In this post, i would like to share a method that i have learned while playing with Bagel Machine. The vulnerability attack that i mentioned here is by using dotnet FSI.


The full writeup on the Bagel Machine can be found here

Dotnet FSI attack.


For those who are not familiar with the vulnerability, it’s a console that is used with the F# code which we can execute the F# scripts. The user can run the script or binary, we can use the command “dotnet fsi” on the F# interactive console.


Anyone that wants to know more about this command, we can read further here

How to execute the attack?


We managed to see a simple F# script to obtain the shell on the machine such as follows:

System.Diagnostics.Process.Start("id").WaitForExit();

The script can be executed within the command as below:

Escalate to Root Privileges Access


Previously, we noticed that there are other users and let’s change to that user(developer)

Graphical user interface, text, application

Description automatically generated

As usual, let’s enumerate by typing “sudo -l” command and notice that we can dotnet with root access


Therefore, let’s execute the dotnet with fsi which looks like as shown above


As a result, we can execute the command above


At last, we have a root shell on our machine


We can read the root flag by typing the “cat root.txt” command