    Commented Nov 17, 2020 at 20:02
  • You'll have to learn the tool you're using. In this case some *nix (probably Linux) and Apache.
    – vidarlo
    Commented Nov 17, 2020 at 20:10

1 Answer

1

The if conditional toward the bottom implements +ExecCGI and +SymLinksIfOwnerMatch which should be able to be used with `find . -exec /bin/sh |` (Insert Shell arguments for SymLink Cross-Compiler in C to pipe mod_cgi.c to SymLink and Cross Compile a Rootkit or Linux Kernel Module in a single frame cgi data layer injected into Memory and Processed GPU only)

The `find . -exec` implements system level privileges to run the execution cycle of a compiled binary application in C and if you thread it in a GPGPU you should be able to patch a Rootkit out of the characters in their index locations after reading a file stream and coding a syntactic lexicon as a dictionary key: value array and create a link list compilation and kernel build before using the system privileges for the /usr/bin/cgi_lib directory after piping all commands through either `find . -exec /bin/sh |` or directly through the `find . -exec` command to elevate privileges enough to use the directory privileges at system level which allow a cgi execution and a `SymLink` with User Access Role Authenticity for authenticated accounts on local system connections.
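
The misconfiguration in the question is a sudo rule that lets www-data start apache2 as root with whatever arguments the caller chooses, which is why the comments turn to the -f flag. The following audit is an added example, not part of the original thread or the challenge: it flags sudoers rules that leave the arguments of a config-loading daemon open. The rule lines are constructed, the `/usr/sbin/apache2` path and the `httpd` entry are assumptions, and aliases and include files are not resolved.

```python
import re

# Assumption: daemons whose command line can name the config file to load
# (apache2 takes -f, as in the comments; httpd is the same server elsewhere).
CONFIG_LOADING = {"apache2", "httpd"}

RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(?P<tag>[A-Z_]+):\s*")

def audit_sudoers(text):
    """Return (who, command, nopasswd) for rules that leave arguments open."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: drops comments and #include
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        nopasswd = False  # a tag carries over to the commands that follow it
        for spec in rule.group("cmds").split(","):
            spec = spec.strip()
            while (tag := TAG.match(spec)):
                if tag.group("tag") in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group("tag") == "NOPASSWD"
                spec = spec[tag.end():]
            path, _, args = spec.partition(" ")
            if path.rsplit("/", 1)[-1] not in CONFIG_LOADING:
                continue
            # No argument list means any arguments are accepted, and '*' matches
            # across words. Only "" or a fixed argument list pins the command line.
            if not args.strip() or "*" in args:
                findings.append((rule.group("who"), path, nopasswd))
    return findings

# Constructed sample, not taken from the challenge host.
SAMPLE = """\
www-data ALL=(root) NOPASSWD: /usr/sbin/apache2
deploy   ALL=(root) NOPASSWD: /usr/sbin/apache2 "", /usr/bin/systemctl restart apache2
ops      ALL=(root) /usr/sbin/apache2 -k *
%admin   ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for who, cmd, nopasswd in audit_sudoers(SAMPLE):
        print(f"{who}: {cmd} accepts caller-chosen arguments (NOPASSWD={nopasswd})")
```

The `deploy` rule passes because `""` permits the command only with no arguments, and its second command names a fixed service action rather than the daemon binary.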
