Objective 1 – Apache Path Traversal Exploit (CVE-2021-41773)



1

Objective 1 – Apache Path Traversal Exploit (CVE-2021-41773)

Exploit Name: Apache Path Traversal
Vulnerability: Apache 2.4.49 mishandles URL encoding, allowing traversal beyond the document root using encoded dot-dot (../) sequences.

Detailed Steps:

  • 🔍 Scan: Use Nmap with -sV to detect open HTTP services and grab version banners. Confirm Apache 2.4.49.

  • 🧐 Probe: Manually test URLs with encoded traversal patterns like:
    http://<IP>:<Port>/.%2e/.%2e/.%2e/.%2e/etc/passwd

  • ✅ Confirm: If you get back system files (like /etc/passwd), that proves the vulnerability.

  • 🔄 Explore: Try accessing other sensitive files (Apache configs, credential files) to assess full risk.

Extra Detail: This vulnerability depends on directory overrides (AllowOverride All) and lack of strict Require rules.

Remediation:

  • Patch to 2.4.51+.

  • Disable AllowOverride globally unless necessary.

  • Set strict access controls (Require all denied) for parent folders.

2

Objective 1 – Apache Remote Code Execution (CVE-2021-42013)

Exploit Name: Apache RCE via CGI
Vulnerability: Even after patching CVE-2021-41773, Apache 2.4.50 with CGI enabled is vulnerable to remote code execution using similar traversal techniques.

Detailed Steps:

  • 🔍 Scan: Confirm version 2.4.50 using Nmap.

  • 👀 Check: Look for the presence of cgi-bin or similar paths (hint: use Dirb/Nikto for this).

  • Test: Access a CGI script with crafted traversal (e.g., http://<IP>/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh).

  • 🛠 Exploit: Once you confirm code execution (like a simple id or uname -a result), you can escalate by deploying a reverse shell payload using tools like Metasploit.

Extra Detail: This flaw is a patch bypass, showing why full defense-in-depth is needed (not just patching one bug).

Remediation:

  • Update to 2.4.51+.

  • Turn off CGI unless absolutely necessary.

  • Harden the server with WAF protections and file-level permissions.

3

Objective 2 – WordPress Directory & Vulnerability Enumeration

Exploit Name: WordPress Enumeration
Vulnerability: Exposed files/directories and weak default configurations.

Detailed Steps:

  • 🔍 Scan: Use Nmap to detect Apache & WordPress. Note ports (e.g., 8082).

  • 📂 Directory Scanning: Run Dirb/Gobuster with common wordlists to map paths (wp-content/, .htaccess, etc.).

  • 🛠 Vulnerability Scanning: Run Nikto to catch outdated components or unsafe headers.

  • 👥 User Enumeration: Use Nmap NSE scripts to extract usernames via the /wp-json/wp/v2/users API or through XML-RPC pingbacks.

Extra Detail: Exposed files like readme.html, license.txt, and robots.txt can reveal exact version info—critical for targeted exploits.

Remediation:

  • Disable directory listing (Options -Indexes in Apache).

  • Keep everything updated.

  • Apply .htaccess hardening and consider IP whitelisting for admin paths.

4

Objective 3 – Anonymous FTP Exploit

Exploit Name: Anonymous FTP + Secret Hash Retrieval
Vulnerability: FTP server allows anonymous login and has a broken passive-mode config (leaks internal IP for data connections).

Detailed Steps:

  • 🔍 Scan: Use Nmap to identify open FTP ports (look for unusual ranges like 2001–2010).

  • 🔑 Login: Try anonymous FTP access.

  • 🛠 Passive Mode Check: Watch the server’s response to PASV—if it returns an internal IP (e.g., 172.18.0.6), note it.

  • 🔄 Manual Adjustment: Set your client to use that internal IP (even though you're external) to complete listings.

  • 📥 Retrieve: Locate and download the hash_YYYYMMDD.txt file, then decode it locally.

Extra Detail: The mismatch between control connection (public IP) and data connection (internal IP) is a classic FTP misconfiguration.

Remediation:

  • Fully disable anonymous login.

  • Correct the passive-mode public IP configuration.

  • Firewall FTP ports to restrict access to trusted users.

5

Objective 4 – vsFTPd Backdoor

Exploit Name: vsFTPd 2.3.4 Backdoor
Vulnerability: Maliciously modified vsFTPd opens a root shell if the username contains :).

Detailed Steps:

  • 🔍 Scan: Confirm vsFTPd 2.3.4 is running (Nmap banner grabbing).

  • 🛠 Trigger: Connect with a username like test:).

  • 🔓 Shell Access: Watch for a new port (typically 6200) opening—connect to it to gain a root shell.

  • 💻 Confirm: Run commands like whoami to validate root access.

Extra Detail: This exploit is instant root, no password needed—super dangerous.

Remediation:

  • Replace vsFTPd with a trusted, up-to-date build.

  • Avoid FTP in favor of SFTP or SSH-based file transfer.

6

Objective 4 – MySQL Exploit

Exploit Name: MySQL Brute-Force
Vulnerability: Weak/default credentials allow attackers to log into the database.

Detailed Steps:

  • 🔍 Scan: Detect MySQL (port 3306).

  • 🛠 Brute-Force: Run a password spray using a tool like Metasploit’s mysql_login.

  • 🔓 Access: If successful, browse databases to harvest data (users, hashed passwords).

Extra Detail: Even without success, identifying version 5.0.51a is important—it’s vulnerable to other, more advanced attacks.

Remediation:

  • Apply strict passwords.

  • Limit MySQL to localhost or trusted IPs only.

  • Patch to a maintained version.

7

Objective 4 – PostgreSQL Exploit

Exploit Name: PostgreSQL Payload Execution
Vulnerability: Old PostgreSQL versions allow attackers to upload and execute custom code.

Detailed Steps:

  • 🔍 Scan: Identify PostgreSQL running (port 5432).

  • 🛠 Test Access: Try connecting using known/default credentials.

  • 💥 Exploit: Upload a malicious payload (e.g., a .so shared-object file) to execute commands remotely.

Extra Detail: This exploit takes advantage of trusted language extensions that let users run OS-level code.

Remediation:

  • Upgrade PostgreSQL.

  • Disable trusted extensions or restrict roles.

  • Monitor logs for unexpected access.

8

Objective 4 – SMTP Enumeration

Exploit Name: SMTP User Enumeration
Vulnerability: The SMTP server reveals valid usernames via VRFY/EXPN.

Detailed Steps:

  • 🔍 Scan: Find SMTP (port 25).

  • 📬 Test: Use Telnet or a tool to send VRFY <user> and watch for valid responses.

  • 📜 List: Record all confirmed usernames for later attacks (like password spraying).

Extra Detail: This is an information disclosure risk that can escalate if combined with other vulnerabilities.

Remediation:

  • Disable VRFY and EXPN in the SMTP config.

  • Apply spam protection measures.

9

Objective 4 – Rlogin Exploit

Exploit Name: Rlogin Brute-Force
Vulnerability: Rlogin transmits credentials in cleartext and is easily brute-forced.

Detailed Steps:

  • 🔍 Scan: Find Rlogin (port 513).

  • 🛠 Brute-Force: Attempt logins using common usernames/passwords.

  • 🔓 Session: If successful, establish a session and test for privilege escalation.

Extra Detail: Rlogin is rarely seen today—if you find it, it's almost always misconfigured.

Remediation:

  • Disable Rlogin permanently.

  • Use SSH as a secure alternative.
