// notes/ PrivEsc — Linux
🐧

Sudo Ld Preload

Pre-loading is a feature of LD (Dynamic Linker) which is available on most UNIX systems. This can be exploited by loading a custom library of our choice (as root) before loading a…

#linux privilege escalation#adot8
source · oscp.adot8.com · linux-privilege-escalation/sudo_ld_preload

LD_PRELOAD

Pre-loading is a feature of LD (Dynamic Linker) which is available on most UNIX systems. This can be exploited by loading a custom library of our choice (as root) before loading a different library

code
01sudo -l
<figure><img src="/files/IiOL3TtJBlRHGe0LYexg" alt=""><figcaption></figcaption></figure>

Create a the malicious library in C

<figure><img src="/files/XbyW2dt1fiRSgGYsh4Ws" alt=""><figcaption></figcaption></figure>

Code Breakdown:

  • Including standardio, sys/types and standard libraries
  • Unset the LD_PRELOAD environment variable
  • Set the gid and uid to 0 (which is root)
  • Then we want to execute /bin/bash as root (0)

Compile

code
01gcc -fPIC -shared -o shell.so shell.c -nostartfiles

Use LD_PRELOAD and another command that we can run as root

code
01sudo LD_PRELOAD=/tmp/shell.so iftop