diff --git a/linux-unix/privilege-escalation/apparmor.md b/linux-unix/privilege-escalation/apparmor.md index 0a0b4cc21..68844c751 100644 --- a/linux-unix/privilege-escalation/apparmor.md +++ b/linux-unix/privilege-escalation/apparmor.md @@ -224,7 +224,7 @@ Note that you can **add/remove** **capabilities** to the docker container (this * `--cap-add=SYS_ADMIN`_ _give_ _`SYS_ADMIN` cap * `--cap-add=ALL`_ _give_ _all caps -* `--cap-drop=ALL --cap-add=SYS_PTRACE` drop all caps and only give +* `--cap-drop=ALL --cap-add=SYS_PTRACE` drop all caps and only give `SYS_PTRACE` {% hint style="info" %} Usually, when you **find** that you have a **privileged capability** available **inside** a **docker** container **but** some part of the **exploit isn't working**, this will be because docker **apparmor will be preventing it**. diff --git a/linux-unix/privilege-escalation/linux-capabilities.md b/linux-unix/privilege-escalation/linux-capabilities.md index 1564dd676..d5386a098 100644 --- a/linux-unix/privilege-escalation/linux-capabilities.md +++ b/linux-unix/privilege-escalation/linux-capabilities.md @@ -322,7 +322,9 @@ User=bob AmbientCapabilities=CAP_NET_BIND_SERVICE ``` -## Malicious Use +## + +## CapabilitMalicious Use Capabilities are useful when you **want to restrict your own processes after performing privileged operations** (e.g. after setting up chroot and binding to a socket). However, they can be exploited by passing them malicious commands or arguments which are then run as root.