یه note خلاصه و کوتاه روی تاپیک Linux Privilege Escalation
به مرور کامل تر میشه
صرفا جهت رفرنس و هینت برای مطالعه فراتر
# os version
# kernel version
# running services
#installed packages and versions
#logged in users
#user home directories
#check .bash_history
#sudo privileges
#configuration files
#readable shadow file
#password hashes in /etc/passwd
#cron jobs
#unmounted file systems and additional drives
#SETUID and SETGID permissions
#writable directories
#writable files
#LinuxPrivilegeEscalation
به مرور کامل تر میشه
صرفا جهت رفرنس و هینت برای مطالعه فراتر
# os version
# kernel version
# running services
ps aux | grep root
#installed packages and versions
#logged in users
ps au
#user home directories
ls /home
#check .bash_history
#sudo privileges
#configuration files
#readable shadow file
#password hashes in /etc/passwd
#cron jobs
ls -la /etc/cron.daily/
#unmounted file systems and additional drives
lsblk
#SETUID and SETGID permissions
#writable directories
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null
#writable files
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
#LinuxPrivilegeEscalation
0xCyberDev
یه note خلاصه و کوتاه روی تاپیک Linux Privilege Escalation به مرور کامل تر میشه صرفا جهت رفرنس و هینت برای مطالعه فراتر # os version # kernel version # running services ps aux | grep root #installed packages and versions #logged in users ps au #user…
- helper noscripts : LinPEAS, LinEnum
- depending on the system and environment the commands could be slightly different, but as long as you get a solid understanding on what info you want and how you could obtain it you should be OK, in other words the principles are the same.
- basic commands :
- check current user’s PATH : if the PATH variable for a target user is misconfigured we may be able to leverage it to escalate privileges.
- We can also check out all environment variables that are set for our current user, we may get lucky and find something sensitive in there such as a password
-checking kernel version and looking for a kernel exploit that matches that version
-additional info about the cpu
-What login shells exist on the server?
-check for defenses
• Exec Shield
• iptables
• AppArmor
• SELinux
• Fail2ban
• Snort
• Uncomplicated Firewall (ufw)
-look for drives
-find information about printers attached to the system
-Can we find any types of credentials in fstab for mounted drives by grepping for common words such as password, username, credential, etc in /etc/fstab?
-check routing table
-in a domain environment check /etc/resolv.conf
-check arp table
-existing users
-it’s rare but we could find password hashes in the cat /etc/passwd more possible on on embedded devices and routers.
-first hash blocks of the password hash can help us to identify the used hashing algorithm: Salted MD5, SHA-256, SHA-512, BCrypt, Scryp, Argon2
-check all available shells for known vulnerabilities, for example the bash version 4.1 is vulnerable to shellshock exploit
-check for temporary files located in /tmp and /var/tmp
* all files and data stored in /var/tmp are deleted after 30 days and all data stored in /tmp is deleted after 10 days
#LinuxPrivilegeEscalation
- depending on the system and environment the commands could be slightly different, but as long as you get a solid understanding on what info you want and how you could obtain it you should be OK, in other words the principles are the same.
- basic commands :
whoami
id
ifconfig
ip a
sudo -l
cat /etc/os-release
- check current user’s PATH : if the PATH variable for a target user is misconfigured we may be able to leverage it to escalate privileges.
echo $PATH
- We can also check out all environment variables that are set for our current user, we may get lucky and find something sensitive in there such as a password
env
-checking kernel version and looking for a kernel exploit that matches that version
cat /proc/version
uname -a
-additional info about the cpu
lscpu
-What login shells exist on the server?
cat /etc/shells
-check for defenses
• Exec Shield
• iptables
• AppArmor
• SELinux
• Fail2ban
• Snort
• Uncomplicated Firewall (ufw)
-look for drives
lsblk
-find information about printers attached to the system
lpstat
-Can we find any types of credentials in fstab for mounted drives by grepping for common words such as password, username, credential, etc in /etc/fstab?
cat /etc/fstab
-check routing table
route
netstat -rn
-in a domain environment check /etc/resolv.conf
-check arp table
arp -a
-existing users
cat /etc/passwd
-it’s rare but we could find password hashes in the cat /etc/passwd more possible on on embedded devices and routers.
-first hash blocks of the password hash can help us to identify the used hashing algorithm: Salted MD5, SHA-256, SHA-512, BCrypt, Scryp, Argon2
-check all available shells for known vulnerabilities, for example the bash version 4.1 is vulnerable to shellshock exploit
-check for temporary files located in /tmp and /var/tmp
* all files and data stored in /var/tmp are deleted after 30 days and all data stored in /tmp is deleted after 10 days
ls -l /tmp /var/tmp /dev/shm
#LinuxPrivilegeEscalation
linux.die.net
iptables(8) - Linux man page
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each ...
Forwarded from SleepyWhale
اگه از n8n استفاده میکنید مراقب باشید و آپدیت کنید
یه cve جدیدا دراپ شده واسش
https://orca.security/resources/blog/cve-2025-68613-n8n-rce-vulnerability/
https://nvd.nist.gov/vuln/detail/CVE-2025-68613
یه cve جدیدا دراپ شده واسش
https://orca.security/resources/blog/cve-2025-68613-n8n-rce-vulnerability/
https://nvd.nist.gov/vuln/detail/CVE-2025-68613
Orca Security
Critical n8n RCE vulnerability enables full server compromise
A critical RCE in n8n (CVE-2025-68613) allows full server compromise via workflow expression injection. Affects versions 0.211.0+. Patch immediately.
0xCyberDev
- helper noscripts : LinPEAS, LinEnum - depending on the system and environment the commands could be slightly different, but as long as you get a solid understanding on what info you want and how you could obtain it you should be OK, in other words the principles…
-services and internals
-check for anything interesting in /etc/hosts
-check the last log ins
-are any other users on the system with us?
-check /proc/procfs for system information such as the state of running processes, kernel parameters, system memory, and devices
-check installed packages
-also check the sudo version
- it can also happen that no direct packages are installed on the system but compiled programs in the form of binaries
-check GTFObins for potential binaries that can be exploited to escalate our privileges
-use strace to track and analyze system calls and signal processing
-check the noscripts
-check running services by specific users
#LinuxPrivilegeEscalation
-check for anything interesting in /etc/hosts
cat /etc/hosts
-check the last log ins
lastlog
-are any other users on the system with us?
who
finger
-check /proc/procfs for system information such as the state of running processes, kernel parameters, system memory, and devices
find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"-check installed packages
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list
-also check the sudo version
sudo -V
- it can also happen that no direct packages are installed on the system but compiled programs in the form of binaries
ls -l /bin /usr/bin/ /usr/sbin/
-check GTFObins for potential binaries that can be exploited to escalate our privileges
for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done
-use strace to track and analyze system calls and signal processing
strace ping -c1 <IP>
-check the noscripts
find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
-check running services by specific users
ps aux | grep root
#LinuxPrivilegeEscalation
Path Abuse:
-PATH is an environment variable that specifies the set of directories where an
executable can be located. An account's PATH variable is a set of
absolute paths, allowing a user to type a command without specifying the
absolute path to the binary. For example, a user can type cat /tmp/test.txt instead of specifying the absolute path /bin/cat /tmp/test.txt. We can check the contents of the PATH variable by typing env | grep PATH or echo $PATH.
* Creating a noscript or program in a directory specified in the PATH will make it executable from any directory on the system.
-Adding '.' to a user's PATH adds their current working
directory to the list. For example, if we can modify a user's path, we
could replace a common binary such as ls with a malicious noscript such as a reverse shell. If we add . to the path by issuing the command PATH=.:$PATH and then export PATH,
we will be able to run binaries located in our current working
directory by just typing the name of the file (i.e. just typing ls will call the malicious noscript named ls in the current working directory instead of the binary located at /bin/ls).
-In this example, we modify the path to run a simple echo command when the command ls is typed.
#LinuxPrivilegeEscalation
-PATH is an environment variable that specifies the set of directories where an
executable can be located. An account's PATH variable is a set of
absolute paths, allowing a user to type a command without specifying the
absolute path to the binary. For example, a user can type cat /tmp/test.txt instead of specifying the absolute path /bin/cat /tmp/test.txt. We can check the contents of the PATH variable by typing env | grep PATH or echo $PATH.
* Creating a noscript or program in a directory specified in the PATH will make it executable from any directory on the system.
-Adding '.' to a user's PATH adds their current working
directory to the list. For example, if we can modify a user's path, we
could replace a common binary such as ls with a malicious noscript such as a reverse shell. If we add . to the path by issuing the command PATH=.:$PATH and then export PATH,
we will be able to run binaries located in our current working
directory by just typing the name of the file (i.e. just typing ls will call the malicious noscript named ls in the current working directory instead of the binary located at /bin/ls).
PATH=.:${PATH}
export PATH
echo $PATH-In this example, we modify the path to run a simple echo command when the command ls is typed.
touch ls
echo 'echo "PATH ABUSE!!"' > ls
chmod +x ls
#LinuxPrivilegeEscalation
Wildcard Abuse:
-A wildcard character can be used as a replacement for other characters and are interpreted by the shell before other actions. Examples of wild cards include:
* ⇒ An asterisk that can match any number of characters in a file name.
? ⇒ Matches a single character.
[ ] ⇒ Brackets enclose characters and can match any single one at the defined position.
~ ⇒ A tilde at the beginning expands to the name of the user home
directory or can have another username appended to refer to that user's
home directory.
- ⇒ A hyphen within brackets will denote a range of characters.
-An example of how wildcards can be abused for privilege escalation is the tar command, a common program for creating/extracting archives.
* check the man page for tar and read about: ( --checkpoint[=N] , --checkpoint-action=ACTION )
-The --checkpoint-action option permits an EXEC
action to be executed when a checkpoint is reached (i.e., run an
arbitrary operating system command once the tar command executes.) By creating files with these names, when the wildcard is specified, --checkpoint=1 and --checkpoint-action=exec=sh root.sh is passed to tar as command-line options.
#LinuxPrivilegeEscalation
-A wildcard character can be used as a replacement for other characters and are interpreted by the shell before other actions. Examples of wild cards include:
* ⇒ An asterisk that can match any number of characters in a file name.
? ⇒ Matches a single character.
[ ] ⇒ Brackets enclose characters and can match any single one at the defined position.
~ ⇒ A tilde at the beginning expands to the name of the user home
directory or can have another username appended to refer to that user's
home directory.
- ⇒ A hyphen within brackets will denote a range of characters.
-An example of how wildcards can be abused for privilege escalation is the tar command, a common program for creating/extracting archives.
* check the man page for tar and read about: ( --checkpoint[=N] , --checkpoint-action=ACTION )
-The --checkpoint-action option permits an EXEC
action to be executed when a checkpoint is reached (i.e., run an
arbitrary operating system command once the tar command executes.) By creating files with these names, when the wildcard is specified, --checkpoint=1 and --checkpoint-action=exec=sh root.sh is passed to tar as command-line options.
#LinuxPrivilegeEscalation
0xCyberDev
Wildcard Abuse: -A wildcard character can be used as a replacement for other characters and are interpreted by the shell before other actions. Examples of wild cards include: * ⇒ An asterisk that can match any number of characters in a file name. ? ⇒ Matches…
Escaping Restricted Shells:
-A restricted shell is a type of shell that limits the user's ability to
execute commands. In a restricted shell, the user is only allowed to
execute a specific set of commands or only allowed to execute commands in specific directories. Restricted shells are often used to provide a safe environment for users who may accidentally or intentionally damage the system or provide a way for users to access only certain system features. Some common examples of restricted shells include the rbash shell in Linux and the "Restricted-access Shell" in Windows.
* examples of restricted shells: rbash, rksh, rzsh
-In some cases, it may be possible to escape from a restricted shell by injecting commands into the command line or other inputs the shell accepts. For example, suppose the shell allows users to execute commands by passing them as arguments to a built-in command. In that case, it may be possible to escape from the shell by injecting additional commands into the argument.
-Command injection :
Imagine that we are in a restricted shell that allows us to execute commands by passing them as arguments to the ls command. Unfortunately, the shell only allows us to execute the ls command with a specific set of arguments, such as ls -l or ls -a,
but it does not allow us to execute any other commands. In this situation, we can use command injection to escape from the shell by injecting additional commands into the argument of the ls command.
-For example, we could use the following command to inject a pwd command into the argument of the ls command:
* This command would cause the ls command to be executed with the argument -l, followed by the output of the pwd command. Since the pwd command is not restricted by the shell, this would allow us to execute the pwd command and see the current working directory, even though the shell does not allow us to execute the pwd command directly.
-Command Substitution :
Another method for escaping from a restricted shell is to use command substitution. This involves using the shell's command substitution syntax to execute a command. For example, imagine the shell allows users to execute commands by enclosing them in backticks (`). In that case, it may be possible to escape from the shell by executing a command in a backtick substitution that is not restricted by the shell.
-Command Chaining :
In some cases, it may be possible to escape from a restricted shell by
using command chaining. We would need to use multiple commands in a
single command line, separated by a shell metacharacter, such as a
semicolon (;) or a vertical bar (|), to execute a command. For example, if the shell allows users to execute commands separated by semicolons, it may be possible to escape from the shell by using a semicolon to separate two commands, one of which is not restricted by the shell.
-Environment Variables :
For escaping from a restricted shell to use environment variables involves modifying or creating environment variables that the shell uses to execute commands that are not restricted by the shell. For example, if the shell uses an environment variable to specify the directory in which commands are executed, it may be possible to escape from the shell by modifying the value of the environment variable to specify a different directory.
-Shell Functions :
In some cases, it may be possible to escape from a restricted shell by using shell functions. For this we can define and call shell functions that execute commands not restricted by the shell. Let us say, the shell allows users to define and call shell functions, it may be possible to escape from the shell by defining a shell function that executes a command.
#LinuxPrivilegeEscalation
-A restricted shell is a type of shell that limits the user's ability to
execute commands. In a restricted shell, the user is only allowed to
execute a specific set of commands or only allowed to execute commands in specific directories. Restricted shells are often used to provide a safe environment for users who may accidentally or intentionally damage the system or provide a way for users to access only certain system features. Some common examples of restricted shells include the rbash shell in Linux and the "Restricted-access Shell" in Windows.
* examples of restricted shells: rbash, rksh, rzsh
-In some cases, it may be possible to escape from a restricted shell by injecting commands into the command line or other inputs the shell accepts. For example, suppose the shell allows users to execute commands by passing them as arguments to a built-in command. In that case, it may be possible to escape from the shell by injecting additional commands into the argument.
-Command injection :
Imagine that we are in a restricted shell that allows us to execute commands by passing them as arguments to the ls command. Unfortunately, the shell only allows us to execute the ls command with a specific set of arguments, such as ls -l or ls -a,
but it does not allow us to execute any other commands. In this situation, we can use command injection to escape from the shell by injecting additional commands into the argument of the ls command.
-For example, we could use the following command to inject a pwd command into the argument of the ls command:
ls -l `pwd`
* This command would cause the ls command to be executed with the argument -l, followed by the output of the pwd command. Since the pwd command is not restricted by the shell, this would allow us to execute the pwd command and see the current working directory, even though the shell does not allow us to execute the pwd command directly.
-Command Substitution :
Another method for escaping from a restricted shell is to use command substitution. This involves using the shell's command substitution syntax to execute a command. For example, imagine the shell allows users to execute commands by enclosing them in backticks (`). In that case, it may be possible to escape from the shell by executing a command in a backtick substitution that is not restricted by the shell.
-Command Chaining :
In some cases, it may be possible to escape from a restricted shell by
using command chaining. We would need to use multiple commands in a
single command line, separated by a shell metacharacter, such as a
semicolon (;) or a vertical bar (|), to execute a command. For example, if the shell allows users to execute commands separated by semicolons, it may be possible to escape from the shell by using a semicolon to separate two commands, one of which is not restricted by the shell.
-Environment Variables :
For escaping from a restricted shell to use environment variables involves modifying or creating environment variables that the shell uses to execute commands that are not restricted by the shell. For example, if the shell uses an environment variable to specify the directory in which commands are executed, it may be possible to escape from the shell by modifying the value of the environment variable to specify a different directory.
-Shell Functions :
In some cases, it may be possible to escape from a restricted shell by using shell functions. For this we can define and call shell functions that execute commands not restricted by the shell. Let us say, the shell allows users to define and call shell functions, it may be possible to escape from the shell by defining a shell function that executes a command.
#LinuxPrivilegeEscalation
0xCyberDev
ses, it may be possible to escape from a restricted shell by using shell functions. For this we can d
Special Permissions :
-SUID : The Set User ID upon Execution (setuid) permission can allow a user to execute a program or noscript with the permissions of another user, typically with elevated privileges. The setuid bit appears as an s.
-It may be possible to reverse engineer the program with the SETUID bit set, identify a vulnerability, and exploit this to escalate our privileges. Many programs have additional features that can be leveraged to execute commands and, if the setuid bit is set on them, these can be used for our purpose.
-SGID : The Set-Group-ID (setgid) permission is another special permission that allows us to run binaries as if we were part of the group that created them. These files can be enumerated using the following command:
These files can be leveraged in the same manner as setuid binaries to escalate privileges.
* https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits
#LinuxPrivilegeEscalation
-SUID : The Set User ID upon Execution (setuid) permission can allow a user to execute a program or noscript with the permissions of another user, typically with elevated privileges. The setuid bit appears as an s.
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null-It may be possible to reverse engineer the program with the SETUID bit set, identify a vulnerability, and exploit this to escalate our privileges. Many programs have additional features that can be leveraged to execute commands and, if the setuid bit is set on them, these can be used for our purpose.
-SGID : The Set-Group-ID (setgid) permission is another special permission that allows us to run binaries as if we were part of the group that created them. These files can be enumerated using the following command:
find / -uid 0 -perm -6000 -type f 2>/dev/null
These files can be leveraged in the same manner as setuid binaries to escalate privileges.
* https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits
#LinuxPrivilegeEscalation
0xCyberDev
Escaping Restricted Shells: -A restricted shell is a type of shell that limits the user's ability to execute commands. In a restricted shell, the user is only allowed to execute a specific set of commands or only allowed to execute commands in specific…
Sudo Rights Abuse :
-Sudo privileges can be granted to an account, permitting the account to run certain commands in the context of the root (or another account) without having to change users or grant excessive privileges. When the sudo command is issued, the system will check if the user issuing the command has the appropriate rights, as configured in /etc/sudoers. When landing on a system, we should always check to see if the current user has any sudo privileges by typing sudo -l. Sometimes we will need to know the user's password to list their sudo rights, but any rights entries with the NOPASSWD option can be seen without entering a password.
1. Always specify the absolute path to any binaries listed in the sudoersfile entry. Otherwise, an attacker may be able to leverage PATH abuse to create a malicious binary that will be executed when the command runs (i.e., if the sudoers entry specifies cat instead of /bin/cat this could likely be abused).
2. Grant sudo rights sparingly and based on the principle of least privilege. Does the user need full sudo rights? Can they still perform their job with one or two entries in the sudoersfile? Limiting the privileged command that a user can run will greatly reduce the likelihood of successful privilege escalation.
#LinuxPrivilegeEscalation
-Sudo privileges can be granted to an account, permitting the account to run certain commands in the context of the root (or another account) without having to change users or grant excessive privileges. When the sudo command is issued, the system will check if the user issuing the command has the appropriate rights, as configured in /etc/sudoers. When landing on a system, we should always check to see if the current user has any sudo privileges by typing sudo -l. Sometimes we will need to know the user's password to list their sudo rights, but any rights entries with the NOPASSWD option can be seen without entering a password.
1. Always specify the absolute path to any binaries listed in the sudoersfile entry. Otherwise, an attacker may be able to leverage PATH abuse to create a malicious binary that will be executed when the command runs (i.e., if the sudoers entry specifies cat instead of /bin/cat this could likely be abused).
2. Grant sudo rights sparingly and based on the principle of least privilege. Does the user need full sudo rights? Can they still perform their job with one or two entries in the sudoersfile? Limiting the privileged command that a user can run will greatly reduce the likelihood of successful privilege escalation.
#LinuxPrivilegeEscalation
Forwarded from ⚔️ Ethical Hacking ⚔️ (Sajjad Teymouri)
Bug B.pdf
1.1 MB
✅ دانلود کتاب بسیار قدرتمند Bug Bounty Automation With Python The s*ecrets of bug hun*ting
❗️ زبان : انگلیسی
❗️ تعداد صفحات : 97
مارو به دوستاتون معرفی کنین
❇️ @Sajjad_Teymouri
❗️ زبان : انگلیسی
❗️ تعداد صفحات : 97
مارو به دوستاتون معرفی کنین
❇️ @Sajjad_Teymouri
0xCyberDev
Sudo Rights Abuse : -Sudo privileges can be granted to an account, permitting the account to run certain commands in the context of the root (or another account) without having to change users or grant excessive privileges. When the sudo command is issued…
Privileged Groups :
LXC / LXD : LXD is similar to Docker and is Ubuntu's container manager. Upon
installation, all users are added to the LXD group. Membership of this
group can be used to escalate privileges by creating an LXD container,
making it privileged, and then accessing the host file system at /mnt/root.
https://www.digitalocean.com/community/tutorials/how-to-set-up-and-use-lxd-on-ubuntu-16-04
Docker : Placing a user in the docker group is essentially equivalent to root
level access to the file system without requiring a password. Members of the docker group can spawn new docker containers. One example would be running the command docker run -v /root:/mnt -it ubuntu. This command creates a new Docker instance with the /root directory on the host file system mounted as a volume. Once the container is started
we are able to browse the mounted directory and retrieve or add SSH keys for the root user. This could be done for other directories such as /etc which could be used to retrieve the contents of the /etc/shadow file for offline password cracking or adding a privileged user.
ADM : Members of the adm group are able to read all logs stored in /var/log. This does not directly grant root access, but could be leveraged to gather sensitive data stored in log files or enumerate user actions and running cron jobs.
#LinuxPrivilegeEscalation
LXC / LXD : LXD is similar to Docker and is Ubuntu's container manager. Upon
installation, all users are added to the LXD group. Membership of this
group can be used to escalate privileges by creating an LXD container,
making it privileged, and then accessing the host file system at /mnt/root.
https://www.digitalocean.com/community/tutorials/how-to-set-up-and-use-lxd-on-ubuntu-16-04
Docker : Placing a user in the docker group is essentially equivalent to root
level access to the file system without requiring a password. Members of the docker group can spawn new docker containers. One example would be running the command docker run -v /root:/mnt -it ubuntu. This command creates a new Docker instance with the /root directory on the host file system mounted as a volume. Once the container is started
we are able to browse the mounted directory and retrieve or add SSH keys for the root user. This could be done for other directories such as /etc which could be used to retrieve the contents of the /etc/shadow file for offline password cracking or adding a privileged user.
ADM : Members of the adm group are able to read all logs stored in /var/log. This does not directly grant root access, but could be leveraged to gather sensitive data stored in log files or enumerate user actions and running cron jobs.
#LinuxPrivilegeEscalation
Digitalocean
How to Set Up and Use LXD on Ubuntu 16.04 | DigitalOcean
A Linux container is a grouping of processes that is isolated from the rest of the system through the use of Linux kernel security features, such as namespac…
Capabilities:
-Linux capabilities are a security feature in the Linux operating system that allows specific privileges to be granted to processes, allowing them to perform specific actions that would otherwise be restricted. This allows for more fine-grained control over which processes have access to certain privileges, making it more secure than the traditional Unix model of granting privileges to users and groups.
-Linux capabilities are not invulnerable and can be exploited by attackers. One common vulnerability is using capabilities to grant privileges to processes that are not adequately sandboxed or isolated from other processes, allowing us to escalate their privileges and gain access to sensitive information or perform unauthorized actions.
-Another potential vulnerability is the misuse or overuse of capabilities, which can result in processes having more privileges than they need. This can create unnecessary security risks, as we could exploit these privileges to gain access to sensitive information or perform unauthorized actions.
-Setting capabilities involves using the appropriate tools and commands to assign specific capabilities to executables or programs. In Ubuntu, for example, we can use the setcap command to set capabilities for specific executables. This command allows us to specify the capability we want to set and the value we want to assign.
example: sudo setcap cap_net_bind_service=+ep /usr/bin/vim.basic
-When capabilities are set for a binary, it means that the binary will be able to perform specific actions that it would not be able to perform without the capabilities. For example, if thecap_net_bind_service capability is set for a binary, the binary will be able to bind to network ports, which is a privilege usually restricted.
*Some capabilities, such as cap_sys_admin, which allows an executable to perform actions with administrative privileges, can be dangerous if they are not used properly.
capabilities:
cap_sys_admin ⇒ Allows to perform actions with administrative privileges, such as modifying system files or changing system settings.
cap_sys_chroot ⇒ Allows to change the root directory for the current process, allowing it to access files and directories that would otherwise be
inaccessible.
cap_sys_ptrace ⇒ Allows to attach to and debug other processes, potentially allowing
it to gain access to sensitive information or modify the behavior of other processes.
cap_sys_nice ⇒ Allows to raise or lower the priority of processes, potentially allowing it to gain access to resources that would otherwise be restricted.
cap_sys_time ⇒ Allows to modify the system clock, potentially allowing it to manipulate timestamps or cause other processes to behave in unexpected
ways.
cap_sys_resource ⇒ Allows to modify system resource limits, such as the maximum number
of open file denoscriptors or the maximum amount of memory that can be allocated.
cap_sys_module ⇒ Allows to load and unload kernel modules, potentially allowing it to
modify the operating system's behavior or gain access to sensitive
information.
cap_net_bind_service ⇒ Allows to bind to network ports, potentially allowing it to gain access to sensitive information or perform unauthorized actions.
-When using the setcap command to set capabilities for an
executable in Linux, we need to specify the capability we want to set and the value we want to assign. The values we use will depend on the specific capability we are setting and the privileges we want to grant to the executable.
Capability Values:
= ⇒ This value sets the specified capability for the executable, but
does not grant any privileges. This can be useful if we want to clear a
previously set capability for the executable.
+ep ⇒ This value grants the effective and permitted privileges for the specified capability to the executable. This allows the executable to perform the actions that the capability allows but does not allow it to perform any actions that are not allowed by the capability.
#LinuxPrivilegeEscalation
-Linux capabilities are a security feature in the Linux operating system that allows specific privileges to be granted to processes, allowing them to perform specific actions that would otherwise be restricted. This allows for more fine-grained control over which processes have access to certain privileges, making it more secure than the traditional Unix model of granting privileges to users and groups.
-Linux capabilities are not invulnerable and can be exploited by attackers. One common vulnerability is using capabilities to grant privileges to processes that are not adequately sandboxed or isolated from other processes, allowing us to escalate their privileges and gain access to sensitive information or perform unauthorized actions.
-Another potential vulnerability is the misuse or overuse of capabilities, which can result in processes having more privileges than they need. This can create unnecessary security risks, as we could exploit these privileges to gain access to sensitive information or perform unauthorized actions.
-Setting capabilities involves using the appropriate tools and commands to assign specific capabilities to executables or programs. In Ubuntu, for example, we can use the setcap command to set capabilities for specific executables. This command allows us to specify the capability we want to set and the value we want to assign.
example: sudo setcap cap_net_bind_service=+ep /usr/bin/vim.basic
-When capabilities are set for a binary, it means that the binary will be able to perform specific actions that it would not be able to perform without the capabilities. For example, if thecap_net_bind_service capability is set for a binary, the binary will be able to bind to network ports, which is a privilege usually restricted.
*Some capabilities, such as cap_sys_admin, which allows an executable to perform actions with administrative privileges, can be dangerous if they are not used properly.
capabilities:
cap_sys_admin ⇒ Allows to perform actions with administrative privileges, such as modifying system files or changing system settings.
cap_sys_chroot ⇒ Allows to change the root directory for the current process, allowing it to access files and directories that would otherwise be
inaccessible.
cap_sys_ptrace ⇒ Allows to attach to and debug other processes, potentially allowing
it to gain access to sensitive information or modify the behavior of other processes.
cap_sys_nice ⇒ Allows to raise or lower the priority of processes, potentially allowing it to gain access to resources that would otherwise be restricted.
cap_sys_time ⇒ Allows to modify the system clock, potentially allowing it to manipulate timestamps or cause other processes to behave in unexpected
ways.
cap_sys_resource ⇒ Allows to modify system resource limits, such as the maximum number
of open file denoscriptors or the maximum amount of memory that can be allocated.
cap_sys_module ⇒ Allows to load and unload kernel modules, potentially allowing it to
modify the operating system's behavior or gain access to sensitive
information.
cap_net_bind_service ⇒ Allows to bind to network ports, potentially allowing it to gain access to sensitive information or perform unauthorized actions.
-When using the setcap command to set capabilities for an
executable in Linux, we need to specify the capability we want to set and the value we want to assign. The values we use will depend on the specific capability we are setting and the privileges we want to grant to the executable.
Capability Values:
= ⇒ This value sets the specified capability for the executable, but
does not grant any privileges. This can be useful if we want to clear a
previously set capability for the executable.
+ep ⇒ This value grants the effective and permitted privileges for the specified capability to the executable. This allows the executable to perform the actions that the capability allows but does not allow it to perform any actions that are not allowed by the capability.
#LinuxPrivilegeEscalation
+ei ⇒ This value grants sufficient and inheritable privileges for the
specified capability to the executable. This allows the executable to perform the actions that the capability allows and child processes spawned by the executable to inherit the capability and perform the same actions.
+p ⇒ This value grants the permitted privileges for the specified capability to the executable. This allows the executable to perform the
actions that the capability allows but does not allow it to perform any actions that are not allowed by the capability. This can be useful if we want to grant the capability to the executable but prevent it from
inheriting the capability or allowing child processes to inherit it.
-Several Linux capabilities can be used to escalate a user's privileges to root, including:
cap_setuid ⇒ Allows a process to set its effective user ID, which can be used to gain the privileges of another user, including the root user.
cap_setgid ⇒ Allows to set its effective group ID, which can be used to gain the privileges of another group, including the root group.
cap_sys_admin ⇒ This capability provides a broad range of administrative privileges,
including the ability to perform many actions reserved for the root user, such as modifying system settings and mounting and unmounting file systems.
cap_dac_override ⇒ Allows bypassing of file read, write, and execute permission checks.
Enumerating Capabilities:
#LinuxPrivilegeEscalation
specified capability to the executable. This allows the executable to perform the actions that the capability allows and child processes spawned by the executable to inherit the capability and perform the same actions.
+p ⇒ This value grants the permitted privileges for the specified capability to the executable. This allows the executable to perform the
actions that the capability allows but does not allow it to perform any actions that are not allowed by the capability. This can be useful if we want to grant the capability to the executable but prevent it from
inheriting the capability or allowing child processes to inherit it.
-Several Linux capabilities can be used to escalate a user's privileges to root, including:
cap_setuid ⇒ Allows a process to set its effective user ID, which can be used to gain the privileges of another user, including the root user.
cap_setgid ⇒ Allows to set its effective group ID, which can be used to gain the privileges of another group, including the root group.
cap_sys_admin ⇒ This capability provides a broad range of administrative privileges,
including the ability to perform many actions reserved for the root user, such as modifying system settings and mounting and unmounting file systems.
cap_dac_override ⇒ Allows bypassing of file read, write, and execute permission checks.
Enumerating Capabilities:
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;#LinuxPrivilegeEscalation