// notes/ PrivEsc — Linux
🐧

Capabilities

{% embed url="<https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/" %}

#linux privilege escalation#adot8
source · oscp.adot8.com · linux-privilege-escalation/capabilities

Capabilities

{% embed url="https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/" %}

{% embed url="https://mn3m.info/posts/suid-vs-capabilities/" %}

This is similar to SUID. Processes can be privileged running as 0 or non-privileged running as anything other than 0. Processes running as 0 can pass checks while others can't. Capabilities are more secure than SUID but can still be vulnerable

Hunting capabilities

code
01getcap -r / 2>/dev/null

{% hint style="info" %} cap_setuid+ep means capability, set to SUID to permissions everything {% endhint %}

All we have to do is run the binary and make it do something that will turn us into root

Python example

bash
$/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'

{% hint style="info" %} Other useful tools are tar (read files) perl (reverse shell) {% endhint %}

Tar example

{% hint style="info" %} cap_dac_read_search allows to to "Bypass file read permission checks and directory read and execute permission checks" {% endhint %}

{% embed url="https://app.gitbook.com/o/4cuxnrxcO9zV8MithZcs/s/SBzxWZ0EMDOdQIjKvSn2/warm-up/empire-breakout/priv-esc" %}

{% embed url="https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/?source=post_page-----0e678eb67276--------------------------------" %}