Windows Apache and Junction Hack
From Hak5
Background Information
This hack was submitted to the Hak.5 forums by gameman733. Apache is an open-source web server that is typically run on Linux and other Unix-like operating systems. A Windows build is available, but it is not widely used in enterprise systems. The Windows build can be run as a service, and by default it runs under the System account. That default, running as System, is what makes this hack possible.
Junction is a small program by Mark Russinovich of Sysinternals. NTFS has a feature called junctions, which work much like symbolic links on Linux: you can make one directory link to another directory on the file system.
The Hack
So what can we do with all this? If you can get physical access to the machine (at least a desktop and a way to upload files) and have write access to any directory Apache reads from, you can gain full control over the computer. Here's how:
1. Find the directories Apache is reading from. Apache can read from your home directories (if it's set up that way, which it was in the case at my school), so make sure you try that (http://localhost/~username/). If you can find one you can write to, then you're set; otherwise you can't do much of anything. The easiest place to check is the conf (assuming default permissions).
2. Get junction from the Sysinternals website. It's a command-prompt program, so you will either need cmd or you can make a small VB app to run it (if it's a server, I'm guessing there are going to be some restrictions on it). If you can use cmd, go to the directory where junction is and type in
junction.exe C:\path\to\writable\directory\newdir C:\
What that will do is make it so that when you go to C:\path\to\writable\directory\newdir, it shows what's in your C:\ drive.
3. That's pretty much the basics: you have full read/write access to C:. If PHP is installed, you can grab a small PHP script from somewhere (I don't know of any right off hand) and use it as a file browser, or make your own httpd.conf changes (using PHP again), or custom web pages, or whatever.
WARNING: Hak.5, gameman733 and the various contributors to this article take no responsibility for the consequences of your actions. This hack should only be attempted with the explicit permission of the administrator of the Apache server.
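A defender-side check for the two conditions this hack depends on, added here as an example and not part of gameman733's original post: it reports which account the Apache service runs as and lists every junction or symbolic link inside the directories Apache serves, flagging those whose target lies outside the served root. The served root path and the service name pattern are assumptions; take them from your own httpd.conf.

```powershell
# Added audit script (not from the original article). Assumptions: the Apache service
# name starts with "Apache" and $ServedRoots lists the directories Apache serves
# (DocumentRoot, Alias targets, UserDir homes); the default path below is a placeholder.
param(
    [string[]]$ServedRoots = @('C:\Apache24\htdocs'),
    [string]$ServiceNamePattern = 'Apache%'
)

# 1. Which account runs the Apache service? "LocalSystem" is the default the article
#    relies on; a dedicated low-privilege service account removes most of the impact.
function Get-ApacheServiceAccount {
    param([string]$Pattern)
    Get-CimInstance Win32_Service -Filter "Name LIKE '$Pattern'" |
        Select-Object Name, StartName, State, PathName
}

# 2. Walk a served root without descending into reparse points (so a junction to C:\
#    does not make the scan enumerate the whole drive) and report every junction or
#    symbolic link found, flagging those whose target escapes the served root.
function Find-ServedReparsePoints {
    param([string]$Root)
    $rootFull = ([System.IO.Path]::GetFullPath($Root)).TrimEnd('\') + '\'
    $stack = [System.Collections.Generic.Stack[System.IO.DirectoryInfo]]::new()
    $stack.Push([System.IO.DirectoryInfo]$Root)
    while ($stack.Count -gt 0) {
        $dir = $stack.Pop()
        try { $children = $dir.GetDirectories() }              # eager, so access errors surface here
        catch { Write-Warning "Cannot read $($dir.FullName): $_"; continue }
        foreach ($sub in $children) {
            if (($sub.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -eq 0) {
                $stack.Push($sub); continue                     # ordinary directory: keep walking
            }
            $item    = Get-Item -LiteralPath $sub.FullName -Force   # PowerShell 5.1+ exposes LinkType/Target
            $target  = @($item.Target)[0]
            $escapes = $null
            if ($target) {
                $targetFull = ([System.IO.Path]::GetFullPath($target)).TrimEnd('\') + '\'
                $escapes = -not $targetFull.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)
            }
            [pscustomobject]@{ Path = $sub.FullName; LinkType = $item.LinkType; Target = $target; EscapesRoot = $escapes }
        }
    }
}

Get-ApacheServiceAccount -Pattern $ServiceNamePattern | Format-Table -AutoSize
$findings = foreach ($root in $ServedRoots) {
    if (Test-Path -LiteralPath $root -PathType Container) { Find-ServedReparsePoints -Root $root }
    else { Write-Warning "Served root not found: $root" }
}
$findings | Format-Table -AutoSize
```

Any row with EscapesRoot set to True is a directory Apache will serve from outside its intended tree; combine that with a StartName of LocalSystem and you have exactly the setup the article describes.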