Apache


Checking the web service directory after performing manual enumeration:

PS C:\> cd C:\xampp ; ls
 
 
    Directory: C:\xampp
 
 
Mode                LastWriteTime         Length Name                                              
----                -------------         ------ ----                                              
d-----        7/13/2021   3:22 AM                apache                                            
d-----        7/13/2021   3:22 AM                cgi-bin                                           
d-----        7/13/2021   3:22 AM                contrib                                           
d-----        7/13/2021   3:22 AM                FileZillaFTP                                      
d-----         4/8/2025  11:56 AM                htdocs                                            
d-----        7/13/2021   3:22 AM                install                                           
d-----        7/13/2021   3:22 AM                licenses                                          
d-----        7/13/2021   3:22 AM                locale                                            
d-----        7/13/2021   3:22 AM                MercuryMail                                       
d-----        7/13/2021   3:23 AM                mysql                                             
d-----        7/13/2021   3:23 AM                perl                                              
d-----        7/13/2021   3:23 AM                php                                               
d-----        7/13/2021   3:23 AM                phpMyAdmin                                        
d-----        7/13/2021   3:23 AM                sendmail                                          
d-----         4/8/2025  11:04 AM                tmp                                               
d-----        7/13/2021   3:23 AM                tomcat                                            
d-----        7/13/2021   3:23 AM                webalizer                                         
d-----        7/13/2021   3:23 AM                webdav                                            
-a----         6/7/2013  11:15 AM            436 apache_start.bat                                  
-a----        10/1/2019   7:13 AM            190 apache_stop.bat                                   
-a----         4/5/2021   4:16 PM          10324 catalina_service.bat                              
-a----         4/5/2021   4:17 PM           3766 catalina_start.bat                                
-a----         4/5/2021   4:17 PM           3529 catalina_stop.bat                                 
-a----         6/3/2019  11:39 AM            471 mysql_start.bat                                   
-a----        10/1/2019   7:13 AM            270 mysql_stop.bat                                    
-a----        3/13/2017  11:04 AM            824 passwords.txt                                     
-a----         6/8/2021   6:51 AM           7651 readme_de.txt                                     
-a----         6/8/2021   6:51 AM           7513 readme_en.txt                                     
-a----       11/12/2015   4:13 PM            370 setup_xampp.bat                                   
-a----       11/29/2020   1:38 PM           1671 test_php.bat                                      
-a----         4/6/2021  11:38 AM        3368448 xampp-control.exe                                 
-a----         4/5/2021   4:08 PM            978 xampp-control.ini                                 
-a----        3/30/2013  12:29 PM         118784 xampp_start.exe                                   
-a----        3/30/2013  12:29 PM         118784 xampp_stop.exe  

It was an Apache web server from an XAMPP installation.

PS C:\xampp> icacls C:\xampp\htdocs
C:\xampp\htdocs CRAFT\apache:(OI)(CI)(F)
                CRAFT\apache:(I)(OI)(CI)(F)
                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                BUILTIN\Administrators:(I)(OI)(CI)(F)
                BUILTIN\Users:(I)(OI)(CI)(RX)
                BUILTIN\Users:(I)(CI)(AD)
                BUILTIN\Users:(I)(CI)(WD)
                CREATOR OWNER:(I)(OI)(CI)(IO)(F)
 
Successfully processed 1 files; Failed processing 0 files

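It would appear that anyone can write to the web root directory, C:\xampp\htdocs: BUILTIN\Users holds the inherited (AD) and (WD) rights, so any local user can add files and subdirectories there. This was noted by PEAS as well.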

PS C:\xampp\htdocs> echo test123 > test.txt
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft]
└─$ curl http://$IP/test.txt --output -
��test123

This would mean that I can make a lateral movement to the apache account by writing a PHP shell to the web root directory.
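
For auditing the same condition from the defender's side, the following is an added example (not part of the original write-up) that parses icacls output and flags ACEs giving broad groups write-type rights on a web root. The function names and the list of "broad" principals are assumptions made for this sketch; the sample input is the icacls output shown above.

```python
import re

# Sample input: the icacls output for C:\xampp\htdocs shown above.
SAMPLE = r"""C:\xampp\htdocs CRAFT\apache:(OI)(CI)(F)
                CRAFT\apache:(I)(OI)(CI)(F)
                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                BUILTIN\Administrators:(I)(OI)(CI)(F)
                BUILTIN\Users:(I)(OI)(CI)(RX)
                BUILTIN\Users:(I)(CI)(AD)
                BUILTIN\Users:(I)(CI)(WD)
                CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# icacls rights that let a principal create or change content in a directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "GA"}
# Assumption: principals treated as "any local user"; adjust per environment.
BROAD_PRINCIPALS = {"everyone", r"builtin\users", r"nt authority\interactive",
                    r"nt authority\authenticated users"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]+\))+)$")

def parse_icacls(output, path):
    """Return one dict per ACE: principal, inheritance flags, rights."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):            # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                         # blank lines and the summary line
        tokens = re.findall(r"\(([^)]+)\)", m["groups"])
        flags = {t for t in tokens if t in INHERIT_FLAGS}
        rights = {r for t in tokens if t not in INHERIT_FLAGS for r in t.split(",")}
        aces.append({"who": m["who"], "flags": flags, "rights": rights})
    return aces

def writable_by_broad_groups(aces):
    """List (principal, write rights, propagates to children) for risky ACEs."""
    findings = []
    for ace in aces:
        hit = ace["rights"] & WRITE_RIGHTS
        if hit and ace["who"].lower() in BROAD_PRINCIPALS:
            propagates = bool(ace["flags"] & {"CI", "OI"})
            findings.append((ace["who"], sorted(hit), propagates))
    return findings
```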