17Kas
Exploit apache2 service as member of www-data group
I am attempting to solve a CTF challenge where I am logged in as a member of the www-data group and the apache2 service is misconfigured and can be run as sudo without a password. What I am attempting to do is access a token stored at /root/token.txt. From what I can gather I need to get apache2 to run a shell script with it's elevated privileges on start-up. The file /etc/apache2/conf-enabled/serve-cgi-bin.conf reads:
<IfModule mod_alias.c>
<IfModule mod_cgi.c>
Define ENABLE_USR_LIB_CGI_BIN
</IfModule>
<IfModule mod_cgid.c>
Define ENABLE_USR_LIB_CGI_BIN
</IfModule>
<IfDefine ENABLE_USR_LIB_CGI_BIN>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Require all granted
</Directory>
</IfDefine>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
So I tried to write shell script to /usr/lib/cgi-bin but I didn't have permission, I also don't have permission to edit the serve-cgi-bin.conf file so I can't point the cgi-bin at a different directory.
