Privilege escalation from user wacky to root on the WingData machine (10.129.190.143).
Success! The root flag has been retrieved.
Credentials (wacky): wacky:!#7Blushing^*Bride5.6
User flag: e3e271dc8fae5af3a7adfc25cdb2dc9 (found in /home/wacky/user.txt)

Privilege escalation path (root):
sudo -l revealed that wacky could run /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py * as root without a password.
The script uses Python's tarfile module to extract archives provided by the user.
Extraction is performed with filter='data' (Python 3.12+), which is intended to prevent standard path traversal attacks (e.g., ../).
Direct path traversal (../../etc/passwd), library hijacking (PYTHONPATH), and argument injection were blocked by the filter or environment restrictions.
A weakness in tarfile's path resolution (specifically involving deep directory structures and symlinks) allows bypassing the data filter in certain Python versions (including 3.12.3). By crafting a tar archive with interleaved symlinks and directories, an attacker can trick the filter into resolving a path as safe while it actually points outside the extraction directory.

Exploitation steps:
Generated an SSH key pair (root_key) in /tmp.
Created a Python script on the target to generate a malicious tar archive (backup_9999.tar) in /opt/backup_clients/backups/.
The archive contained a specific structure: deeply nested directories and symlinks leading to an escape symlink that pointed to /root/.ssh/authorized_keys.
Executed the vulnerable script via sudo:
sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py -b backup_9999.tar -r restore_poc
The exploit successfully wrote the generated public key to /root/.ssh/authorized_keys.
Logged in over SSH to localhost as root using the generated private key.
Root flag: c3fe8a8e84a183701925521af50fbb4c

Artifacts:
/tmp/root_key (Private SSH Key)
/tmp/root_key.pub (Public SSH Key)
/tmp/pwn_tar.py (Exploit Generator Script)
/opt/backup_clients/backups/backup_9999.tar (Malicious Archive)
/opt/backup_clients/restored_backups/restore_poc (Extraction Directory)
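The restore script abused above relies on tarfile's filter='data' as its only safeguard. The following is an added example, not code from the write-up or from the target's restore_backup_clients.py, of a defence-in-depth extractor for the same situation: it refuses symlink and hardlink members outright, rejects absolute or parent-traversing names, and re-resolves every member's destination with realpath() immediately before writing it, so a symlink already present in the restore directory cannot redirect a write outside it. Because the extractor never creates symlinks itself, an archive cannot build the interleaved symlink-and-directory chain the write-up depends on. The function names (safe_extract, build_sample_archive, demo), the sample archive contents and a POSIX filesystem are assumptions.

```python
import io
import os
import tarfile
import tempfile


def _resolves_inside(base: str, candidate: str) -> bool:
    """True if candidate, with every symlink resolved, lies at or below base."""
    base_real = os.path.realpath(base)
    cand_real = os.path.realpath(candidate)
    return cand_real == base_real or cand_real.startswith(base_real + os.sep)


def safe_extract(archive_path: str, dest: str) -> dict:
    """Extract only regular files and directories whose resolved path stays under dest.

    Link members and special files are refused, so the extractor itself never
    creates a symlink that a later member could traverse. Each member is checked
    with realpath() right before it is written, which also catches symlinks that
    already existed inside dest. Returns {"extracted": [...], "rejected": [...]}.
    """
    os.makedirs(dest, exist_ok=True)
    summary = {"extracted": [], "rejected": []}
    # use filter='data' where the interpreter provides it (3.12+ and backports)
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            if member.issym() or member.islnk():
                summary["rejected"].append((name, "link member refused"))
                continue
            if not (member.isfile() or member.isdir()):
                summary["rejected"].append((name, "special member refused"))
                continue
            if os.path.isabs(name) or ".." in name.split("/"):
                summary["rejected"].append((name, "absolute or parent-traversing name"))
                continue
            target = os.path.join(dest, name)
            if not _resolves_inside(dest, target):
                summary["rejected"].append((name, "resolves outside destination"))
                continue
            tar.extract(member, path=dest, **extract_kwargs)
            summary["extracted"].append(name)
    return summary


def build_sample_archive(path: str) -> None:
    """Write a constructed sample archive (assumed data, not from the write-up):
    one benign file, one parent-traversing name, one symlink member, and one file
    whose leading directory name collides with a symlink present in the restore dir."""
    payload = b"client record\n"

    def add_file(tar, name):
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))

    with tarfile.open(path, "w") as tar:
        add_file(tar, "client/notes.txt")
        add_file(tar, "../escape.txt")
        link = tarfile.TarInfo("ln")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)
        add_file(tar, "link/evil.txt")


def demo() -> dict:
    """Run safe_extract against the sample archive inside a scratch directory."""
    with tempfile.TemporaryDirectory() as work:
        archive = os.path.join(work, "sample.tar")
        build_sample_archive(archive)
        dest = os.path.join(work, "restore")
        outside = os.path.join(work, "outside")
        os.makedirs(dest)
        os.makedirs(outside)
        # a symlink already present in the restore directory, pointing outside it
        os.symlink(outside, os.path.join(dest, "link"))
        summary = safe_extract(archive, dest)
        summary["outside_untouched"] = os.listdir(outside) == []
        summary["escape_absent"] = not os.path.exists(os.path.join(work, "escape.txt"))
        summary["notes_present"] = os.path.isfile(os.path.join(dest, "client", "notes.txt"))
        return summary


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows only client/notes.txt being written; the three other members are rejected before any filesystem write, and the pre-existing link directory and the parent of the restore directory stay untouched. The per-member realpath() check is the part the filter alone does not give you: it is evaluated against the filesystem as it is at that moment, not against the archive's declared layout.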