# Apache HTTP Server Path Traversal: CVE-2021-41773/42013

{% embed url="<https://tryhackme.com/room/cve202141773>" %}
<https://tryhackme.com/room/cve202141773>
{% endembed %}

| Room Attributes       | Value                                                                  |
| --------------------- | ---------------------------------------------------------------------- |
| Subscription Required | <mark style="color:green;background-color:green;">False</mark> \[Free] |
| Type                  | Walkthrough                                                            |
| Difficulty            | <mark style="color:blue;background-color:blue;">Info</mark>            |
| Tags                  | Security, Apache, CVE-2021-41773, CVE-2021-42013                       |

## Task 1 - A Bit of Background...

### What version of Apache httpd was initially vulnerable to this CVE?

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`2.4.49`

</details>

### This vulnerability requires an unusual misconfiguration for it to be exploitable (Yea/Nay)

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`Yea`

</details>

## Task 2 - What is Path Traversal anyways?

### A path traversal exploit will (choose the best answer):

* A) Include arbitrary remote files to be processed on the server.
* B) Include arbitrary local files to be processed on the server.
* C) Allow arbitrary files to be exposed by the server.
* D) None of the above.

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`C`

</details>

### URL-encode the . symbol

{% hint style="warning" %}
**HINT:** Uppercase hex is the preferred standard by the RFC (though lowercase is equivalent, this answer should be in uppercase)
{% endhint %}

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`%2E`

</details>

### What does this URL fragment decode to: %%32%65 ?

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`%2e`

</details>

## Task 3 - Ok, Ok; Gib Hax!

### What module needs to be enabled in order to get remote code execution?

{% hint style="warning" %}
**HINT:** There are technically two different modules depending on if another module is enabled. This answer uses the shorter of the two.
{% endhint %}

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`mod_cgi`

</details>

## Task 4 - Practical Exam

### What is the flag on port 8080?

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`THM{724V3R51N6_P4TH5_F02_FUN}`

</details>

### What is the flag on port 8081?

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`THM{2C3_F20M_C61}`

</details>

### What is the flag on port 8082?

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`THM{D0UBL3_3NC0D1N6_F7W}`

</details>

### What is the flag on port 8083?

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`THM{F1L732_8YP455_2C3}`

</details>

### I was able to pop a shell! (I can't actually verify this, so I'll trust you on that one :))

{% hint style="warning" %}
**HINT:** If you need some help with the shell, visit <https://www.revshells.com/>
{% endhint %}

{% hint style="success" %}
No answer needed
{% endhint %}

### What user is the Apache server running as?

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`daemon`

</details>

### Find the root flag on the machine on port 8083?

{% hint style="warning" %}
**HINT:** The root password is: ApacheCVE
{% endhint %}

<details>

<summary>Reveal Flag <span data-gb-custom-inline data-tag="emoji" data-code="1f6a9">🚩</span></summary>

:triangular\_flag\_on\_post:`THM{P21V_35C_F20M_4P4CH3_15_FUN}`

</details>


