Apache_Path_Traversal_Vulnerability

eXpl017
Feb 26, 2023


## CVE-2021-41773/42013

Apache Path Traversal Bug TryHackMe Room


CVE-2021-41773 is a vulnerability that affects Apache HTTP Server v2.4.49 and not earlier versions. There are two key things to understand about this vulnerability: path normalization and the need to protect unintended files with “require all denied.”

Path normalization refers to the process of transforming a given path into a canonical form that the software can understand and then map to the actual file system. A path traversal attack can occur if unintended files can be read as a result of incomplete or incorrect path normalization.

To prevent such attacks, unintended files must be protected by “require all denied.” This bug was fixed in v2.4.50, but not completely. A second CVE (CVE-2021-42013) was issued because the fix was incomplete: it was still possible to traverse to unintended files if the path used an alias directive to map its URLs to the file system. Additionally, the attack only worked if the file was not protected by “require all denied.”

Normalization:
When a relative path is passed to a program, it is normalized to a canonical path to locate the resource. This attack takes advantage of both URL encoding and a flaw in the Alias module (which is used for normalization).
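To see why the encoding matters for detection, the added example below (not code from the room or from Apache) scans access-log lines for dot-segment traversal and separates paths that a single percent-decoding pass would catch from ones that hide behind a second layer of encoding, such as the `%%32%65` fragment in the room's questions. The log lines, paths, function names and the `MAX_ROUNDS` cap are constructed assumptions.

```python
import re
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumption: upper bound on decode passes, keeps the loop finite
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (common log format); not taken from the room.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Feb/2023:10:00:01 +0000] "GET /docs/index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [26/Feb/2023:10:00:02 +0000] "GET /docs/%2E%2E/private/notes.txt HTTP/1.1" 403 199',
    '203.0.113.5 - - [26/Feb/2023:10:00:03 +0000] "GET /docs/%%32%65%%32%65/private/notes.txt HTTP/1.1" 403 199',
]

def fully_decode(path):
    """Percent-decode until the string stops changing; return (result, passes)."""
    passes = 0
    while passes < MAX_ROUNDS:
        decoded = unquote(path)
        if decoded == path:
            break
        path, passes = decoded, passes + 1
    return path, passes

def has_dot_segment(path):
    """True if any path segment is exactly '..' (either slash style)."""
    return ".." in re.split(r"[/\\]", path)

def classify(raw_path):
    """Label a request path as clean, traversal, or multi-encoded traversal."""
    decoded, _ = fully_decode(raw_path)
    if not has_dot_segment(decoded):
        return "clean"
    # A check that decodes only once never sees '..' in a multi-encoded path.
    if has_dot_segment(unquote(raw_path)):
        return "traversal"
    return "traversal (multi-encoded)"

def scan(lines):
    """Return (path, verdict) for every log line that contains a request."""
    results = []
    for line in lines:
        match = REQUEST.search(line)
        if match:
            results.append((match.group(1), classify(match.group(1))))
    return results

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:26} {path}")
```

The third sample line is the case a decode-once filter misses: one pass turns `%%32%65` into `%2e`, and only the second pass yields the dot.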

Questions and Answers from the room:

1. What version of Apache httpd was initially vulnerable to this CVE?
-> 2.4.49

2. This vulnerability requires an unusual misconfiguration for it to be exploitable (Yea/Nay)
-> Yea

3. A path traversal exploit will (choose the best answer):

A) Include arbitrary remote files to be processed on the server.
B) Include arbitrary local files to be processed on the server.
C) Allow arbitrary files to be exposed by the server.
D) None of the above.
-> C

4. URL-encode the . symbol
-> %2E

5. What does this URL fragment decode to: %%32%65 ?
-> %2e

6. What module needs to be enabled in order to get remote code execution?
-> mod_cgi

7. What is the flag on port 8080?
-> THM{724V3R51N6_P4TH5_F02_FUN}

8. What is the flag on port 8081?
-> THM{2C3_F20M_C61}

9. What is the flag on port 8082?
-> THM{D0UBL3_3NC0D1N6_F7W}

10. What is the flag on port 8083?
-> THM{F1L732_8YP455_2C3}

11. What user is the Apache server running as?
-> daemon

12. Find the root flag on the machine on port 8083?
-> THM{P21V_35C_F20M_4P4CH3_15_FUN}
