Jeffrey Carr

Reputation: 157

Allow directory traversal with Apache2

I'm trying to create a CTF for a project. One of my goals is to set up an Apache web server that allows directory traversal so people attempting my CTF can traverse to my root directory and access a folder containing an encrypted file. I want them to be able to download this file so they can unencrypt it on their machine. However, I don't even know where to start with allowing directory traversal. I've never really used Apache web server before and everything I find online is about preventing directory traversal.

I'm using Apache2 on an Ubuntu 12.04 VM.

Upvotes: 1

Views: 2491

Answers (3)

stackprotector

Reputation: 13588

Minimal example with PHP

  1. Also install PHP:

    sudo apt install php
    
  2. Clear the web root:

    sudo rm -rf /var/www/html/*
    
  3. Create /var/www/html/index.php with the following content:

    <?php
    $p = 'home.php';
    if (isset($_GET['p']))
      $p = $_GET['p'];
    include ($p);
    ?>
    
  4. Create /var/www/html/home.php with the following content:

    <!DOCTYPE html>
    <html>
      <head>
        <title>Read World!</title>
      </head>
      <body>
        <a href="?p=home.php">home</a>
      </body>
    </html>
    
  5. Exploit, e.g.:

    curl http://<IP>/?p=../../../etc/passwd
    

Upvotes: 0
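
For contrast with the deliberately vulnerable `index.php` in the answer above, this is an added example (not part of the answer) of the same page loader with the include confined to the web root. `PAGES_DIR` and `resolve_page()` are hypothetical names, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the answer. PAGES_DIR and resolve_page() are
// hypothetical names; requires PHP 7.1+.
const PAGES_DIR = '/var/www/html';

// Return the canonical path of the requested page inside $baseDir,
// or null when the request has to be refused.
function resolve_page($requested, string $baseDir = PAGES_DIR): ?string
{
    // ?p[]=x arrives as an array; NUL bytes make realpath() throw on PHP 8.
    if (!is_string($requested) || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ../ and follows symlinks; false means no such file.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }
    // The canonical path must stay below the base directory. The trailing
    // separator keeps /var/www/html-old from passing as /var/www/html.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only regular .php files qualify, and never this script itself
    // (?p=index.php would otherwise include itself recursively).
    if (!is_file($target)
        || pathinfo($target, PATHINFO_EXTENSION) !== 'php'
        || $target === realpath(__FILE__)) {
        return null;
    }
    return $target;
}

$page = resolve_page($_GET['p'] ?? 'home.php');
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
include $page;
```

With this check, `?p=../../../etc/passwd` canonicalizes to `/etc/passwd`, fails the prefix comparison and gets a 404. A fixed allowlist of page names is stricter still when the set of pages is known in advance.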

ebuntu

Reputation: 181

Apache itself will not allow a directory traversal vulnerability to be created. You will need to use something like PHP where you pass a ?file=filename parameter and use open() with that value.

The PHP open() function will interpret the ../../ sequences necessary to escape the "intended" directory. However Apache itself will not allow that.

Upvotes: 0

Jeffrey Carr

Reputation: 157

I got a good enough workaround going.

First, I changed DocumentRoot in /etc/apache2/sites-available/default to "/" so that the server could access everything in / and created an index.html file in / so that the Apache server would know what to render. Inside of index.html is just

    <html><script>location="/home/user/server/index.html";</script>

Which renders the actual index to display. I did this to make it more obvious that some kind of directory traversal would be done. By doing this, the path that is displayed to visitors is http://192.168.xx.xx/home/user/server/index.html.

Then, I added a wildcard directory:

    <Directory ~ "/*">
        Options +Indexes
    </Directory>

so that the users could enter any folder within the root directory. Now, when anyone visits 192.168.xx.xx, they are routed to 192.168.xx.xx/home/user/server/index.html, and if they enter anything else, say 192.168.xx.xx/etc/passwd, the file will be displayed to them.

I know this isn't true directory traversal, but it is solution enough for this project.

Upvotes: 0
