1

I'm playing some CTF challenges and I'm trying to exploit ld.so.preload to obtain a root shell.

I'm currently testing on my local Kali.

I generate my payload as follows:

msfvenom -p linux/x64/exec CMD="/bin/bash" -o elf-so -o /root/bash.so

If I load this shared library with LD_PRELOAD=/root/bash.so, I get a shell with my current user.

But, if I add /root/bash.so to ld.so.preload the system simply hangs with any further command (and then I have to start a live distro to remove my ld.so.preload file because nothing works anymore, of course).

I tried different commands (even simple touch /tmp/loaded) and different payloads (shells, reverse shells), but the result doesn't change. The system hangs.

Just to make sure that I'm not adding it the wrong way to the file, let's say I'm adding it this way:

echo "/root/bash.so" > /etc/ld.so.preload

What am I missing? Is it possible to use this format with ld.so.preload?

Zagorax
  • 111
  • 1
  • 3

0 Answers0