# JerseyCTF IV 2024 Write Up
LFI to RCE, Apache 2.4.49 Exploit
URL: https://ctf.jerseyctf.com/
<br>
## Require-all-denied
Web Exploitation
Based on: [CVE-2021-41773](https://github.com/thehackersbrain/CVE-2021-41773)
### Description
We found this control panel on the Internet. It seems to be broken. Can you find out more information?
[Access Here!](http://54.160.214.145:1337/)
Developed by: [Noah Jacobson](https://github.com/noahajac)
### Enumeration

On the main page there is nothing interesting, but the URL looks a bit odd.
> [http://54.160.214.145:1337/cgi-bin/index/](http://54.160.214.145:1337/cgi-bin/index/)

Looks like the server is running Apache. Try to find the version by looking at the response headers.

<br>
:notebook_with_decorative_cover: Take a Note
* [ ] Server: Apache/2.4.49 (Debian)
* [ ] Can't access the route "**/cgi-bin**" (it returned forbidden, **405**), but other routes like "**/cgi-bin/travel**" and "**/cgi-bin/status**" are accessible
* [ ] Possible LFI
* [ ] Try searching for the server vulnerability with the keyword "**apache 2.4.49 exploit**"
<br>
### Exploit
#### Apache 2.4.49 Exploit
From here, I know that the vulnerability lies in path traversal (LFI) and can lead to RCE.
> [https://blog.intelliroot.com/2023/06/path-traversal-and-remote-code.html](https://blog.intelliroot.com/2023/06/path-traversal-and-remote-code.html)

Found the payload in the blog above:
```bash
curl 'http://localhost:1234/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type:text/plain; echo; whoami'
```
where the basic idea is to move up one directory using ( **../** ). The payload double-encodes it so the traversal gets past the server's path-normalization check and actually works:
* **../** is written as **.%2e/** (**%2e** is the URL encoding of **.**)
* **.%2e/** is written as **.%%32%65/** (**%32** encodes **2** and **%65** encodes **e**)

Traverse up to `/bin/sh`, which runs the command supplied in the request body.

Got it.
:::success
jctf{plz\_p4tch\_y0ur\_s3rv3rs}
:::
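As an added detection example (not part of the original write-up): a small Python scanner that fully percent-decodes request paths from Apache access-log lines, including the double-encoded `.%%32%65` form used above, and flags requests whose decoded path climbs out of the URL root. The log lines are constructed for the example, not taken from the challenge server.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines (combined format), not from the challenge server.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2024:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [24/Mar/2024:10:01:09 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 14 "-" "curl/8.5.0"
198.51.100.4 - - [24/Mar/2024:10:02:15 +0000] "GET /cgi-bin/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Mar/2024:10:02:20 +0000] "GET /cgi-bin/travel?dest=paris HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def full_decode(path, max_rounds=5):
    # Percent-decode until stable: '.%%32%65' -> '.%2e' -> '..' takes two rounds.
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_root(path):
    # True if '..' segments climb above the URL root, e.g. /cgi-bin/../../bin/sh.
    depth = 0
    for seg in path.split("?", 1)[0].split("/"):
        depth += -1 if seg == ".." else (seg not in ("", "."))
        if depth < 0:
            return True
    return False

def classify(raw_path):
    # Reason string for a suspicious request path, None for a benign one.
    decoded = full_decode(raw_path)
    if escapes_root(decoded):
        return "traversal-escapes-root"
    if ".." in decoded and ".." not in raw_path:
        return "encoded-dotdot"  # traversal only visible after decoding
    return None

def scan_log(text):
    # Parse each access-log line; keep requests whose decoded path looks like traversal.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        reason = classify(m.group("path")) if m else None
        if reason:
            hits.append((m.group("ip"), full_decode(m.group("path")), m.group("status"), reason))
    return hits
```

Because the scanner decodes repeatedly before checking, a 200 response to a request that decodes to `/cgi-bin/../../../../../bin/sh` stands out even though the raw log line contains no literal `..`.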
---