> For the complete documentation index, see [llms.txt](https://intrusionz3r0.gitbook.io/intrusionz3r0/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://intrusionz3r0.gitbook.io/intrusionz3r0/linux-penetration-testing/privilege-escalation/writable-.service-files.md).

# Writable .service files

Check if you can write any `.service` file, if you can, you **could modify it** so it **executes** your **backdoor when** the service is **started**, **restarted** or **stopped** (maybe you will need to wait until the machine is rebooted). For example create your backdoor inside the .service file with **`ExecStart=/tmp/script.sh`**

{% hint style="info" %}
The path /etc/system stores services
{% endhint %}

Find writeable service

```bash
#Find Services
nagios@monitored:/etc/systemd$ find /etc/systemd -name "*.service" 2>/dev/null 
<SNIF>
/etc/systemd/system/multi-user.target.wants/nagios.service
<SNIF>
```

This service is vulnerable by my user nagios and to exploit it, you have to replace it with payload and restart the service

```bash
nagios@monitored:/etc/systemd$ find /etc/systemd/ -name "nagios.service" | xargs cat | grep -E "ExecStart=.*?" | cut -d '=' -f2 | cut -d ' ' -f1 | xargs ls -la
-rwxrwxr-- 1 nagios nagios 717648 Nov  9  2023 /usr/local/nagios/bin/nagios
```

**Machice example**: [**Monitored**](https://www.notion.so/Monitored-1543519b5b5c80a9be7fce54b38b7f93?pvs=21)
