🪶Apache HTTP Server Path Traversal: CVE-2021-41773/42013

A small explanation of an Apache path traversal bug and an incomplete fix

https://tryhackme.com/room/cve202141773
Room Attributes

  • Subscription Required: False [Free]

  • Type: Walkthrough

  • Difficulty: Info

  • Tags: Security, Apache, CVE-2021-41773, CVE-2021-42013

Task 1 - A Bit of Background...

What version of Apache httpd was initially vulnerable to this CVE?

🚩2.4.49

This vulnerability requires an unusual misconfiguration for it to be exploitable (Yea/Nay)

🚩Yea

Task 2 - What is Path Traversal anyways?

A path traversal exploit will (choose the best answer):

  • A) Include arbitrary remote files to be processed on the server.

  • B) Include arbitrary local files to be processed on the server.

  • C) Allow arbitrary files to be exposed by the server.

  • D) None of the above.

🚩C

URL-encode the . symbol

🚩%2E

What does this URL fragment decode to: %%32%65 ?

🚩%2e

Task 3 - Ok, Ok; Gib Hax!

What module needs to be enabled in order to get remote code execution?

🚩mod_cgi

Task 4 - Practical Exam

What is the flag on port 8080?

🚩THM{724V3R51N6_P4TH5_F02_FUN}

What is the flag on port 8081?

🚩THM{2C3_F20M_C61}

What is the flag on port 8082?

🚩THM{D0UBL3_3NC0D1N6_F7W}

What is the flag on port 8083?

🚩THM{F1L732_8YP455_2C3}

I was able to pop a shell! (I can't actually verify this, so I'll trust you on that one :))

What user is the Apache server running as?

🚩daemon

Find the root flag on the machine on port 8083?

🚩THM{P21V_35C_F20M_4P4CH3_15_FUN}
