tar

The tar command and its most useful flags, with an explanation of each and where it is used.

This guide walks you through the different flags and options of the tar command and where you might need them during an active engagement.

Basic Commands

  1. Create a new archive

    tar -cvf backup.tar /var/www

    • c → create
    • v → verbose
    • f → filename

    What it does:
    Recursively archives files/directories.

    🔴 Pentesting Use Cases:
    📦 Exfiltrating data cleanly (z → gzip compression):

     tar -czf loot.tar.gz /etc /var/www

    📦 Packing reverse shell toolkit before upload
    📦 Bundling post-exploitation findings.

    💡 On compromised systems, tar is almost always installed — reliable for staging data.


  2. Extract an archive

    tar -xvf backup.tar

    • x → extract
    • v → verbose
    • f → filename

    What it does:
    Extracts the archive contents.

    🔴 Pentesting Use Cases:
    📦 Deploying uploaded tools
    📦 Unpacking privesc scripts
    📦 Extracting backups found on the system


  3. List Archive Content

    tar -tvf backup.tar

    • t → list (table of contents)
    • v → verbose
    • f → filename

    What it does:
    Lists the contents without extracting anything.

    🔴 Pentesting Use Cases:
    📦 Before extracting an unknown archive:

     tar -tf suspicious.tar

    📦 Prevents accidental file overwrite
    📦 Detects malicious archive entries like:

     ../../etc/passwd

  4. Append Files

     tar -rf backup.tar newfile.txt

    What it does:
    Adds files to the end of the archive.

    ⚠️ Cannot be used on compressed archives.

    🔴 Pentesting Use Cases:
    📦 Add new loot incrementally without rebuilding the archive.

  5. Update (Append only if newer)

    tar -uvf backup.tar file.txt

    What it does:
    Adds the file only if it is newer than the archived version.
    It DOES NOT replace the old copy — it appends a new version.
    The archive may therefore contain multiple versions of the same file.

    ⚠️ Cannot be used on compressed archives.

    🔴 Pentesting Use Cases:
    📦 Incremental backups during a long engagement
    📦 Preserving a timeline of file changes
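The pre-extraction check from the "List Archive Content" item, as an added example that is not part of the original post: it builds a constructed sample archive in memory with Python's tarfile module (rather than the tar binary) and reports every entry that would land outside an assumed extraction directory, including symlink and hardlink targets that a plain name listing does not reveal. The destination path /srv/extract and the member names are assumptions for the demonstration.

```python
import io
import posixpath
import tarfile

DEST = "/srv/extract"  # assumed extraction directory the audit reasons about

def make_sample_archive() -> bytes:
    """Constructed sample archive, built in memory (not taken from any real system)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in [("www/index.html", b"<h1>ok</h1>\n"),
                              ("../../etc/passwd", b"root:x:0:0::/root:/bin/sh\n"),
                              ("/etc/cron.d/job", b"* * * * * root /tmp/x\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("www/config")  # symlink whose target leaves DEST
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc/shadow"
        tar.addfile(link)
    return buf.getvalue()

def _inside(path: str, dest: str) -> bool:
    """True if the normalised path is dest itself or lies below it."""
    norm = posixpath.normpath(path)
    return norm == dest or norm.startswith(dest + "/")

def audit(data: bytes, dest: str = DEST) -> list:
    """Return [(member_name, reason)] for every entry that would escape dest
    or create something a plain name listing would not show as dangerous."""
    dest = posixpath.normpath(dest)
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            target = posixpath.join(dest, m.name)  # an absolute name replaces dest
            if not _inside(target, dest):
                findings.append((m.name, "path escapes destination"))
            if m.issym():  # symlink targets resolve relative to the link's directory
                if not _inside(posixpath.join(posixpath.dirname(target), m.linkname), dest):
                    findings.append((m.name, "symlink -> " + m.linkname))
            elif m.islnk() and not _inside(posixpath.join(dest, m.linkname), dest):
                findings.append((m.name, "hardlink -> " + m.linkname))
            if m.ischr() or m.isblk():
                findings.append((m.name, "device node"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(make_sample_archive()):
        print(f"UNSAFE {name}: {reason}")
```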

Step 2: Create a System User for the Binary

  1. Create a system user with no login access:

    sudo useradd -s /usr/sbin/nologin -r -M cloudflared

    • What is a system user? A system user is a user account created for running system processes or services, rather than for interactive login by human users.
    • What is nologin access? Using nologin for the shell means the user cannot log in interactively, which enhances security by preventing potential misuse of the account.
    • Explanation of -s, -r, and -M:
      • -s /usr/sbin/nologin: Sets the user’s shell to nologin, preventing interactive logins.
      • -r: Creates a system account, typically with a UID lower than 1000.
      • -M: Prevents the creation of a home directory for the user.

Step 3: Configure the Binary

  1. Create and edit the configuration file:

    sudo nano /etc/default/cloudflared


    Example configuration:

    # Commandline args for cloudflared, using Cloudflare DNS
    CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query

    • What is /etc/default directory for? The /etc/default directory is used to store configuration files for various system services. These files typically define environment variables and command-line options.
  2. Set the appropriate permissions for the configuration file and the binary:

    sudo chown cloudflared:cloudflared /etc/default/cloudflared
    sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared

    • Why set owner and group to cloudflared? Changing the ownership ensures that only the cloudflared user has the necessary permissions to read and execute the binary, enhancing security.

Step 4: Create a Systemd Service

  1. Create and edit the systemd service file:
    • What is /etc/systemd/system/ directory for? This directory is used to store service unit files that define systemd services. These files control how services are started, stopped, and managed on the system.

    sudo nano /etc/systemd/system/cloudflared.service


    Service file configuration:

    [Unit]
    Description=cloudflared DNS over HTTPS proxy
    After=syslog.target network-online.target
    
    [Service]
    Type=simple
    User=cloudflared
    EnvironmentFile=/etc/default/cloudflared
    ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
    Restart=on-failure
    RestartSec=10
    KillMode=process
    
    [Install]
    WantedBy=multi-user.target
    

    Explanation of the directives:

    • [Unit]
      • Description: Describes the service.
      • After: Specifies the service dependencies. The service will start after the listed targets.
    • [Service]
      • Type: Defines the service type. simple means the service will be considered started right after the ExecStart command is executed.
      • User: The user under which the service will run.
      • EnvironmentFile: Specifies the file containing environment variables.
      • ExecStart: The command to start the service.
      • Restart: Defines the restart policy. on-failure restarts the service if it fails.
      • RestartSec: The time to wait before restarting the service.
      • KillMode: How the service’s processes are killed.
    • [Install]
      • WantedBy: Specifies the target under which the service should be started. multi-user.target means the service will start in multi-user mode (default for most servers).

Step 5: Enable and Start the Service

  1. Enable the service to start on boot:

    sudo systemctl enable cloudflared
    
  2. Start the service:

    sudo systemctl start cloudflared
    
  3. Check the status of the service:

    sudo systemctl status cloudflared
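The unit file from Step 4 and the EnvironmentFile from Step 3, as an added example that is not part of the original guide or of the cloudflared project: a minimal parser for both files (not systemd's full grammar) that resolves the exact argv systemd will execute, using systemd's rule that an unbraced $VAR is split on whitespace into several arguments while ${VAR} becomes a single argument, and flags a unit that would run as root. The embedded file contents are constructed, trimmed copies of the ones above.

```python
UNIT_TEXT = """[Unit]
[Service]
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
[Install]
WantedBy=multi-user.target
"""  # constructed, trimmed copy of the unit from Step 4
ENV_TEXT = "CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query\n"

def parse_unit(text: str) -> dict:
    """Minimal unit-file parser: {section: {key: [values, in file order]}}."""
    sections, current = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = sections.setdefault(line[1:-1], {})
        else:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def parse_env_file(text: str) -> dict:
    """EnvironmentFile= syntax: one KEY=VALUE per line (quoting not handled here)."""
    pairs = (l.partition("=") for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def resolve_exec_start(exec_line: str, env: dict) -> list:
    """Expand as systemd does: $VAR is split on whitespace into several argv words,
    while ${VAR} is substituted as exactly one word."""
    argv = []
    for word in exec_line.split():
        if word.startswith("${") and word.endswith("}"):
            argv.append(env.get(word[2:-1], ""))
        elif word.startswith("$"):
            argv.extend(env.get(word[1:], "").split())
        else:
            argv.append(word)
    return argv

def check_service(unit_text: str = UNIT_TEXT, env_text: str = ENV_TEXT) -> tuple:
    """Return (argv, findings): the command systemd will exec and any root-user finding."""
    unit, env = parse_unit(unit_text), parse_env_file(env_text)
    svc = unit.get("Service", {})
    argv = resolve_exec_start(svc.get("ExecStart", [""])[-1], env)
    user = svc.get("User", ["root"])[-1]  # systemd defaults to root when User= is absent
    findings = [] if user != "root" else ["runs as root: set User= to a dedicated system account"]
    return argv, findings
```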
    

Additional Information

  • What is multi-user.target? multi-user.target is a systemd target that signifies the system is in multi-user mode. It’s similar to the traditional runlevel 3, where multiple users can log in.

This guide provides a comprehensive example of how to install a binary, create a system user, configure the binary, and set up a systemd service to manage the binary. Adjust the specific paths, user names, and configuration options as needed for your particular use case.

This post is licensed under CC BY 4.0 by the author.
