🪶Apache HTTP Server Path Traversal: CVE-2021-41773/42013

A small explanation of an Apache path traversal bug and an incomplete fix

Room Attributes

Value

Subscription Required

False [Free]

Type

Walkthrough

Difficulty

Info

Task 1 - A Bit of Background...

What version of Apache httpd was initially vulnerable to this CVE?

Reveal Flag 🚩

🚩2.4.49

This vulnerability requires an unusual misconfiguration for it to be exploitable (Yea/Nay)

Reveal Flag 🚩

🚩Yea

Task 2 - What is Path Traversal anyways?

A path traversal exploit will (choose the best answer):

A) Include arbitrary remote files to be processed on the server.
B) Include arbitrary local files to be processed on the server.
C) Allow arbitrary files to be exposed by the server.
D) None of the above.

Reveal Flag 🚩

🚩C

URL-encode the . symbol

HINT: Uppercase hex is the preferred standard by the RFC (though lowercase is equivalent, this answer should be in uppercase)

Reveal Flag 🚩

🚩%2E

What does this URL fragment decode to: %%32%65 ?

Reveal Flag 🚩

🚩%2e

Task 3 - Ok, Ok; Gib Hax!

What module needs to be enabled in order to get remote code execution?

HINT: There are technically two different modules depending on if another module is enabled. This answer uses the shorter of the two.

Reveal Flag 🚩

🚩mod_cgi

Task 4 - Practical Exam

What is the flag on port 8080?

Reveal Flag 🚩

🚩THM{724V3R51N6_P4TH5_F02_FUN}

What is the flag on port 8081?

Reveal Flag 🚩

🚩THM{2C3_F20M_C61}

What is the flag on port 8082?

Reveal Flag 🚩

🚩THM{D0UBL3_3NC0D1N6_F7W}

What is the flag on port 8083?

Reveal Flag 🚩

🚩THM{F1L732_8YP455_2C3}

I was able to pop a shell! (I can't actually verify this, so I'll trust you on that one :))

HINT: If you need some help with the shell, visit https://www.revshells.com/

No answer needed

What user is the Apache server running as?

Reveal Flag 🚩

🚩daemon

Find the root flag on the machine on port 8083?

HINT: The root password is: ApacheCVE

Reveal Flag 🚩

🚩THM{P21V_35C_F20M_4P4CH3_15_FUN}

PreviousPwnkit: CVE-2021-4034 NextDirty Pipe: CVE-2022-0847

Last updated 3 years ago

hashtagTask 1 - A Bit of Background...

hashtagWhat version of Apache httpd was initially vulnerable to this CVE?

hashtagThis vulnerability requires an unusual misconfiguration for it to be exploitable (Yea/Nay)

hashtagTask 2 - What is Path Traversal anyways?

hashtagA path traversal exploit will (choose the best answer):

hashtagURL-encode the . symbol

hashtagWhat does this URL fragment decode to: %%32%65 ?

hashtagTask 3 - Ok, Ok; Gib Hax!

hashtagWhat module needs to be enabled in order to get remote code execution?

hashtagTask 4 - Practical Exam

hashtagWhat is the flag on port 8080?

hashtagWhat is the flag on port 8081?

hashtagWhat is the flag on port 8082?

hashtagWhat is the flag on port 8083?

hashtagI was able to pop a shell! (I can't actually verify this, so I'll trust you on that one :))

hashtagWhat user is the Apache server running as?

hashtagFind the root flag on the machine on port 8083?

Task 1 - A Bit of Background...

What version of Apache httpd was initially vulnerable to this CVE?

This vulnerability requires an unusual misconfiguration for it to be exploitable (Yea/Nay)

Task 2 - What is Path Traversal anyways?

A path traversal exploit will (choose the best answer):

URL-encode the . symbol

What does this URL fragment decode to: %%32%65 ?

Task 3 - Ok, Ok; Gib Hax!

What module needs to be enabled in order to get remote code execution?

Task 4 - Practical Exam

What is the flag on port 8080?

What is the flag on port 8081?

What is the flag on port 8082?

What is the flag on port 8083?

I was able to pop a shell! (I can't actually verify this, so I'll trust you on that one :))

What user is the Apache server running as?

Find the root flag on the machine on port 8083?