
feat(capabilities): add workaround for low-privileged users when tryi… #506


Status: Open. Wants to merge 1 commit into base: master.

Conversation

TKostrzewski
Commit: feat(capabilities): add workaround for low-privileged users when trying to set the CAP_SETUID capability on the copied binaries
@@ -58,7 +58,7 @@ sudo:

capabilities:
label: Capabilities
description: If the binary has the Linux `CAP_SETUID` capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.
description: If the binary has the Linux `CAP_SETUID` capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID. The `getcap -r / 2>/dev/null | grep cap_setuid` command will give the locations of the original binaries that have the `CAP_SETUID` capability set already, in case your user is too low-privileged to set the capability on the copied binary.
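Review bot: the sentence appended to `description:` presents the failing `sudo setcap` as a case that only affects some low-privileged users, but `setcap` always needs root (hence the `sudo`), so the copied-binary route is unavailable to any unprivileged user, and the opening clause "If the binary has the Linux `CAP_SETUID` capability set" already covers running an original binary that carries the capability. Suggest trimming the addition to the enumeration hint only, e.g. `Binaries that already carry the capability can be listed with getcap -r / 2>/dev/null | grep cap_setuid.`; the `grep cap_setuid` filter matches both getcap output styles (`cap_setuid=ep` and `= cap_setuid+ep`), so it can stay as written.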
TKostrzewski (author) commented:

Hi,

I was following the exploit given in https://gtfobins.github.io/gtfobins/view/#capabilities, and noticed that when trying to run `sudo setcap cap_setuid+ep view`, the command failed, as my user didn't have the necessary permissions.

I thought that this might be quite a common occurrence, especially for these privilege escalation vectors, so I thought it worth adding the extra bit of information here.

Essentially, if your user is too low-privileged to assign the copied binary the CAP_SETUID capability, then you can just navigate to the original binary that has the CAP_SETUID capability, and then run `./view -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'`, pointing to the original binary.

What do you think? I'm pretty new to this all, so happy to be wrong/happy for you to ignore and close the PR, if you don't think it's too useful.
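Added example, not part of this PR or of GTFOBins: a small audit helper for the `getcap -r /` enumeration the description now mentions. It parses both getcap output styles (`path cap=flags` from newer libcap and `path = cap+flags` from older releases) and lists files whose permitted set includes cap_setuid or a similarly sensitive capability, so a defender can review them; the sample output is constructed and paths are assumed to contain no spaces.

```python
import re
from typing import Dict, List, Tuple

# File capabilities worth a second look on any binary that carries them;
# cap_setuid is the one the GTFOBins entry describes.
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_sys_admin"}

# One clause: comma-separated names, '=' (newer getcap) or '+' (older), flags.
_CLAUSE = re.compile(r"^([a-z0-9_,]+)([=+])([eip]*)$")

def parse_getcap_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Parse one `getcap -r` line into (path, {capability: flag letters}).
    Newer libcap prints `/usr/bin/ping cap_net_raw=ep`; older releases print
    `/usr/bin/ping = cap_net_raw+ep`. Assumes the path contains no spaces."""
    tokens = line.strip().split()
    path, clauses = tokens[0], tokens[1:]
    if clauses and clauses[0] == "=":  # old-style separator token
        clauses = clauses[1:]
    caps: Dict[str, str] = {}
    for clause in clauses:
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unrecognised capability clause: {clause!r}")
        names, _, flags = m.groups()
        for name in names.split(","):
            caps[name] = flags
    return path, caps

def risky_files(getcap_output: str) -> List[str]:
    """Paths whose permitted set ('p') includes a capability in RISKY_CAPS."""
    hits: List[str] = []
    for line in getcap_output.splitlines():
        if line.strip():
            path, caps = parse_getcap_line(line)
            if any(c in RISKY_CAPS and "p" in f for c, f in caps.items()):
                hits.append(path)
    return hits

# Constructed sample output mixing both styles; not captured from a real host.
SAMPLE = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/view cap_setuid=ep
/usr/sbin/arping = cap_net_raw+ep
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
/opt/tool cap_setgid,cap_setuid=p
"""

if __name__ == "__main__":
    for path in risky_files(SAMPLE):
        print("review:", path)
```

On a live host, feed `risky_files` the output of `getcap -r / 2>/dev/null` instead of the constructed sample.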
