gobuster dir -u http://10.10.10.88/webservices -w /usr/share/dirb/wordlists/common.txt
It reveals:
/webservices/wp/
Which is a WordPress installation.
⚙️ WordPress Enumeration
We use WPScan to enumerate plugins:
We identify the vulnerable plugin: Gwolle Guestbook.
The Above was what I, was supposed to do. but even after running WPScan i did not get the plugin (i had to look at a walkthrough to get this part)
🪨 Exploitation - Gaining Shell (RFI)
🔄 Crafting the Payload
We use the standard PHP reverse shell:
Start a web server:
Then trigger the RFI:
Catch the shell:
We land as www-data.
Escalating to Onuma
Run sudo -l as www-data reveals:
Use GTFOBins’ tar exploit:
Get TTY:
Now we’re onuma.
⬆️ Root Privilege Escalation
PS, this section took me almost 2 days. I tried giving it my all, coming after work to solve it, but I couldn't get through. Finally, today (on Sunday morning), after I dedicatedly sat and tried to understand it, I was able to solve it
We discover a suspicious systemd timer (via LinPEAS):
It points to /usr/sbin/backuperer, a custom backup script running as root every few minutes.
📂 Vulnerability in backuperer
The script:
Archives /var/www/html to a random file in /var/tmp/
Waits 30 seconds
Extracts the archive to /var/tmp/check
If the integrity check fails, it doesn't delete the extracted files
All of this runs as root
🚩 Exploit Plan
We compile a setuid root binary:
I built this on a Docker container running Ubuntu 16.04 (same as the TartarSauce box).
Compile the SUID binary:
Structure the payload:
Deliver to the target:
Overwrite the temp file created by backuperer:(happens every 5 min)
Wait ~30s. The backup script will extract exp.tar.gz to /var/tmp/check/var/www/html.
Then:
Make sure to use sh not bash to retain SUID privileges.
Boom. Root shell.
🔒 Defensive Learnings
Code hygiene matters: The script didn’t clean up the check directory on integrity failure.
Use effective privilege separation: Line 36 should’ve checked as onuma, not as root.
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check
# formatting
printbdr()
{
for n in $(seq 72);
do /usr/bin/printf $"-";
done
}
bdr=$(printbdr)
# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg
# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check
# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &
# Added delay to wait for backup to complete if large files get added. [0/1989]
/bin/sleep 30
# Test the backup integrity
integrity_chk()
{
/usr/bin/diff -r $basedir $check$basedir
}
/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
# Report errors so the dev can investigate the issue.
/usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran : $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
integrity_chk >> $errormsg
exit 2
else
# Clean up and save archive to the bkpdir.
/bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
/bin/rm -rf $check .*
exit 0
fi
