I am attempting to solve a CTF challenge where I am logged in as a member of the www-data group and the apache2 service is misconfigured and can be run as sudo without a password. What I am attempting to do is access a token stored at /root/token.txt
. From what I can gather I need to get apache2 to run a shell script with it's elevated privileges on start-up. The file /etc/apache2/conf-enabled/serve-cgi-bin.conf
reads:
<IfModule mod_alias.c>
<IfModule mod_cgi.c>
Define ENABLE_USR_LIB_CGI_BIN
</IfModule>
<IfModule mod_cgid.c>
Define ENABLE_USR_LIB_CGI_BIN
</IfModule>
<IfDefine ENABLE_USR_LIB_CGI_BIN>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Require all granted
</Directory>
</IfDefine>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
So I tried to write shell script to /usr/lib/cgi-bin
but I didn't have permission, I also don't have permission to edit the serve-cgi-bin.conf
file so I can't point the cgi-bin
at a different directory.
sudo
? One alternative would be to write your own apache config, with paths that you have write access to...apache2
, however,sudo apache2
still asks for a password andapache2
returns the error:Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot.
How would I change the config to be the one that I have written?man apache2
will likely give you hints.apache2.conf
with the-f
flag, and after changing my by runningsource envvars
I now recieve the errormake_sock: could not bind to address 0.0.0.0:80
. So I changed the listen port inports.conf
to81
but I am still recieving the same error about attempting to bind to port 80.