Complete TryHackMe CVE-2021-41773/42013

Amazing room TryHackMe CVE-2021-41773 / CVE-2021-42013 explaining how the new vulnerability on Apache Webserver 2.4.49 affecting the path normalization mechanism.

TryHackMe CVE-2021-41773
TryHackMe CVE-2021-41773

TryHackMe CVE-2021-41773

On the 5th of October 2021, a CVE detailing a path traversal attack on Apache HTTP Server v2.4.49 was released. Assigned the number CVE-2021-41773, it was released with the following description:

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed. Additionally (sic) this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

TryHackMe
Room Link : TryHackMe CVE-2021-41773/42013

Task 1 – A Bit of Background…

Answer the questions below

What version of Apache httpd was initially vulnerable to this CVE?

Answer: 2.4.49

This vulnerability requires an unusual misconfiguration for it to be exploitable (Yea/Nay)

Answer: Yea

Task 2 – What is Path Traversal anyways?

Answer the questions below

A path traversal exploit will (choose the best answer):

  A) Include arbitrary remote files to be processed on the server.
  B) Include arbitrary local files to be processed on the server.
  C) Allow arbitrary files to be exposed by the server.
  D) None of the above.

Answer: C

URL-encode the . symbol

Answer: %2E

What does this URL fragment decode to: %%32%65 ?

Answer: %2e

Task 3 Ok, Ok; Gib Hax!

Answer the questions below

What module needs to be enabled in order to get remote code execution?

Answer: mod_cgi

Task 4 Practical Exam

Answer the questions below

What is the flag on port 8080?

Answer: THM{724V3R51N6_P4TH5_OMMITED_RFS}

What is the flag on port 8081?

Answer: THM{2C3_F20M_RFS}

What is the flag on port 8082?

Answer: THM{D0UBL3_3NC0D1N6_RFS}

What is the flag on port 8083?

Answer: THM{F1L732_8YP455_RFS}

What user is the Apache server running as?

Answer: daemon

Find the root flag on the machine on port 8083?

Answer: THM{P21V_35C_F20M_4P4CH3_OMMITED_RFS}

Complete TryHackMe Walktroughs