Wildcards - Chown
Learnt on tryhackme's skynet
Last updated
Learnt on tryhackme's skynet
Last updated
Consider a directory where there are two files. One is owned by benign (innocent) user: kali and the other is owned by user:root. Clearly the file owned by root has some important information.
A malignant user: newuser wants to read the file with important infor but can't as it doesn't as it doesn't have the rights to. However, he found a crontab job that will change all text file's permissions inside the /home/kali/wildcard directory to root after every 5 minutes.
So, now if newuser wants to read important file, he can exploit this using wildcards.
CHOWN: Command in Linux used to change ownership of a file. For example the following code changes owndership of somefile.txt in newuser's directory to user: kali instead of the existing user.
sudo chown -R kali:kali /home/newuser/somefile.txt
Similarly, if I want to change ownership of somefile.txt based on existing file, I owuld use --reference flag like so:
sudo chown -R /home/newuser/somefile.txt --reference=/home/kali/.bash_history
Now, coming back to our example, newuser wants to take control of file_with_imp_info.txt, he can use --reference option too, like so:
Let's check if newuser is able to read the important file right now.
After waiting for 5 minutes, magic happened
WHY? => Because when the crontab command (chown -R kali:kali /home/wildcard/*.txt) ran, newuser had changed one of the text files' name to a wildcard --reference=my.txt.
Thus, the command in the background became:
chown -R kali:kali /home/wildcard/existingfile.txt /home/kali/wildcard/file_with_imp_info.txt /home/kali/wildcard/my.txt /home/kali/wildcard/ --reference=my.txt
This command forced all the text files to take ownership from the reference file my.txt and since my.txt was owned by newuser, all the other files got owned by newuser when the cronjob ran!
IMPORTANT => --reference option overrides specified user:group value in the command!!
REMEDIATION=> Do not use wildcards in cronjobs instead use absolute references only and keep it readable/writable by root only
