Privilege escalation using tar

In the of the box, the last leg of the challenge involves manipulating the tar executable. However, before I found out the actual method to complete, I came acros a blogpost which mentions how --checkpoint-action flag can be used to execute a code.

But I couldn’t get this to work and had to resort to a lesser elegant way of prepending a 'bash’ed version of tar to the PATh variable.

Has anyone else tried this? Box is Pandora

Hint: you don’t need to modify tar directly. You just need to have an executable named tar in your path… What that executable contains is up to you.

I understand what we’re supposed to do to own the box. It’s just that I am confused why the article’s way doesn’t work. Afaik, it’s not related to a version.

the attack in provided post does not apply to current box.
it need to inject --checkpoint-action=exec=SCRIPT --checkpoint=1 to the command line, but it is not possible for given wildcard format.

you can follow the instruction and echo the command to check what is indeed executed.

1 Like