> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/linux/capabilities/privilege-escalation-linux-filesystem-search.md).

# Filesystem Search

## Discover Writable Executable Scripts Via Find

Identify files that are executable (`x`) and writable (`w`) by `all` users or specific groups using the `find` command with the `-perm /a=r+w+x` flag. This flag checks if the read, write, *and* execute bits are set for *any* permission set (owner, group, or others). Combine this with `-type f` and optionally filter by group (`-group <group_name>`).

```bash
find / -type f -perm /a=r+w+x -group users 2>/dev/null
```

The example command specifically looks for files anywhere (`/`) that are regular files (`-type f`), have read, write, and execute permissions set for *any* user category (`-perm /a=r+w+x`), and belong to the `users` group (`-group users`). This helps uncover scripts or binaries that a low-privileged user in that group could modify and potentially use for privilege escalation if the file is executed by a higher-privileged process or user.

Beyond this specific check, the `find` command with the `-perm` flag is a versatile tool for identifying files with potentially insecure permissions that could be leveraged for privilege escalation. Common uses include finding files with the SUID or SGID bits set, or files that are writable by users other than the owner.

Examples of using `find -perm` to identify such files include:

```bash
find / -perm -4000 -print 2>/dev/null # SUID
find / -perm -2000 -print 2>/dev/null # SGID
find / -perm -0002 -print 2>/dev/null # World Writable
find / -perm -0020 -print 2>/dev/null # Group Writable
```

These commands search the entire filesystem (`/`) for files (`-type f` is often added for precision, though omitted in the snippets above for brevity) with specific permission bits set for all user categories (`-perm -mode`). The `-4000` mode identifies SUID files, `-2000` identifies SGID files, `-0002` identifies files writable by "others" (world-writable), and `-0020` identifies files writable by the group. Redirecting standard error to `/dev/null` (`2>/dev/null`) suppresses permission denied errors during the scan. Discovering such files is a critical step in many Linux privilege escalation methodologies.
