linux privilege escalation - part two

2) Shell Escape Sequences
3) Sudo  Environment Variable Hijacking

Shell Escape Sequences / Gtfobins / living off the land

whatever you want to call it, this involves using native binaries and their functions to achieve root privileges. First step is finding out which binaries run as root:

Then compare this list with GTFOBins. See if you can use them to get root as shown below:

Another example using apache2 to read /etc/shadow

sudo environment variables - LD_PRELOAD

sudo can inherit environment variables, you can check for these by doing sudo -l as shown above. Keep an eye out for env_keep*

• LD_PRELOAD is inherited from the users environment. It can preload shared object libraries before the program runs 
• LD_LIBRARY_PATH provides a list of directories to search for shared object libraries.

The goal to is "hijack" these enviroment variables with a malicious shared object library. First we must create a Shared Object Library called preload.so.

This is the original C code below:

We can now run a program which was listed when we did "sudo -l" (in this case its iftop) and load the malicious shared object library via LD_PRELOAD:

sudo environment variables - LD_library_path

We will now do something very similar but with LD_LIBRARY_PATH. This involves creating a malicious shared library with the same name as an incumbent library and hijacking LD_LIBRARY_PATH. We'll be attacking the apache2 binary. First find out which libraries are loaded by apache2:

Now create a malicious shared object library name with the same name as an already existing library

The original C code of library_path.c

Next, provide the path containing the malicious library while executing the sudo binary: