In this post, i would like to share a method that i have learned while playing with Bagel Machine. The vulnerability attack that i mentioned here is by using dotnet FSI.

The full writeup on the Bagel Machine can be found here

Dotnet FSI attack.

For those who are not familiar with the vulnerability, it’s a console that is used with the F# code which we can execute the F# scripts. The user can run the script or binary, we can use the command “dotnet fsi” on the F# interactive console.

Anyone that wants to know more about this command, we can read further here

How to execute the attack?

We managed to see a simple F# script to obtain the shell on the machine such as follows:

System.Diagnostics.Process.Start("id").WaitForExit();

The script can be executed within the command as below:

Escalate to Root Privileges Access

Previously, we noticed that there are other users and let’s change to that user(developer)

As usual, let’s enumerate by typing “sudo -l” command and notice that we can dotnet with root access

Therefore, let’s execute the dotnet with fsi which looks like as shown above

As a result, we can execute the command above

At last, we have a root shell on our machine

We can read the root flag by typing the “cat root.txt” command