
Linux Privilege Escalation – Exploiting Capabilities

Submitted by
Style Pass
2021-06-14 22:00:08

Capabilities in Linux are special attributes that can be allocated to processes, binaries, services and users, granting them specific privileges that are normally reserved for root-level actions, such as intercepting network traffic or mounting and unmounting file systems. If misconfigured, they could allow an attacker to elevate their privileges to root.

Additionally, systemd offers directives for configuring capabilities on service units, through the “AmbientCapabilities” variable:

Once the capabilities have been assigned, a great resource for finding out whether they are exploitable (if assigned to binaries) is GTFOBins: for each applicable binary it has a handy “Capabilities” section showing how certain capabilities can be exploited to elevate privileges. This HackTricks page is also great. Alternatively, googling the capability together with the object it is assigned to normally does the trick.

Based on the output from the commands used above, the /usr/bin/python3.8 binary has the cap_setuid capability assigned, which allows a process running that binary to set its effective user ID, i.e. to execute binaries as root.
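For auditing a host for this misconfiguration, the following added example (not code from the original article) parses `getcap -r` output in both the older `path = caps+flags` and newer `path caps=flags` formats and flags binaries that hold high-risk capabilities in their permitted set. The `HIGH_RISK` and `SCRIPTABLE` lists and the sample lines are assumptions made for this example.

```python
import os
import re

# Capabilities that lead to root or arbitrary file access (this example's own selection).
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
             "cap_sys_module", "cap_dac_override", "cap_dac_read_search"}

# Binaries that run caller-supplied code, so any capability they hold is the caller's.
SCRIPTABLE = re.compile(r"^(python|perl|ruby|php|node|gdb|vim)[\d.]*$")

# Older libcap prints "/path = caps+flags"; newer releases print "/path caps=flags".
LINE = re.compile(r"^(?P<path>.+?)(?: =)? (?P<spec>cap_\S+(?: cap_\S+)*)$")
CLAUSE = re.compile(r"(cap_\w+(?:,cap_\w+)*)[+=](\w+)")

def parse_getcap_line(line):
    """Return (path, set of capabilities in the permitted set) or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    permitted = set()
    for names, flags in CLAUSE.findall(m.group("spec")):
        if "p" in flags:  # inheritable-only ("+i") grants nothing by itself
            permitted.update(names.split(","))
    return m.group("path"), permitted

def audit(getcap_output):
    """Return [(severity, path, [caps])] for binaries holding high-risk capabilities."""
    findings = []
    for line in getcap_output.splitlines():
        path, permitted = parse_getcap_line(line) or (None, set())
        risky = sorted(permitted & HIGH_RISK)
        if risky:
            scriptable = SCRIPTABLE.match(os.path.basename(path))
            findings.append(("critical" if scriptable else "review", path, risky))
    return findings

# Constructed sample of `getcap -r /` output; the first line is the case from the article.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
/opt/tools/backup cap_dac_read_search=ep
/usr/bin/perl = cap_setuid+i
"""

if __name__ == "__main__":
    for severity, path, caps in audit(SAMPLE):
        print(f"{severity:8} {path}  {','.join(caps)}")
```

Findings marked `critical` are the pattern described above; the usual fix is to drop the file capability with `setcap -r <path>` and grant the privilege to a dedicated, non-scriptable binary or service instead.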
