Allow directory traversal with Apache2

1.4k Views Asked by Jeffrey Carr At 02 April 2021 at 20:19

I'm trying to create a CTF for a project. One of my goals is to set up an Apache web server that allows directory traversal so people attempting my CTF can traverse to my root directory and access a folder containing an encrypted file. I want them to be able to download this file so they can unencrypt it on their machine. However, I don't even know where to start with allowing directory traversal. I've never really used Apache web server before and everything I find online is about preventing directory traversal.

I'm using Apache2 on an Ubuntu 12.04 VM.

Original Q&A

There are 3 best solutions below

Jeffrey Carr On 02 April 2021 at 22:03

I got a good enough workaround going.

First, I changed DocumentRoot in /etc/apache2/sites-available/default to "/" so that the server could access everything in / and created an index.html file in / so that the Apache server would know what to render. Inside of index.html is just

    <html><script>location="/home/user/server/index.html";</script>

Which render the actual index to display. I did this to make it more obvious that some kind of directory traversal would be done. By doing this, the path that is displayed to visitors is http://192.168.xx.xx/home/user/server/index.html.

Then, I added a wildcard directory:

  <Directory ~ "/*">
        Options +Indexes
  </Directory>

so that the users could enter any folder within the root directory. Now, when anyone visits 192.168.xx.xx they are routed to 192.168.xx.xx/home/user/server/index.html and if they enter anything else, say 192.168.xx.xx/etc/passwd the file will be displayed to them.

I know this isn't true directory traversal, but it is solution enough for this project.

ebuntu On 06 April 2021 at 19:12

Apache itself will not allow a directory traversal vulnerability to be created. You will need to use something like PHP where you pass a ?file=filename parameter and use open() with that value.

The PHP open() function will interpret the ../../ sequences necessary to escape the "intended" directory. However Apache itself will not allow that.

stackprotector On 04 March 2022 at 12:01

Minimal example with PHP

Also install PHP:
```
sudo apt install php
```
Clear the web root:
```
sudo rm -rf /var/www/html/*
```

Create /var/www/html/index.php with the following content:

<?php
$p = 'home.php';
if (isset($_GET['p']))
  $p = $_GET['p'];
include ($p);
?>

Create /var/www/html/home.php with the following content:

<!DOCTYPE html>
<html>
  <head>
    <title>Read World!</title>
  </head>
  <body>
    <a href="?p=home.php">home</a>
  </body>
</html>

Exploit, e. g.:

curl http://<IP>/?p=../../../etc/passwd

Allow directory traversal with Apache2

There are 3 best solutions below

Minimal example with PHP

Related Questions in APACHE2

Related Questions in PENETRATION-TESTING

Related Questions in DIRECTORY-TRAVERSAL

Trending Questions

Popular # Hahtags

Popular Questions