Linux file permissions are commonly misconfigured. This is a guide on how to leverage that to read files that we were not intended to have access to.

Using ls to Find Files in /etc/

ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.*w.*/' # Write bit set for anyone (owner, group or other)
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^..w/' # Owner can write
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.....w/' # Group can write

Looking at File Permissions for SUID and SGID

find / -perm -1000 -type d 2>/dev/null # sticky bit - only the owner of a file (or of the directory) can delete or rename it
find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - runs as the group that owns the file
find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as user that owns the file

Finding World Writeable Files and Folders

find / -writable -type d 2>/dev/null # folders the current user can write to
find / -perm -o+x -type d 2>/dev/null # world executable folders
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print # world writable folders without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print # files under /dir with no valid owner or group

Credit: These are from g0tmilk’s Basic Linux Privilege Escalation guide.
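
The checks above combined into one audit pass that tags each finding by type and skips sticky directories such as /tmp. This is an added example, not part of the original page or of g0tmilk's guide; the function names, tags and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample tree are constructed.

# Prefix every path read on stdin with a finding tag.
tag() { awk -v t="$1" '{ print t "\t" $0 }'; }

# audit_perms ROOT: print "TAG<TAB>PATH" for each finding under ROOT.
audit_perms() {
    root=$1
    # Files any user may modify (mode bit 0002).
    find "$root" -xdev -type f -perm -0002 2>/dev/null | tag WORLD_WRITABLE_FILE
    # World-writable directories lacking the sticky bit (1000): any user can
    # delete or replace entries owned by someone else.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | tag WORLD_WRITABLE_DIR_NO_STICKY
    # SUID (4000) and SGID (2000) files, to compare against a known baseline.
    find "$root" -xdev -type f -perm -4000 2>/dev/null | tag SUID
    find "$root" -xdev -type f -perm -2000 2>/dev/null | tag SGID
    # Entries whose numeric owner or group no longer maps to an account.
    find "$root" -xdev \( -nouser -o -nogroup \) 2>/dev/null | tag UNOWNED
}

# count_findings ROOT TAG: number of findings of one type under ROOT.
count_findings() {
    audit_perms "$1" | awk -F '\t' -v t="$2" '$1 == t { n++ } END { print n + 0 }'
}

# Constructed sample tree (not real system data) with one instance of each case.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared" "$d/tmp_like" "$d/private"
    chmod 0777 "$d/shared"      # world-writable, no sticky bit: flagged
    chmod 1777 "$d/tmp_like"    # world-writable with sticky bit, like /tmp: not flagged
    chmod 0755 "$d/private"
    : > "$d/private/app.conf";  chmod 0666 "$d/private/app.conf"   # flagged
    : > "$d/private/notes.txt"; chmod 0644 "$d/private/notes.txt"  # not flagged
    : > "$d/private/helper";    chmod 4755 "$d/private/helper"     # SUID: flagged
    printf '%s\n' "$d"
}

sample=$(make_sample_tree)
audit_perms "$sample"
rm -rf "$sample"
```

To audit a real tree, call `audit_perms /etc` (or another path); `-xdev` keeps the scan on a single filesystem.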