Privilege escalation using tar

In the of the box, the last leg of the challenge involves manipulating the tar executable. However, before I found out the actual method to complete it, I came across a blog post which mentions how the --checkpoint-action flag can be used to execute code.

https://blog.gregscharf.com/2021/03/22/tar-in-cronjob-to-privilege-escalation/

But I couldn’t get this to work and had to resort to a less elegant way of prepending a 'bash’ed version of tar to the PATH variable.

Has anyone else tried this? Box is Pandora

Hint: you don’t need to modify tar directly. You just need to have an executable named tar in your path… What that executable contains is up to you.

I understand what we’re supposed to do to own the box. It’s just that I am confused why the article’s way doesn’t work. Afaik, it’s not related to a version.

The attack in the provided post does not apply to the current box.
It needs to inject --checkpoint-action=exec=SCRIPT --checkpoint=1 into the command line, but that is not possible for the given wildcard format.

You can follow the instructions and echo the command to check what is indeed executed.

1 Like
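
The point made in the last reply, as an added example that is not part of the thread: a wildcard only hands a command option-looking arguments when the expanded names themselves start with `-`, which a bare `*` can produce and a path-prefixed pattern such as `./*` cannot. The directory, file names and function names below are constructed for illustration; the thread does not show the box's actual command line, and nothing here runs tar.

```shell
#!/bin/sh
# Added example: audit how a glob expands before any command sees it.
# All paths and names are constructed sample data.

# Build a throwaway directory with two ordinary files and one file whose
# name looks like a command-line option. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/notes.txt"
    : > "$d/backup.log"
    : > "$d/--checkpoint=1"
    printf '%s\n' "$d"
}

# List the names in directory $1 that a bare `*` would pass to a command
# as arguments beginning with '-' (candidates for option parsing).
optionlike_names() {
    ( cd "$1" || exit 1
      for f in *; do
          case "$f" in -*) printf '%s\n' "$f" ;; esac
      done )
}

# Expand glob pattern $2 inside directory $1 exactly as the shell would,
# and print how many of the resulting arguments begin with '-'.
count_dash_args() {
    ( cd "$1" || exit 1
      n=0
      for a in $2; do    # unquoted on purpose so the glob is expanded
          case "$a" in -*) n=$((n + 1)) ;; esac
      done
      printf '%s\n' "$n" )
}

# Stand-alone run: compare a bare wildcard with a path-prefixed one.
if [ "${1:-}" = "demo" ]; then
    dir=$(make_sample_dir)
    echo "option-like names: $(optionlike_names "$dir")"
    echo "dash args for '*':   $(count_dash_args "$dir" '*')"
    echo "dash args for './*': $(count_dash_args "$dir" './*')"
    rm -rf "$dir"
fi
```

Running `optionlike_names` over directories that scheduled or privileged jobs archive is a quick audit for this class of problem; writing the pattern as `./*` or placing `--` before it keeps every expanded name a plain file argument.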