DEV Community

Cover image for PrivEsc with LD_PRELOAD
fx2301
fx2301

Posted on • Edited on

1

PrivEsc with LD_PRELOAD

#ethicalhacking #redteam #cybersecurity #privesc

Why?

You need root access on a Linux host.

When?

You have write access to the file-system, can set environment variables for root, and root runs processes.

How?

  1. Craft a C program with an init function registered with .init_array.
  2. Compile the C program as an .so binary for the matching architecture.
  3. Write the binary to the target host's filesystem.
  4. Set the LD_PRELOAD environment variable.
  5. Wait for or trigger the root process execution.

Example 

#include <unistd.h>

void init(int argc, char **argv, char **envp) {
    // PrivEsc hook
}

__attribute__((section(".init_array"))) typeof(init) *__init = init;
Enter fullscreen mode Exit fullscreen mode

Top comments (0)

profile
AWS
 Promoted

AWS Q Developer image

Read next

tidefoundation profile image

It’s cybersecurity’s kryptonite: Why are you still holding it?

Tide Foundation -

vdelitz profile image

How to build a Passkey Product, a Strategy and Design for it?

vdelitz -

s3cloudhub profile image

Honeypot in Cybersecurity: Creating a Fake Access Point Honeypot 🚨

S3CloudHub -

pentest_testing_corp profile image

Preventing XML External Entity (XXE) Injection in Laravel Applications

Pentest Testing Corp -