Allow directory traversal with Apache2
I'm trying to create a CTF for a project. One of my goals is to set up an Apache web server that allows directory traversal so people attempting my CTF can traverse to my root directory and access a folder containing an encrypted file. I want them to be able to download this file so they can unencrypt it on their machine. However, I don't even know where to start with allowing directory traversal. I've never really used Apache web server before and everything I find online is about preventing directory traversal.
I'm using Apache2 on an Ubuntu 12.04 VM.
Solution 1:[1]
I got a good enough workaround going.
First, I changed DocumentRoot in /etc/apache2/sites-available/default to "/" so that the server could access everything in / and created an index.html file in / so that the Apache server would know what to render. Inside of index.html is just
<html><script>location="/home/user/server/index.html";</script>
Which renders the actual index to display. I did this to make it more obvious that some kind of directory traversal would be done. By doing this, the path that is displayed to visitors is http://192.168.xx.xx/home/user/server/index.html.
Then, I added a wildcard directory:
<Directory ~ "/*">
Options +Indexes
</Directory>
so that the users could enter any folder within the root directory. Now, when anyone visits 192.168.xx.xx they are routed to 192.168.xx.xx/home/user/server/index.html and if they enter anything else, say 192.168.xx.xx/etc/passwd the file will be displayed to them.
I know this isn't true directory traversal, but it is solution enough for this project.
Solution 2:[2]
Apache itself will not allow a directory traversal vulnerability to be created. You will need to use something like PHP where you pass a ?file=filename parameter and use open() with that value.
The PHP open() function will interpret the ../../ sequences necessary to escape the "intended" directory. However Apache itself will not allow that.
Solution 3:[3]
Minimal example with PHP
Also install PHP:
sudo apt install php
Clear the web root:
sudo rm -rf /var/www/html/*
Create /var/www/html/index.php with the following content:
<?php
$p = 'home.php';
if (isset($_GET['p']))
    $p = $_GET['p'];
include ($p);
?>
Create /var/www/html/home.php with the following content:
<!DOCTYPE html>
<html>
<head>
<title>Read World!</title>
</head>
<body>
<a href="?p=home.php">home</a>
</body>
</html>
Exploit, e.g.:
curl http://<IP>/?p=../../../etc/passwd
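For comparison, a hardened counterpart to the index.php in Solution 3, added here as an example and not part of the original answer: it canonicalises the p parameter with realpath() and only includes files that stay inside a dedicated template directory. The resolve_page() helper and the pages/ directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answers. resolve_page() and the
// "pages" directory are hypothetical names chosen for this sketch.

/** Map a user-supplied name to a file inside $baseDir, or null if it escapes. */
function resolve_page(string $baseDir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;                      // empty names and NUL bytes are never valid
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                      // template directory is missing
    }
    // realpath() collapses ../ sequences and symlinks; false means "no such file".
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment check: the canonical path must still start with "<base>/".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only .php templates may be included.
    return pathinfo($target, PATHINFO_EXTENSION) === 'php' ? $target : null;
}

if (PHP_SAPI === 'cli') {
    // Offline demo on a constructed directory tree.
    $root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
    mkdir("$root/pages", 0700, true);
    file_put_contents("$root/pages/home.php", "<?php echo 'home';");
    file_put_contents("$root/secret.txt", 'constructed secret');
    foreach (['home.php', '../secret.txt', '../../../etc/passwd', '/etc/passwd'] as $p) {
        $ok = resolve_page("$root/pages", $p) !== null;
        printf("%-20s %s\n", $p, $ok ? 'allowed' : 'rejected');
    }
} else {
    // Web use: same entry point as before, but the include target is validated.
    $p = $_GET['p'] ?? 'home.php';
    $page = is_string($p) ? resolve_page(__DIR__ . '/pages', $p) : null;
    if ($page === null) {
        http_response_code(404);
        exit;
    }
    include $page;
}
```

Run from the command line, the script exercises the check against the constructed tree; served by Apache, it takes the place of the vulnerable index.php once the templates are moved into pages/.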
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Jeffrey Carr |
| Solution 2 | ebuntu |
| Solution 3 | stackprotector |
