L-CAP-ABUSEPrivilege Escalation

Linux Capability Abuse

Binary with cap_setuid+ep / cap_sys_admin / cap_dac_read_search — escalate to root via the granted capability.

§ Where this technique fits

L-CAP-ABUSE is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

nf_tables UAF → kernel R/W → root
CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.
step 2 / 7

§ What commonly comes next

01
netfilter / nf_tables UAF
LK-NETFILTER-UAF · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

nf_tables UAF → kernel R/W → root

§ What commonly comes next