Sudo Abuse
Checklist
Environment Variables (https://tryhackme.com/room/linuxprivesc)
Check which environment variables are inherited (look for the env_keep options):
sudo -l
LD_PRELOAD
LD_PRELOAD is an optional environment variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library, including the C runtime library.
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
Run one of the programs you are allowed to run via sudo (listed when running sudo -l), while setting the LD_PRELOAD environment variable to the full path of the new shared object:
sudo LD_PRELOAD=/tmp/preload.so program-name-here
LD_LIBRARY_PATH
LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first.
Run ldd against any program that you can execute as sudo (sudo -l) to see which shared libraries are used by the program:
ldd /usr/sbin/apache2
Create a shared object with the same name as one of the listed libraries (libcrypt.so.1) using the code located at /home/user/tools/sudo/library_path.c:
gcc -o /tmp/libcrypt.so.1 -shared -fPIC library_path.c
Run the program using sudo, while setting the LD_LIBRARY_PATH environment variable to /tmp (where we output the compiled shared object):
sudo LD_LIBRARY_PATH=/tmp program-name-here
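Both techniques above only work when sudo keeps LD_PRELOAD or LD_LIBRARY_PATH from the caller's environment (the env_keep check in the first step), so that same check is what a defender audits. The Python below is an added example, not from the TryHackMe room or this checklist: it parses a constructed sudo -l listing, returns the loader variables that env_keep preserves, and lists the commands they could be paired with.

```python
import re

# Constructed sample of `sudo -l` output (not captured from a real host).
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+="LD_LIBRARY_PATH EDITOR", mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/apache2, /usr/bin/find
"""

# Loader variables covered on this page; either one in env_keep lets the sudo
# caller choose which shared objects the root-owned process loads.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH"}

# Matches env_keep+=NAME, env_keep+="NAME1 NAME2" and plain env_keep=NAME.
_ENV_KEEP = re.compile(r'env_keep\s*\+?=\s*(?:"([^"]*)"|([^,\s]+))')
# Matches a "(runas) [TAG:] cmd1, cmd2" command line of the sudo -l listing.
_CMD_LINE = re.compile(r'^\s*\([^)]*\)\s*(?:[A-Z]+:\s*)*(.+?)\s*$', re.M)


def parse_env_keep(sudo_l_output):
    """Every variable name sudo will preserve from the caller's environment."""
    names = []
    for quoted, bare in _ENV_KEEP.findall(sudo_l_output):
        names.extend((quoted or bare).split())
    return names


def risky_env_keep(sudo_l_output):
    """Kept loader variables, sorted; an empty list means both vectors are closed."""
    return sorted(set(parse_env_keep(sudo_l_output)) & LOADER_VARS)


def sudo_commands(sudo_l_output):
    """Commands the caller may run via sudo, i.e. what a kept LD_* variable would affect."""
    cmds = []
    for spec in _CMD_LINE.findall(sudo_l_output):
        cmds.extend(c.strip() for c in spec.split(","))
    return cmds


def report(sudo_l_output):
    """One-line verdict suitable for a host audit script."""
    risky = risky_env_keep(sudo_l_output)
    if not risky:
        return "OK: no loader variables in env_keep"
    return "RISK: env_keep passes %s to %s" % (
        ", ".join(risky), ", ".join(sudo_commands(sudo_l_output)))


if __name__ == "__main__":
    print(report(SAMPLE_SUDO_L))
```

A RISK verdict means those names should be removed from the env_keep entries in the sudoers Defaults line; with env_reset alone sudo already drops LD_* variables, which is why the checklist tells you to look for env_keep first.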