Safe Penetration Testing Labs · intermediate · ~15 min

Write a USTAR tar header for an evidence bundle

Render a USTAR tar header for a single file, ready to prepend to its bytes.

Overview

Zero the 512 bytes, fill name + size (octal) + magic + version + typeflag, set checksum field to spaces, sum all bytes, write the checksum as 6 octal digits + NUL + space.

Why it matters

Evidence bundles are how engagement findings travel between systems. Knowing the format means you can audit any archive you receive.

Lesson

Why this matters

Engagement deliverables are bundles: logs, screenshots, the report, the JSON of findings, all packed into a .tar. The USTAR format is small, ancient, and unambiguous: a 512-byte header per file, then the file bytes padded to a multiple of 512 bytes.

We write the header. The payload is whatever was passed in.

The header layout (USTAR)

offset  size  field
0       100   name           (NUL-padded ASCII)
100     8     mode           (octal ASCII + NUL)
108     8     uid            (octal ASCII + NUL)
116     8     gid            (octal ASCII + NUL)
124     12    size           (octal ASCII + NUL)
136     12    mtime          (octal ASCII + NUL)
148     8     checksum       (6 octal digits + NUL + space)
156     1     typeflag       ('0' for regular file)
157     100   linkname       (NUL)
257     6     magic          ("ustar\0")
263     2     version        ("00")
...     ...   (rest zero)

Checksum: sum of every byte in the 512-byte header with the checksum field treated as 8 spaces.

Your job

Implement int write_ustar_header(const char *name, size_t size, uint8_t out[512]). Fill the 512-byte buffer with the header. Return 0 on success or -1 on:

  • NULL name or NULL out
  • strlen(name) >= 100
  • size doesn't fit in 11 octal digits (which is the size field's capacity minus the NUL).

Common mistakes

  • Forgetting that the checksum field is spaces during computation, not the actual checksum bytes.
  • Writing size in decimal. It's octal.
  • Forgetting the NUL after the checksum's 6 octal digits.
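
One way to implement the job above, together with the matching audit-side check; this is an added example, not the lab's reference solution. Following the Overview, mode, uid, gid and mtime stay zeroed, and the helper names ustar_checksum and ustar_checksum_ok are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets come from the layout table; helper names are illustrative. */
enum { BLOCK = 512, OFF_SIZE = 124, OFF_CHKSUM = 148, OFF_TYPEFLAG = 156,
       OFF_MAGIC = 257, OFF_VERSION = 263 };

/* Sum all 512 bytes, always counting the checksum field as 8 spaces. */
unsigned ustar_checksum(const uint8_t hdr[BLOCK]) {
    unsigned sum = 0;
    for (size_t i = 0; i < BLOCK; i++)
        sum += (i >= OFF_CHKSUM && i < OFF_CHKSUM + 8) ? (unsigned)' ' : hdr[i];
    return sum;
}

int write_ustar_header(const char *name, size_t size, uint8_t out[BLOCK]) {
    char field[24];
    if (name == NULL || out == NULL) return -1;
    size_t len = strlen(name);
    if (len >= 100) return -1;                        /* need room for a NUL */
    if ((uint64_t)size > 077777777777ULL) return -1;  /* 11 octal digits max */
    memset(out, 0, BLOCK);           /* mode/uid/gid/mtime stay zeroed here */
    memcpy(out, name, len);
    snprintf(field, sizeof field, "%011llo", (unsigned long long)size);
    memcpy(out + OFF_SIZE, field, 12);                /* 11 digits + NUL */
    out[OFF_TYPEFLAG] = '0';
    memcpy(out + OFF_MAGIC, "ustar", 6);              /* copies the NUL too */
    memcpy(out + OFF_VERSION, "00", 2);
    snprintf(field, sizeof field, "%06o", ustar_checksum(out));
    memcpy(out + OFF_CHKSUM, field, 7);               /* 6 digits + NUL */
    out[OFF_CHKSUM + 7] = ' ';
    return 0;
}

/* Audit side: 1 if the stored checksum matches the recomputed one.
   Strict: accepts only the 6-octal-digit form described in this lesson. */
int ustar_checksum_ok(const uint8_t hdr[BLOCK]) {
    unsigned stored = 0;
    for (int i = 0; i < 6; i++) {
        uint8_t c = hdr[OFF_CHKSUM + i];
        if (c < '0' || c > '7') return 0;
        stored = stored * 8 + (unsigned)(c - '0');
    }
    return stored == ustar_checksum(hdr);
}
```

Because ustar_checksum ignores whatever is stored in the checksum field, the same function serves both when writing a header and when checking one you received.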

What this is NOT

  • A multi-file tarball builder. One header at a time.
  • A pax / gnu extended header. USTAR base only.

Summary

512-byte buffer, octal numbers, spaces-then-sum-then-overwrite checksum.
