Capabilities

Linux capabilities are similar to SUID in that they let a binary run with privilege its caller does not have. Traditionally a process is either privileged (running as UID 0) or unprivileged (running as any other UID): kernel permission checks are skipped for UID 0 and enforced for everyone else. Capabilities split root's privileges into separate units that can be granted to a file individually, which is more secure than an all-or-nothing SUID bit, but a binary holding the wrong capability can still be abused for privilege escalation.

Hunting capabilities

getcap -r / 2>/dev/null

cap_setuid+ep means the file carries the CAP_SETUID capability with the e (effective) and p (permitted) flags set, so any user who runs the binary gets a process that is allowed to change its UID, including to 0.

All we have to do is run the binary and make it do something that will turn us into root.

Python example

/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Other useful tools are tar (read files) and perl (reverse shell).

Tar example

cap_dac_read_search allows the binary to "Bypass file read permission checks and directory read and execute permission checks" (the description from capabilities(7)), so a tar with this capability can archive files its caller could not normally read.
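The hunting step above produces a list that still has to be read by hand. The following audit helper, added here as an example and not part of the original notes, parses getcap output (both the older "path = cap+ep" and the newer "path cap=ep" styles) and prints only the binaries carrying capabilities that can lead to root or arbitrary file reads; the RISKY_CAPS list is my selection and the sample lines are constructed.

```shell
# Constructed sample of `getcap -r /` output, mixing both libcap output styles.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.6 = cap_setuid+ep
/usr/bin/tar cap_dac_read_search=ep
/usr/sbin/arping cap_net_raw=p
/usr/local/bin/tool = cap_sys_admin+p'

# Capabilities worth a finding: each one lets a process become root, bypass
# DAC checks, or load kernel code (selection based on capabilities(7)).
RISKY_CAPS='cap_setuid cap_setgid cap_dac_read_search cap_dac_override cap_sys_admin cap_sys_ptrace cap_sys_module cap_setfcap'

# flag_risky_caps: read getcap lines on stdin, print "path capability flags"
# for every risky capability present in the effective or permitted set.
flag_risky_caps() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    path=${line%% *}                  # first field is the path (paths containing spaces are not handled)
    rest=${line#"$path"}
    rest=${rest# }
    rest=${rest#= }                   # strip the " = " separator printed by older libcap
    for clause in $rest; do           # a line may carry several clauses, e.g. "cap_a+ep cap_b+p"
      case "$clause" in *[+=]*) ;; *) continue ;; esac   # every real clause has flags
      flags=${clause##*[+=]}          # letters after the last + or =: e, p and/or i
      caps=${clause%[+=]*}            # comma-separated capability names before the flags
      case "$flags" in *[ep]*) ;; *) continue ;; esac    # inheritable-only grants nothing by itself
      printf '%s\n' "$caps" | tr ',' '\n' | while IFS= read -r cap; do
        case " $RISKY_CAPS " in
          *" $cap "*) printf '%s %s %s\n' "$path" "$cap" "$flags" ;;
        esac
      done
    done
  done
}

# count_risky_caps: number of findings for the getcap output on stdin.
count_risky_caps() {
  flag_risky_caps | grep -c .
}

# Run against the constructed sample; on a live host use:
#   getcap -r / 2>/dev/null | flag_risky_caps
printf '%s\n' "$SAMPLE_GETCAP" | flag_risky_caps
```

On the sample this reports python2.6 (cap_setuid), tar (cap_dac_read_search) and tool (cap_sys_admin, permitted only) and stays silent about the two cap_net_raw binaries, which is the normal setup-time grant for ping.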
