Capabilities - Linux Privilege Escalation

What are Capabilities?

Capabilities let you grant a binary (command) a specialized, narrowly scoped permission without giving it full root (administrator) privilege. You can think of a capability like going to a specialist doctor for one specific kind of care, for example a dermatologist for a skin issue.

Similarly, capabilities can be thought of as specialized features or permissions assigned to a process for a particular task.

Exploiting Capabilities

To exploit capabilities, we need to find binaries that have capabilities set, more specifically cap_setuid+ep.

What is cap_setuid+ep? The program can change its identity to become someone else, just like putting on a different mask. It can take on the identity of another user, even a powerful one like the administrator (root).

The command we are going to use to find capabilities is: getcap -r / 2>/dev/null.

After that we are going to reference GTFOBins and focus on the "Capabilities" section. Then we find a binary that is present on the system and has the capability (cap_setuid+ep) we can use to escalate our privilege. One easy way to narrow the search is this command: getcap -r / 2>/dev/null | grep "cap_setuid+ep"

Once we have found the binary we are going to use, we can look at the POC (Proof of Concept), which is the last line of the GTFOBins entry, and paste that line into the command prompt. But make sure to understand what it needs in order to work.
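From the defender's side, the same getcap enumeration is an audit step. Below is an added example script (not from the original post, GTFOBins or the TryHackMe room) that parses getcap output in both the older "/path = cap_x+ep" and newer "/path cap_x=ep" formats and reports binaries carrying identity- or DAC-related capabilities; the sample getcap lines and paths are constructed.

```shell
#!/bin/sh
# Added example: audit getcap output for capabilities worth reviewing.
# On a real host run:  getcap -r / 2>/dev/null | audit_caps

# Capabilities that let a process change identity or bypass DAC checks.
RISKY_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_chown"

# Constructed sample output (older and newer libcap line formats mixed);
# the paths are placeholders, not from the room.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/home/example-user/vim = cap_setuid+ep
/home/other-user/view = cap_setuid+ep
/usr/bin/tar cap_dac_read_search=ep'

# audit_caps: read getcap lines on stdin, print "path capability" for
# every risky capability found on a binary.
audit_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}            # first field is the binary path
        caps=${line#"$path"}        # remainder holds the capability set
        caps=${caps#*"= "}          # older format: strip " = "
        caps=${caps# }              # newer format: strip the separator space
        for cap in $RISKY_CAPS; do
            # match cap at start/middle/end of a comma-separated set,
            # followed by "+" (older) or "=" (newer) or another cap
            case ",$caps" in
                *,"$cap"+*|*,"$cap"=*|*,"$cap",*) printf '%s %s\n' "$path" "$cap" ;;
            esac
        done
    done
}

# count_risky: number of flagged (path, capability) pairs on stdin.
count_risky() {
    audit_caps | grep -c .
}

# Demonstrate on the constructed sample.
printf '%s\n' "$SAMPLE_GETCAP" | audit_caps
```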

Demonstration:

I will be using the TryHackMe Linux Privilege Escalation room to show how exploiting Capabilities work. Here is the link to the room: https://tryhackme.com/room/linprivesc

Let's begin. Background information: we are logged in as karen. Our goal is to go from user permissions to root privilege. First, I will check whether any binary has the cap_setuid capability. To make my search easier, this is the command I run: getcap -r / 2>/dev/null | grep "cap_setuid+ep". This is the result:


It seems that view and vim have capabilities enabled. However, the user I am logged in as is karen, so vim is the only choice for me. The next step is going to [GTFOBins](https://gtfobins.github.io/) and filtering on "Capabilities". It seems there is a way to escalate your privilege using vim.
Reference: https://gtfobins.github.io/gtfobins/vim/#capabilities

To exploit this, we paste the GTFOBins command into the command line. Additionally, since this machine runs python3, we have to change ":py" to ":py3".

This is the command:
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
As you can see from the picture below, root privilege was obtained and I was able to read the shadow file.


That is all, thanks for reading :)