Linux Privilege Escalation
The course is part of this learning path
This course explores how to carry out privilege escalation on Linux machines. We look at enumeration, kernel exploits, sudo list, suid, crontab, and much more!
Hi, within this lecture, we're going to see LD_PRELOAD vulnerability and how to exploit it to become root. Right now, we are in the task 8. You can, actually follow this along with their as well. So, all you got to do is just run sudo-L as usual. And we see a lot of binaries over here. But also, we see this thing over here as well. So, LD_PRELOAD. Right now, we have access to LD_PRELOAD. So, what does it mean? Once we try to execute any of these binaries over here, if we want, we can actually preload some library or some code to execute this before the original binary over there. So, maybe we want to do that in Linux or maybe we don't want to do that. If we have root, of course, we have access to this, but even though we are not root, this permission is given to us. So, if you see LD_PRELOAD over here in the CTF or in a pen test, then it means that you get to load a library before executing any of the comments or any of the binaries over here. So, I'm not depending on the binary that you execute, it will work whatever you write, whatever you actually supply here will work. So, whether it's patchy to, whether it's anything else, it will work. So, of course you're going to have to try and see if this works or not. But again, in this case, we're going to do that. So, in order to do this, we need to understand the C code over here. So, I have shared the C code with you. So, this is a very small exploit that you're going to write you can reach this from here anytime you want. But also I'm going to write it down here in order to preload this before executing any of the binaries over there. So, I'm going to show you how it's done as well, but first of all, we need a C code. So, again, anytime you can come back here and just write this so you don't have to take a note or something like that. But it's very simple and all you got to do is just type this out. So, I'm going to show you don't worry. So, first of all we are user and we see the LD_PRELOAD is permitted. So, what I'm going to do, I'm going to write the C code over here and just use this gcc command in order to create a shared object which is executable, but not really okay. So, this is already to compile thingy and we can just use this to preload the shared object over here before executing getting binary. So, I'm going use nano, of course, you can use anything you want. I'm going to call this library.c and over here I'm going to write test for example. And let's see if we can actually see the library.c. Here you go, now we can see it. Now, I'm going to narrow this thing one more time. So, it means that we get to actually write some stuff in the user folder if we cannot do that, we can try this in under the TMP folder, obviously. So, I'm going to delete this and come over here and start typing with me. So, I'm going to bring in the standard libraries for C. So, I'm going to write hashtag include and standard input/output over here, .h like that. And we also need one more thing, so I'm going to say include sys, okay, sys types.h. So, these are the libraries that we will need and also don't forget to just standard library.h over here. So, here you go. Now, we have what we need over there. So, bring in all of those things so that your code works. So, after that we are just importing the libraries that we need in order to make this run like in Python. You remember Python. I'm going to create a method over here which will start with void. So, void means null, nada, nil, okay, it will return nothing. So, this will get executed, but it will just return nothing. And I'm going to call this in it and this will be the first thing that should get executed once we write this. So, let me do this over here, don't forget to add the curly braces over there. After that, I'm going to just bring four spaces over here and write unsetenv, unsetenv and over here, you need to specify the LD_PRELOAD over here. So, like this. So, it has to be exact. So, follow along with me. Again, bring in one tab, so just leave a space of one tab like four spaces over here and then just write the rest of the code. So, what we do here is actually valid for the other codes as well other than preload. All you go to do is just write setgid which is group id over here and just make it zero which is root. So, I'm going to hit "Tab" one more time and tap if tab doesn't work, just bring in its spaces and just run setuid; this is user ID and I'm going to make it root as well. So, finally I'm going to come over here and just write system and call the ("/bin/bash"): or bin as h over depending on the situation over here and don't forget the semi colon. So, that's it. Actually all we are doing over here is setting the setgid and setuid to zero and spawning the bash, spawning the shell. So, it will make us root and it will spawn a shell for us. So, this is a standard C code other than preload, you can use this in other cases as well. So, I'm going to 'Save' this with 'Control' or 'Enter' and hit 'Control X' to get out of this one. Now, library.c is over there. Now, library.c contains the exploit code, so I'm going to use the gcc over here. So, make sure you type the exact parameters as I'm doing and these parameters can be retrieved from the TryHackMe again. So, you got to do shared O and after that this O stands for the output and I'm going to save this under TMP. And I'm going to name this like library.so and SO stands for the shared object that I've talked about. And finally, you have to specify the library.c with no start files like that. So, make sure you take a note of these parameters and even if you don't you can get this from the TryHackMe, as I said before. So, basically we are compiling this into a shared object SO file so that we can actually run a sudo LD_PRELOAD and make it equal to the shared object file that we have created. And in order to do that, all you got to do is just say, equal sign and make it into the path that we have supplied, like TMP, library.so, like this. So, of course, if we didn't have this sudo permission over here for the LD_PRELAOD then it wouldn't work. But right now, we have. So, I'm going to specify it for Nmap. And if I run, who am I now, as you can see, I am root. Over here, you see, it is specified exactly like this for apache2 and that's it. So, you can try it with Nmap, you can try it with apache2 or any other binary that you see in that list and it will get executed. All it's doing over here is setgid, setuid and spawning the bash. So, make sure you remember that. It is not mandatory for you to know about C, I haven't written a project in C for years right now, but again, it's very easy once you know any programming language, so make sure you got this. Once you exit out of this one, we are using one more time and we're going to continue with the privilege escalation within the next lecture.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.