Category: misc Author: ishtar
Beep boop bop... A blessing and a curse :/
The main objective of this challenge is to familiarize the player with "shared library hijacking" and "function hooking" in Linux, abusing the preload mechanism.
The `ld.so.preload` file does not suffer from the `LD_PRELOAD` environment variable restrictions when running SUID binaries. Thus, it is possible to define our custom shared library which will allow us to escalate our privileges upon running any SUID binary, by hooking any function used (while privileges are not dropped), such as `geteuid` in `su` (as in the provided solution).
Solution steps:
- Identify possible ways to escalate privileges. The `ld.so.preload` file is world-writable (`find / -type f -writable 2>/dev/null`).
- Compile an evil shared library, and escalate privileges to obtain the flag.
A solution for this challenge is provided in `solve.c`.
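From the defender's side, the misconfiguration this challenge relies on can be audited with a short check. The script below is an added example, not part of the challenge files: it flags a preload file, any library it lists, or a library's directory that is not owned by root or is group/world-writable. It assumes GNU `stat`; the names `unsafe`, `audit_preload` and `EXPECTED_UID` are hypothetical.

```shell
#!/bin/sh
# Audit a preload file and every library it lists. Anything the dynamic
# loader preloads into SUID programs must be owned by root and must not be
# group- or world-writable. EXPECTED_UID is a hypothetical override so the
# check can be exercised on constructed files by a non-root user.
EXPECTED_UID="${EXPECTED_UID:-0}"

# unsafe PATH: print why PATH is unsafe and return 0; return 1 if it is fine.
unsafe() {
    if [ ! -e "$1" ]; then
        echo "missing: $1"
        return 0
    fi
    owner=$(stat -L -c %u "$1")
    mode=$(stat -L -c %a "$1")
    if [ "$owner" != "$EXPECTED_UID" ]; then
        echo "owner uid $owner (expected $EXPECTED_UID): $1"
        return 0
    fi
    # Octal mask 022 = write bit for group and for others.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "mode $mode is group/world-writable: $1"
        return 0
    fi
    return 1
}

# audit_preload [FILE]: exit status is the number of findings (0 = clean).
# The body runs in a subshell so 'set -f' and variables stay local.
audit_preload() (
    file="${1:-/etc/ld.so.preload}"
    findings=0
    # An absent preload file is the normal state on most systems.
    [ -e "$file" ] || exit 0
    if unsafe "$file"; then findings=$((findings + 1)); fi
    set -f  # do not glob-expand entries read from the file
    # Entries are split on whitespace or colons; '#' starts a comment.
    for lib in $(sed 's/#.*//' "$file" | tr ':' ' '); do
        if unsafe "$lib"; then findings=$((findings + 1)); fi
        if unsafe "$(dirname "$lib")"; then findings=$((findings + 1)); fi
    done
    exit "$findings"
)
```

Source the file and call `audit_preload` with no argument to check `/etc/ld.so.preload`; each finding is printed on its own line.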