# ld.so PrivEsc Example

{% embed url="<https://book.hacktricks.xyz/linux-hardening/privilege-escalation/ld.so.conf-example>" %}

### **Key Assumptions:**&#x20;

1. **Someone has created a vulnerable entry** inside a file in */etc/ld.so.conf/, and t*he vulnerable folder is */home/ubuntu/lib* (where we have writable access)

```bash
sudo echo "/home/ubuntu/lib" > /etc/ld.so.conf.d/privesc.conf
```

2. We can wait for a **reboot** or for the root user to execute **`ldconfig`**  ike cron (*in case you can execute this binary as **sudo** or it has the **suid bit** you will be able to execute it yourself*) through.&#x20;
3. Even you do not find any info under /etc/ld.so.conf or /etc/ld.so/conf.d/, run 'strace' to see if you have any missing shared library. You might find some missing so library.&#x20;

<figure><img src="https://4082237222-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnA4bAkddGXesk1QCLYAY%2Fuploads%2F7YdvJmGidLYAaSGvs7eq%2Fimage.png?alt=media&#x26;token=8a4b8069-ebaf-4491-8062-9ecb7170a2ef" alt=""><figcaption></figcaption></figure>

&#x20;      Use an exploit.c in LD\_PRELOAD section in Sudo, complie it with the same command with the \
&#x20;      filename above, and run the program. The program automatically loads the library and execute   \
&#x20;      the library.&#x20;