Description
Obtain RCE on the host calculator.edu.stf (10.124.1.232) by exploiting a business logic vulnerability.
To get the flag, run the script /home/rceflag.
<aside> 💡
Again, this might be another UNINTENDED solution, but we still achieved RCE and obtained the flag. The challenge hints at a business logic vulnerability, but I discovered other critical vulnerabilities during early reconnaissance and proceeded with those instead.
</aside>
As usual, the first thing I do is scan the target with nmap:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 6c:ae:40:fe:62:06:3e:08:f4:96:f1:7d:22:63:ac:dd (RSA)
| 256 8a:be:5e:69:a5:62:26:4b:60:cb:45:c4:bd:7a:47:c5 (ECDSA)
|_ 256 93:50:2d:84:88:cc:50:99:6d:be:c0:05:50:08:c2:eb (ED25519)
80/tcp open http Apache httpd 2.4.49 ((Unix))
|_http-server-header: Apache/2.4.49 (Unix)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Apache2 Debian Default Page: It works
8080/tcp open http Golang net/http server
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Content-Length: 619
| Content-Type: text/html; charset=utf-8
| Last-Modified: Mon, 19 Feb 2024 10:24:56 GMT
| Date: Sun, 07 Sep 2025 17:15:45 GMT
| <!DOCTYPE html>
| <html>
| <head>
| <meta charset="UTF-8" />
| </head>
| <body>
| <div>
| <p>Request for nuclear power plant capacity for legal entities</p>
| <form method="POST" action="/">
| <label for="temp">Specify the required amount of MegaWatts</label>
| <input name="temp" type="number" min="0" max="100" id="temp"/>
| <input type="submit" value="Test">
| </form>
| </div>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.0 200 OK
| Date: Sun, 07 Sep 2025 17:15:45 GMT
| Content-Length: 40
| Content-Type: text/plain; charset=utf-8
| Only GET and POST methods are supported.
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
|_ Request
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at <https://nmap.org/cgi-bin/submit.cgi?new-service> :
SF-Port8080-TCP:V=7.95%I=7%D=9/7%Time=68BDBDC0%P=x86_64-pc-linux-gnu%r(Get
SF:Request,324,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges:\x20bytes\r\nConte
SF:nt-Length:\x20619\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nLa
SF:st-Modified:\x20Mon,\x2019\x20Feb\x202024\x2010:24:56\x20GMT\r\nDate:\x
SF:20Sun,\x2007\x20Sep\x202025\x2017:15:45\x20GMT\r\n\r\n<!DOCTYPE\x20html
SF:>\n<html>\n\x20\x20\x20\x20\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20charset=\"UTF-8\"\
SF:x20/>\n\x20\x20\x20\x20\x20\x20\x20\x20</head>\n\x20\x20\x20\x20\x20\x2
SF:0\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20<div>\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<p>Request\x20for\x20nuclear\
SF:x20power\x20plant\x20capacity\x20for\x20legal\x20entities</p>\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20<form\x20method=\"POST\"\x20action=\"/\">\n\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<label\x20for=\"temp\">Sp
SF:ecify\x20the\x20required\x20amount\x20of\x20MegaWatts</label>\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<input\x20name=\"temp\
SF:"\x20type=\"number\"\x20min=\"0\"\x20max=\"100\"\x20id=\"temp\"/>\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<input\x20type=\"s
SF:ubmit\"\x20value=\"Test\">\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20</form>\n\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20</div>\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20</body>\n</html>\n")%r(HTTPOptions,9D,"HTTP/1\.
SF:0\x20200\x20OK\r\nDate:\x20Sun,\x2007\x20Sep\x202025\x2017:15:45\x20GMT
SF:\r\nContent-Length:\x2040\r\nContent-Type:\x20text/plain;\x20charset=ut
SF:f-8\r\n\r\nOnly\x20GET\x20and\x20POST\x20methods\x20are\x20supported\."
SF:)%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20
SF:Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 42.94 seconds
And surprisingly, from the output we can already spot a critical, well-known vulnerability: Apache httpd 2.4.49 (Unix) on port 80 is the release affected by the path-normalization flaw CVE-2021-41773, which gives path traversal and, when mod_cgi is enabled, remote code execution. (The Go app on 8080, whose only bound on `temp` is the HTML `min`/`max` attribute, is presumably the intended business-logic target, but the Apache bug is the faster route.)
Check out:
Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
Without wasting time, I just searched for the exploit module in Metasploit
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo msfconsole
=[ metasploit v6.4.84-dev ]
+ -- --=[ 2,547 exploits - 1,309 auxiliary - 1,683 payloads ]
+ -- --=[ 432 post - 49 encoders - 13 nops - 9 evasion ]
msf > search Apache httpd 2.4.49
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/apache_normalize_path_rce 2021-05-10 excellent Yes Apache 2.4.49/2.4.50 Traversal RCE
1 \_ target: Automatic (Dropper) . . . .
2 \_ target: Unix Command (In-Memory) . . . .
3 auxiliary/scanner/http/apache_normalize_path 2021-05-10 normal No Apache 2.4.49/2.4.50 Traversal RCE scanner
4 \_ action: CHECK_RCE . . . Check for RCE (if mod_cgi is enabled).
5 \_ action: CHECK_TRAVERSAL . . . Check for vulnerability.
6 \_ action: READ_FILE . . . Read file on the remote server.
Interact with a module by name or index. For example info 6, use 6 or use auxiliary/scanner/http/apache_normalize_path
After interacting with a module you can manually set a ACTION with set ACTION 'READ_FILE'
And yes, the exploit is available in Metasploit. Note the module's own caveat in the output above: the traversal by itself only reads files, and the RCE target works only when mod_cgi is enabled on the server (the scanner's CHECK_RCE action verifies this before you fire the exploit). Set the exploit options (RHOSTS, LHOST and the payload) and we instantly popped a shell. Run /home/rceflag and we get the flag.