Apache HTTP server

Apache HTTP server
https://httpd.apache.org/ One of the most common web servers found in the wild. Different versions have known vulnerabilities, for which public exploits are available. Interesting options and tips: By default, Kali linux comes with Apache HTTP server installed, and often we will copy files to our local folder /var/www/html to download them to a compromised machine where we have a remote shell. To enable our local Apache server we must do: service apache2 start or systemctl start apache2 Then we can download files from there using the target machine (via wget, curl, web browser, etc). The default page shown in a browser is index.html. For example, from the target we would do: wget 192.168.1.100/privesc.py Being the latter our Kali machine's IP, and a privilege escalation script we have copied in /var/www/html/.

Tips: One of the most important headers is Host. The Host header is mainly used by the web server to know what web site you are trying to access. When more than one website is hosted on the same server, the web server uses this header to do virtual-hosting: even if you are always connecting to the same IP address, the server reads the Host information and serves the right content based on this. If you put the IP address in the Host header or an invalid hostname, you can sometimes get another website and get extra-information from this. In XAMMP, virtual hosts are configured in xampp\apache\conf\extra\httpd.vhosts.conf
 * Virtual hosting:

An indication that virtual hosting might be in use is that when we browse an IP we arrive at apache's default welcome page, but when we browse a URL we get to an actual site. We can edit our /etc/hosts, to relate different URLs (that we should know beforehand to the same server IP). Likewise, we can pass the http request through Burpsuite, and change the IP for the URL. If we edit /etc/hosts, we can use directory brute force, for example with dirbuster, using the URL, and not the IP.

Checking external access to our Apache server (for example, to debug if we have problems while trying to download files to a compromised machine using a reverse shell, and we are trying to download files hosted on our Kali):
 * Access check:

tail -f /var/log/apache2/access.log

We can see in real time access attempts to our server. An alternative is simple HTTP python server (google and copy the files in a script, then run it. The advantage of the simple HTTP server is that it doesn't execute php code, so we can download php files hosted in our computer without changing to text, or echoing the contents, since they will not be executed when we try to access them, as happens in Apache).

If from an Nmap scan we find that a server has a Ubuntu OS, and we find also the apache version (by looking at the services running on the HTTP server, with nmap -sV), we have a high chance of finding the Ubuntu version, since each Ubuntu version is shipped with a different version of Apache. Check in this website:
 * Determine Ubuntu version with Apache version:

https://packages.ubuntu.com/search?suite=all&searchon=names&keywords=apache

Content negotiation, or more accurately content selection, is the selection of the document that best matches the clients capabilities, from one of several available documents. Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15.
 * Apache multiviews:


 * RFI and LFI:

Most servers reject remote file inclusion by default, with a php configuration file (setting to "off" options like allow_url_fopen and allow_url_include). In XAMMP this file is in xammp/apache/bin/php. In this case, we get an error saying the url file access is disabled in the server configuration. Then, we need to do local file inclusion. One way to do it is to connect to the http server and paste, for example, php code. It will get recorded in access logs, alongside many connections by other users. We can then try to include this local file, and hopefully php will execute the code we managed to smuggle there. We can, for example, connect to the server with netcat and send some php code, which will get registered in apache/log/access. Then we will try to access the file by referencing it with ../ directory traversal