
Wildcards Understanding and Using for Hacking

  

I would like to highlight the use of wildcards, because they are incredibly important, especially for hacking-related work and some programming. In this article I will cover one interesting old-school Unix hacking technique that still works nowadays, in 2020.

In real-world attacks, arbitrary shell options and/or arguments could be hidden among regular files and not be easily spotted by the administrator. The same applies to cron jobs, shell scripts, or web applications that call shell commands.



This article has been on the shelf for a while, actually for almost half a year, as you might see from the date on the pictures. The reason for this is because I find it quite difficult to write about this. I sincerely hope that this article is helpful.


 

How can I use the wildcards?

Use your imagination……


 

Have some wildcards fun

Do you know you have a secret weapon in your pocket? It’s called a “wildcard”.

/???/??t /???/??ss??
With this command, I can read your password file 😃



 

Some Shell Wildcards

? The question mark matches any single character.
* An asterisk matches any number of characters in a filename, including none.
[ ] Brackets enclose a set of characters, any one of which may match a single character at that position.
- A hyphen used within [ ] denotes a range of characters.
~ A tilde at the beginning of a word expands to the name of your home directory. If you append another user’s login name to the character, it refers to that user’s home directory.


 

Basic example of wildcards usage

List all files with the Python extension

ls *.py

Delete all Python files (rm = remove)

(Warning: if you use this command, do it on a test machine, or make sure you know what you are doing.)

rm *.py

List all files whose names begin with the string ‘test’ and have exactly one additional character

ls test?

If you look at these examples above, I don’t think I need to explain to you what options you can use with this as well. Use your imagination.


 

Information on wildcards

There is a lot of bash syntax that lets you execute system commands using just the forward slash “/”, the question mark “?”, numbers, and letters. You can even enumerate files and get their content.

For information on wildcards, use the following command:

man 7 glob

Instead of executing the ls command, you can use the following:


/???/?s --help

The question mark wildcard represents exactly one character, which can be any character. If you know part of a filename but not one letter, you can use this wildcard.

For example, ls *.?? would list all files in the directory that have an extension 2 characters in length, so files with extensions like .py would be listed.

Likewise, ls *.??? would list all files in the directory that have an extension 3 characters in length. Thus files having extensions such as .png, .pdf, .txt would be listed.


 

Wildcards /???/??t /???/p??s??

Read your password file

As you can see in the screenshot, there are 3 errors “/bin/cat *: Is a directory”. This happens because /???/??t can be “translated” to /bin/cat but also to /dev/net or /etc/apt, etc. The shell runs the first match as the command and passes the remaining matches to it as arguments.

Standard: /bin/cat /etc/passwd

Evasion: /???/??t /???/??ss??

Used chars: / ? t s

Why do I use “?” instead of “*”? Because the asterisk (*) is widely used for comment syntax (something like /* I’m a comment */) and WAFs block it in order to avoid SQL injection.


 

Enumerate files and directories using echo

 

Install HTTPie (provides the http command)

sudo apt install httpie

In this image I am using Anarchy Linux


The echo command can enumerate files and directories on a file system using a wildcard. For example:

http 'http://website.com/?c=echo+/???/??ss??'
http 'http://ip-address/?c=echo+/???/??ss??'
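A defensive counterpart to the requests above, as an added example (not code from the original article): a shell filter that treats each word of a request parameter as a glob pattern and reports which entries of a watch-list it would resolve to. The function names, the watch-list and the sample values in the closing comment are constructed for illustration.

```shell
#!/bin/sh
# Added example. WATCHLIST and all function names are assumptions made for
# this sketch; extend the list with the binaries and files you care about.
WATCHLIST='/bin/cat /bin/ls /etc/passwd /etc/shadow'

# Succeeds when the word contains a glob metacharacter (? * or [).
has_glob() {
    case $1 in
        *\?*|*\**|*\[*) return 0 ;;
    esac
    return 1
}

# Print each watch-list path that the word matches when used as a pattern.
# "case" lets ? and * match "/", so this can over-report, not under-report.
glob_hits() {
    for p in $WATCHLIST; do
        case $p in
            $1) printf '%s\n' "$p" ;;
        esac
    done
}

# Scan one parameter value: "+" is treated as a space, each word is tested,
# and "pattern -> matches" is printed for every suspicious word.
# The body runs in a subshell with "set -f" so that the patterns are never
# expanded against the local filesystem.
scan_param() (
    set -f
    for word in $(printf '%s' "$1" | tr '+' ' '); do
        has_glob "$word" || continue
        hits=$(glob_hits "$word" | tr '\n' ' ')
        if [ -n "$hits" ]; then
            printf '%s -> %s\n' "$word" "${hits% }"
        fi
    done
)

# Constructed sample values to try:
#   scan_param 'echo+/???/??ss??'
#   scan_param '/???/??t+/???/??ss??'
```

Matching against a watch-list instead of blocking the characters themselves avoids the problem the article describes, where a filter that only looks for “*” lets “?” through.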

 

Linux kernel RCE vulnerability (Remote Code Execution)

 

Netstat Wildcard

Netstat uses an asterisk * as a wildcard which means “any”.

Example output:

.... Local Address    Foreign Address    State
...  *:smtp           *:*                LISTEN

Under “Local Address”, the * in *:smtp means the process is listening on all of the network interfaces the machine has, on the port mapped as SMTP (see /etc/services for service resolution). This can also be shown as 0.0.0.0. The first * in *:* means connections can come from any IP address, and the second * in *:* means the connection can originate from any port on the remote machine.


 

Chmod file reference trick

An interesting attack involves ‘chmod’. Chmod also has a --reference option that can be abused to specify arbitrary permissions on files selected with the asterisk wildcard.

[Screenshot: chmod manual page (man chmod)]

[Screenshot: chmod file reference trick]

What happened? Instead of 000, all files are now set to mode 777 because of the ‘--reference’ option supplied through a file name.

Besides the --reference option, an attacker can also create another file with the filename ‘-R’, to change file permissions on files in all subdirectories recursively.
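The effect described above next to its fix, as an added example that is not part of the original article: it rebuilds the situation in a throwaway directory and compares chmod 000 * with chmod 000 ./*. It assumes GNU coreutils (chmod --reference, stat -c); the file names and function names are constructed.

```shell
#!/bin/sh
# Added example. Everything happens inside a fresh mktemp directory; the file
# names and function names are constructed for the demonstration.

# Create two ordinary files, a mode-777 file, and a file whose NAME is a
# chmod option pointing at the 777 file. Prints the sandbox path.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    : > "$dir/a.txt"; : > "$dir/b.txt"; : > "$dir/ref.file"
    chmod 644 "$dir/a.txt" "$dir/b.txt"
    chmod 777 "$dir/ref.file"
    : > "$dir/--reference=ref.file"
    printf '%s\n' "$dir"
}

# Octal mode of a file, e.g. 644 (a file with no permissions prints 0).
mode_of() { stat -c '%a' "$1"; }

# Vulnerable form: the shell expands * before chmod starts, so GNU chmod sees
# "--reference=ref.file" as an option and "000" as just another file name.
unsafe_lockdown() {
    ( cd "$1" && chmod 000 * 2>/dev/null ) || :   # chmod reports an error
    mode_of "$1/a.txt"
}

# Hardened form: every expanded word starts with "./", never with "-".
# "chmod 000 -- *" (end-of-options marker) is the equivalent alternative.
safe_lockdown() {
    ( cd "$1" && chmod 000 ./* )
    mode_of "$1/a.txt"
}

# Audit helper: list entries under a directory whose name begins with "-".
find_dash_names() { find "$1" -name '-*' -print; }

# Run "sh thisfile demo" to see both results side by side.
if [ "${1:-}" = demo ]; then
    d1=$(make_sandbox); d2=$(make_sandbox)
    echo "chmod 000 *   -> a.txt mode $(unsafe_lockdown "$d1")"
    echo "chmod 000 ./* -> a.txt mode $(safe_lockdown "$d2")"
    find_dash_names "$d1"
    rm -rf "$d1" "$d2"
fi
```

The same ./ prefix or -- marker applies to any command run over a glob in a directory that other users can write to, including the cron jobs and shell scripts mentioned at the start of the article.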

In the future I would certainly supplement this article, because there is so much to say and write about this.


 

IMPORTANT THINGS TO REMEMBER

  • This article was written for educational purposes and pentest only.
  • The author cannot be held responsible for damages caused by the use of these resources.
  • You will not misuse the information to gain unauthorized access.
  • The information shall only be used to expand knowledge and not for causing malicious or damaging attacks.
  • Just remember, performing any hacks without written permission is illegal!


All the techniques provided in the tutorials on the hackingpassion.com, YouTube channel, and on the website hackingpassion.com are meant for educational purposes only.

If you are using any of those techniques for illegal purposes, hackingpassion.com can’t be held responsible for possible lawful consequences.

My goal is to educate people and increase awareness by exposing methods used by real black-hat hackers and show how to secure systems from these hackers.


 


By Bulls Eye


My name is Jolanda de Koff and on the internet, I'm also known as Bulls Eye. Ethical Hacker, Penetration tester, Researcher, Programmer, Self Learner, and forever n00b. Not necessarily in that order. Like to make my own hacking tools and I sometimes share them with you. "You can create art & beauty with a computer and Hacking is not a hobby but a way of life ..."

I ♥ open-source and Linux