Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Argument injection and getting past shellwords.escape

Etienne Stalmans, posted 5 years ago
  • Command injection is when you can insert arbitrary shell characters into a system call to modify it. This is a well-known and well-explored attack vector; people commonly try to protect against it by escaping the shell meta-characters, such as [;`"'|&${}]. This post is not about a straight command injection; it is about getting around those protections. But is anything missing from that set?
  • One valid (and commonly used) character, -, is missing from the set. This character introduces flags in many commands. Although the meta-characters themselves are escaped, can we add flags to the command? Yes!
  • In this situation, the author can set flags for tar, the Unix archiving tool. RTFM.
  • Several tar options give code execution, including --to-command command_script, --checkpoint=1 --checkpoint-action=exec=<command> and -T <file>. Recall that the equals sign is not usable, which leaves fewer options to choose from.
  • All of the options that could execute code require a file path telling tar what to run. So, can we control a file path? Using a prior tar invocation (several are run in one set), the -P option writes to the file's absolute location instead of a relative one.
  • The exploit flow can now be completed. We use one tar command with -P to write a file to a known path in /tmp. Then we use one of the file-including flags to have tar execute that file. In the end, this required an additional step to get the code to execute, but it is essentially the same attack.
  • Long live command injection! Although this is slightly different, it is a good case of understanding what you have and using it to the fullest.
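The defensive side of the notes above, as an added Ruby example (not code from the post or from its author): it shows that Shellwords.escape leaves a leading - untouched, so a flag-shaped value survives escaping and reaches tar as an option, and then shows the controls that actually close the gap: an argv array passed to system without a shell, an allow-list that rejects a leading -, and the -- end-of-options marker that GNU tar's getopt-style parser honours. The file names, the archive name and the allow-list regex are constructed for the demonstration, and the archive path is assumed to be server-controlled rather than user input.

```ruby
require 'shellwords'

# Constructed sample values for the demonstration (not taken from the post).
BENIGN_NAME    = "report.txt"
FLAG_LIKE_NAME = "-P"

# Shellwords.escape backslash-escapes shell metacharacters, but '-' is in its
# safe set and passes through untouched, so a value that starts with '-' is
# still parsed by tar as an option once it reaches the command line.
def escaped_argument(value)
  Shellwords.escape(value)
end

# Escape-only pattern: the escaping defeats shell metacharacters, yet a
# flag-shaped value survives intact and lands in tar's argument list.
def escape_only_tar_command(archive, member)
  "tar -cf #{Shellwords.escape(archive)} #{Shellwords.escape(member)}"
end

# Hardened pattern, three independent controls:
#   1. build an argv array and pass it to system/Process.spawn with no shell;
#   2. validate the user-controlled value against an allow-list that rejects a
#      leading '-' (so it can never be read as an option);
#   3. place '--' before it so tar's option parser treats whatever follows as
#      an operand even if the validation is ever loosened.
# MEMBER_NAME is a constructed allow-list: a plain file name that does not
# begin with '-' and contains no shell or path-separator characters.
MEMBER_NAME = /\A[A-Za-z0-9._][A-Za-z0-9._-]*\z/

def safe_tar_argv(archive, member)
  if member.start_with?("-")
    raise ArgumentError, "member name must not start with '-': #{member.inspect}"
  end
  unless member.match?(MEMBER_NAME)
    raise ArgumentError, "member name contains disallowed characters: #{member.inspect}"
  end
  # archive is assumed to come from the application, not from the user.
  ["tar", "-cf", archive, "--", member]
end

# Multi-argument system never invokes /bin/sh, so there is no shell parsing
# step left for either metacharacters or escaping to matter.
def run_tar(archive, member)
  system(*safe_tar_argv(archive, member))
end

if $PROGRAM_NAME == __FILE__
  puts escaped_argument(FLAG_LIKE_NAME)                    # -P  (unchanged)
  puts escape_only_tar_command("out.tar", FLAG_LIKE_NAME)  # tar -cf out.tar -P
  p safe_tar_argv("out.tar", BENIGN_NAME)                  # ["tar", "-cf", "out.tar", "--", "report.txt"]
  begin
    safe_tar_argv("out.tar", FLAG_LIKE_NAME)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The allow-list and the -- marker are deliberately redundant: the allow-list is the control you rely on, and -- is the backstop in case a later change to the regex admits a value beginning with a dash. Note that escaping the equals sign (which Shellwords does) only narrows the flag forms that survive; it does not remove the problem, which is why validation of the value's shape, not just its characters, is the fix.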