In this post, I would like to share a method that I learned while playing with the Bagel machine. The attack described here uses dotnet FSI.
The full writeup on the Bagel machine can be found here
Dotnet FSI attack.
For those who are not familiar with it, dotnet FSI is the F# Interactive console, in which we can execute F# code and scripts. The user can run a script or binary by using the command “dotnet fsi” to start the F# interactive console.
Anyone who wants to know more about this command can read further here
How to execute the attack?
We found a simple F# script that obtains a shell on the machine, as follows:
The script can be executed with the command below:
Escalate to Root Privileges
Previously, we noticed that there are other users on the machine, so let’s switch to one of them (developer).
As usual, let’s enumerate by running the “sudo -l” command, and notice that we can run dotnet with root access.
Therefore, let’s execute dotnet with fsi, as shown above.
As a result, we can execute the command above.
At last, we have a root shell on the machine.
We can read the root flag by typing the “cat root.txt” command.
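From the defender's side, the weak point in the steps above is the sudo rule that lets the developer user run dotnet as root. The following is an added example, not part of the original writeup: it parses “sudo -l” output and flags rules that hand a code-executing runtime to root. It generalises beyond dotnet to a few other runtimes, and the sample output, paths and runtime list are constructed assumptions.

```python
import re

# Runtimes that execute code supplied by the caller. Only dotnet comes from the
# post; the other names are assumptions added to generalise the check.
CODE_RUNNERS = {"dotnet", "python3", "perl", "ruby", "node"}

# One rule line of `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def risky_sudo_rules(sudo_l_output):
    """Return (command, nopasswd, reason) for rules that give root code execution."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header, Defaults entry or blank line
        runas_users = {u.strip() for u in m.group("runas").split(":")[0].split(",")}
        if not runas_users & {"root", "ALL"}:
            continue  # rule does not run as root
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts or parts[0].rsplit("/", 1)[-1] not in CODE_RUNNERS:
                continue
            args = parts[1:]
            if not args:
                # sudoers semantics: no argument list means any arguments are accepted
                findings.append((cmd.strip(), nopasswd, "any arguments allowed"))
            elif "fsi" in args or any("*" in a for a in args):
                findings.append((cmd.strip(), nopasswd, "fsi or wildcard in arguments"))
    return findings


# Constructed `sudo -l` output (host name, paths and rules are made up for the example).
SAMPLE = """\
Matching Defaults entries for developer on host:
    env_reset, mail_badpass

User developer may run the following commands on host:
    (root) NOPASSWD: /usr/bin/dotnet
    (root) /usr/bin/dotnet --info
    (www-data) NOPASSWD: /usr/bin/python3
    (ALL : ALL) /usr/bin/systemctl status nginx, /usr/bin/dotnet fsi *
"""

if __name__ == "__main__":
    for command, nopasswd, reason in risky_sudo_rules(SAMPLE):
        print(f"RISK nopasswd={nopasswd} {command!r}: {reason}")
```

A rule that pins dotnet to fixed arguments without fsi or a wildcard, such as the constructed “--info” rule, is not flagged, because sudo then rejects any other argument list.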