Writable .service files

Check whether you can write to any .service file. If you can, you could modify it so that it executes your backdoor when the service is started, restarted or stopped (you may need to wait until the machine is rebooted). For example, create your backdoor inside the .service file with ExecStart=/tmp/script.sh

The path /etc/systemd stores services.

Find writable services

# Find services
nagios@monitored:/etc/systemd$ find /etc/systemd -name "*.service" 2>/dev/null
<SNIP>
/etc/systemd/system/multi-user.target.wants/nagios.service
<SNIP>

This service is exploitable by my user, nagios. To exploit it, you have to replace it with a payload and restart the service. The check below lists the binary named in its ExecStart line, which is owned by nagios:

nagios@monitored:/etc/systemd$ find /etc/systemd/ -name "nagios.service" | xargs cat | grep -E "ExecStart=.*?" | cut -d '=' -f2 | cut -d ' ' -f1 | xargs ls -la
-rwxrwxr-- 1 nagios nagios 717648 Nov  9  2023 /usr/local/nagios/bin/nagios
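
To audit a host for this misconfiguration, the added example below (not from the original page) reports every unit file or Exec* binary that is owned by an account other than a trusted owner or is group- or world-writable. It assumes GNU stat; TRUSTED_OWNER and the function names are illustrative, and the fixture built by make_sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU stat.
# TRUSTED_OWNER and the function names are illustrative.

# Print why FILE is risky and return 0; return 1 if it is absent or looks safe.
risky_file() {
    local owner mode
    [ -e "$1" ] || return 1
    owner=$(stat -L -c '%U' "$1")
    mode=$(stat -L -c '%a' "$1")
    if [ "$owner" != "${TRUSTED_OWNER:-root}" ]; then
        echo "owner=$owner"; return 0
    fi
    # 022 = group-write | other-write
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "mode=$mode"; return 0
    fi
    return 1
}

# Print "unit -> file (reason)" for each finding under the given directories.
audit_units() {
    find "$@" -name '*.service' 2>/dev/null | while IFS= read -r unit; do
        # Check the unit file itself, then the first word of every Exec* line
        # with systemd's optional prefix characters (-, @, :, +, !) removed.
        { echo "$unit"
          sed -nE 's/^Exec[A-Za-z]+=[-@:+!]*([^[:space:]]+).*/\1/p' "$unit"
        } | while IFS= read -r target; do
            if reason=$(risky_file "$target"); then
                echo "$unit -> $target ($reason)"
            fi
        done
    done
}

# Constructed fixture under DIR: "weak" runs a mode-774 binary (the mode in
# the listing above), "tight" runs a mode-755 one.
make_sample() {
    mkdir -p "$1/units" "$1/bin"
    for name in weak tight; do
        printf '[Service]\nExecStart=%s/bin/%s -d\n' "$1" "$name" \
            > "$1/units/$name.service"
        : > "$1/bin/$name"
        chmod 644 "$1/units/$name.service"
    done
    chmod 774 "$1/bin/weak"; chmod 755 "$1/bin/tight"
}

if [ "$#" -gt 0 ]; then audit_units "$@"; fi   # e.g. ./audit.sh /etc/systemd
```

A finding is cleared by making root the owner of the unit file and the binary and removing group and world write permission from both.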

Machine example: Monitored
