# Capabilities

Capabilities split the traditionally all-or-nothing root privileges into distinct units that can be independently enabled or disabled for processes.

**Common Capabilities**

Here are some common capabilities available in Linux:

| Capability             | Description                                                                    |
| ---------------------- | ------------------------------------------------------------------------------ |
| `CAP_CHOWN`            | Change file ownership.                                                         |
| `CAP_DAC_OVERRIDE`     | Bypass file read, write, and execute permission checks.                        |
| `CAP_DAC_READ_SEARCH`  | Bypass file read permission checks.                                            |
| `CAP_FOWNER`           | Bypass permission checks on operations that normally require the file's owner. |
| `CAP_NET_ADMIN`        | Perform various network-related operations, such as configuring interfaces.    |
| `CAP_NET_BIND_SERVICE` | Bind to network ports below 1024.                                              |
| `CAP_SYS_ADMIN`        | Perform a wide range of administrative tasks.                                  |
| `CAP_SYS_MODULE`       | Load and unload kernel modules.                                                |
| `CAP_SYS_RAWIO`        | Perform raw I/O operations.                                                    |
| `CAP_SYS_TIME`         | Modify the system clock.                                                       |

#### Linux Capabilities: Viewing and Checking

**Viewing Capabilities**

You can view the capabilities of a binary using the `getcap` command. For example:

```bash
getcap /path/to/binary
```

**Setting Capabilities**

To set capabilities on a binary, use the `setcap` command. For example, to give a binary the capability to bind to low-numbered ports:

```bash
sudo setcap 'cap_net_bind_service=+ep' /usr/bin/somebinary
```

**Removing Capabilities**

To remove capabilities, use the `setcap` command with a minus sign:

```bash
sudo setcap 'cap_net_bind_service=-ep' /usr/bin/somebinary
```

**Checking Effective Capabilities**

You can check the effective capabilities of a running process using the `capsh` command:

```bash
capsh --print
```

#### Linux Capabilities for Privilege Escalation

Here’s a list of Linux capabilities that can be leveraged for privilege escalation (priv esc) if not used correctly. Misconfigurations or overly permissive settings can lead to security vulnerabilities:

1. **CAP\_CHOWN**
   * Allows changing file ownership. If a binary with this capability is compromised, an attacker can take ownership of sensitive files.
2. **CAP\_DAC\_OVERRIDE**
   * Bypasses file read, write, and execute permission checks. This capability allows access to files that are normally restricted, potentially exposing sensitive data.
3. **CAP\_DAC\_READ\_SEARCH**
   * Bypasses file read permission checks. This can be exploited to read files that should otherwise be inaccessible.
4. **CAP\_FOWNER**
   * Bypasses permission checks on operations that normally require the file's owner. An attacker can manipulate files without being the owner, leading to unauthorized access.
5. **CAP\_NET\_ADMIN**
   * Grants the ability to perform network-related operations, such as modifying network interfaces and routing tables. Misuse can lead to network manipulation and privilege escalation.
6. **CAP\_NET\_BIND\_SERVICE**
   * Allows binding to network ports below 1024. If a service running with this capability is vulnerable, it can allow an attacker to hijack the service.
7. **CAP\_SYS\_ADMIN**
   * This broad capability allows performing a variety of administrative tasks. Improper use can lead to severe privilege escalation, as it provides control over many system functions.
8. **CAP\_SYS\_MODULE**
   * Permits loading and unloading kernel modules. Exploiting this capability can allow attackers to load malicious modules into the kernel.
9. **CAP\_SYS\_RAWIO**
   * Grants access to raw I/O operations, which can be abused to perform arbitrary read/write operations on devices.
10. **CAP\_SYS\_TIME**
    * Allows modification of the system clock. Changing the system time can be used to manipulate logs and other time-sensitive data, hiding malicious activities.

If there is harmful capabilities set on a binary, we can use this capability to escalate privilege\
For example, if `CAP_SETUID` capability is set then this can be used as a backdoor to maintain privileged accss by manipulating its own process UID

```
cp $(which python) .
sudo setcap cap_setuid+ep python

./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
```

&#x20;Refer the og site <https://gtfobins.github.io/#+capabilities> for more.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.dollarboysushil.com/linux-privilege-escalation/capabilities.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.