Windows & Linux Privilege Escalation Training (Online)
Introduction (page 3)
Python Script Creation (page 3)
Method 1 (page 4)
    Vulnerability Creation (page 4)
    Exploitation (page 5)
Method 2 (page 8)
    Vulnerability Creation (page 8)
    Exploitation (page 10)
Method 3 (page 12)
    Vulnerability Creation (page 12)
    Exploitation (page 13)
Conclusion (page 15)
Page 2 of 15
Introduction
In general, when an attacker lands in an environment where Python scripts are run with elevated rights, the
options for increasing access come down to a few misconfigurations. This article covers three of them:
write permissions on an imported module file, a sudo rule that runs a script as root, and control over the
PYTHONPATH variable. We start by creating a small script that imports the standard webbrowser module.
Python Script Creation
nano hack.py
import webbrowser
# Opens the Hacking Articles home page in the default browser
webbrowser.open("https://hackingarticles.in")
cat hack.py
To see how the script works, we run it and find that a web browser opens on the Hacking Articles web
page, as depicted below.
python3 hack.py
Method 1
The permissions applied to the module file that our script imports are the source of this vulnerability. It
becomes a vulnerability when the module file being imported has rights that allow any user to alter it. The
webbrowser.py module file is called in the python script that we wrote. It is not an issue in an untouched
system with all default permissions, but in a development environment, there tends to be some security
tradeoffs over small conveniences. To have a better understanding of what happens in the background
and what permissions can lead to privilege escalation, we will first construct the vulnerability in our
Ubuntu environment and then attack it with Kali Linux.
Vulnerability Creation
As discussed, in this method the vulnerability is the mode of the module file. To create it, we first need to
locate the module. We used the locate command (if it reports nothing, the locate database may be stale;
run updatedb, or ask the interpreter itself for webbrowser.__file__). On this machine the module is in
/usr/lib/python3.8/, but the path varies between installations, so check your own environment. The
default mode on the file is 755 (rwxr-xr-x): the owner, root, can read, write and execute it, while the group
and everyone else can only read and execute it. That is what makes the file importable by any user but
editable only by root. To create the vulnerability, we changed the mode to 777 so that every user can
read, write and execute the file, as the listing below shows.
locate webbrowser.py
ls -la /usr/lib/python3.8/webbrowser.py
sudo chmod 777 /usr/lib/python3.8/webbrowser.py
ls -la /usr/lib/python3.8/webbrowser.py
The next order of business is to make the machine vulnerable by providing a way to run the Python script
as root. The easiest way is a sudoers entry that lets the attacker (who will have access to the user pavan)
run hack.py with the system interpreter without a password. Edit the file with visudo rather than nano, so
that a syntax error cannot lock everyone out of sudo.
nano /etc/sudoers
pavan ALL=(root) NOPASSWD: /usr/bin/python3.8 /home/pentest/hack.py
This is a complete process that makes the machine vulnerable to Python Library Hijacking. All the
configurations that are not mentioned are set to be the defaults that Linux has. No other changes have
been made.
Exploitation
The exploitation steps do not cover gaining the initial foothold on the target machine; they cover elevating
privilege after the attacker has one. To simulate this, we connect to the target as the user pavan. Like any
attacker who needs elevated privileges, we run sudo -l to see which scripts or binaries we can run with
elevated access. We see that we can run hack.py with Python 3.8 as root. As an attacker, we read the
script with cat and see that it imports a module named webbrowser. We use locate to find the module,
inside /usr/lib/python3.8, and then check its permissions: it is world-writable, so the pavan user we
control can edit it.
ssh [email protected]
sudo -l
cat /home/pentest/hack.py
locate webbrowser.py
ls -la /usr/lib/python3.8/webbrowser.py
We open the module file in nano and add the Python reverse shell code inside the function that hack.py
calls. We saw earlier that the script opens a web page, so the function being called is webbrowser.open();
that is where we add the reverse shell code, so it runs as root the moment the script calls open().
nano /usr/lib/python3.8/webbrowser.py
After editing the module file, we save and close the editor. Back on the Kali Linux console, we open a
Netcat listener on the port mentioned in the reverse shell script and then come back to the shell as the
pavan user and execute the hack.py script with sudo as shown in the image.
As soon as the script is running, we see that a session is connected to our Netcat listener. The whoami
command clarifies that the session we have is for the root user on the target machine. We have
successfully elevated privilege from the pavan user to the root user.
nc -lvp 1234
whoami
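The permission check above is the first thing worth automating. The following audit script is an added example, not part of the original article or of any tool it uses: given the path of a script that appears in sudo -l output, it parses the script's imports statically, resolves each one to the file the current interpreter would load, and reports three hijacking preconditions: an imported module file that is writable (Method 1), a script directory that is writable so a same-named module can shadow the real one (Method 2), and a script that is itself writable. The demo() function builds a throwaway copy of the setup in a temporary directory with a stand-in module named hijackme (a constructed fixture, not a real library) so the check can be exercised without touching the system's standard library.

```python
#!/usr/bin/env python3
"""Audit a script that can be run via sudo for Python library-hijacking preconditions.

Added example. Run it as the low-privileged user and with the same interpreter that
the sudoers rule names, so that import resolution matches what sudo would do.
"""
import ast
import importlib.util
import os
import stat
import sys
import tempfile
from pathlib import Path


def imported_modules(script_path):
    """Top-level module names the script imports, found by parsing (nothing is executed)."""
    tree = ast.parse(Path(script_path).read_text(), filename=str(script_path))
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return sorted(names)


def module_file(name):
    """Path of the file Python would load for `name`, or None for builtin/frozen/unknown."""
    try:
        spec = importlib.util.find_spec(name)
    except (ImportError, ValueError):
        return None
    if spec is None or not spec.origin or spec.origin in ("built-in", "frozen"):
        return None
    return spec.origin


def world_writable(path):
    """True if the 'others' write bit is set, e.g. after `chmod 777`."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_script(script_path):
    """Return (kind, path) findings; an empty list means none of the three preconditions hold."""
    script_path = Path(script_path).resolve()
    findings = []
    # Writable script: no hijack needed, the attacker edits the script directly.
    if os.access(script_path, os.W_OK):
        findings.append(("script-writable", str(script_path)))
    # Writable script directory: sys.path[0] is that directory, so a dropped
    # module of the same name wins over the stdlib copy (Method 2).
    if os.access(script_path.parent, os.W_OK):
        findings.append(("script-dir-writable", str(script_path.parent)))
    # Writable module file: the real module can be edited in place (Method 1).
    for name in imported_modules(script_path):
        origin = module_file(name)
        if origin and (world_writable(origin) or os.access(origin, os.W_OK)):
            findings.append(("module-writable", origin))
    return findings


def demo():
    """Constructed fixture: a stand-in module made world-writable plus a script importing it."""
    root = Path(tempfile.mkdtemp(prefix="pyhijack-audit-"))
    module = root / "hijackme.py"           # stands in for /usr/lib/python3.8/webbrowser.py
    module.write_text("def open(url):\n    return url\n")
    module.chmod(0o666)                     # the same mistake as `chmod 777 webbrowser.py`
    script = root / "hack.py"
    script.write_text("import hijackme\nhijackme.open('https://example.invalid/')\n")
    sys.path.insert(0, str(root))           # mimic the script directory being sys.path[0]
    try:
        return audit_script(script)
    finally:
        sys.path.remove(str(root))
        importlib.invalidate_caches()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for kind, path in (audit_script(target) if target else demo()):
        print(f"{kind}: {path}")
```

Resolution uses the auditing interpreter's own sys.path, so run the script with the interpreter named in the sudo rule; running it as root is misleading because os.access then reports everything as writable, which is why the world-writable bit is checked separately. Against the Method 1 setup it reports the module file; against the Method 2 setup it reports the script's directory.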
Method 2
This vulnerability is based on the order in which Python searches for the module that our script imports.
When a module is imported, Python looks for it in the directories listed in sys.path, in order, and loads the
first match. The first entry of sys.path is the directory containing the script being run, which comes
ahead of the standard library directories. Our script imports webbrowser, which normally resolves to the
standard library copy, but if a file named webbrowser.py sits in the same directory as the script, it takes
priority. To get a better understanding of what goes on in the background and how it can lead to a
privilege escalation, we will first create the vulnerability in our Ubuntu environment and then use Kali
Linux to exploit it.
Vulnerability Creation
As discussed, this method rests on the module search order. To create the vulnerability, we first revert
the permissions we loosened earlier, so that the machine is not vulnerable in more than one way, restoring
the default mode on webbrowser.py and verifying it with ls.
ls -la /usr/lib/python3.8/webbrowser.py
Next, we return to the Python script we created earlier. It is now in the home directory of the pavan user
and still contains the same code, including the import of the webbrowser module.
ls
cat hack.py
Since we moved the script from the pentest user’s home directory to the home directory of the pavan
user, we need to make the change inside the sudoers file as well, so that it contains the correct path for
the script hack.py.
nano /etc/sudoers
pavan ALL=(root) NOPASSWD: /usr/bin/python3.8 /home/pavan/hack.py
This completes the setup that makes the machine vulnerable to Python library hijacking. All configurations
that are not mentioned are left at the Linux defaults. No other changes have been made.
Exploitation
Again, the exploitation will not cover gaining an initial foothold on the target machine, only elevating
privilege after the attacker has one. To simulate this, we connect to the target machine as the user
pavan. Like any attacker who needs elevated privileges, we run sudo -l to see which scripts or binaries
we can run with elevated access. We see that we can run hack.py with Python 3.8 as root. As an attacker,
we read the script with cat and see that it imports a module named webbrowser.
ssh [email protected]
sudo -l
ls
cat hack.py
Since hack.py is located in the home directory of the pavan user, and we have access as pavan, we can
create files in that directory. Note that we cannot edit hack.py itself in this scenario; if we could, we
would simply add the reverse shell code to it directly. Instead, we create a webbrowser.py file next to it
and put the Python reverse shell code inside this new file.
nano webbrowser.py
cat webbrowser.py
Next, we need to run a Netcat listener on the port that we mentioned inside the reverse shellcode. Then
we will proceed to execute the hack.py script using sudo.
As soon as the script is running, we see that a session is connected to our Netcat listener. The id command
clarifies that the session we have is for the root user on the target machine. We have successfully elevated
privilege from the pavan user to the root user.
nc -lvp 1234
id
Method 3
This vulnerability is based on the PYTHONPATH environment variable. Its value is a list of directories that
Python inserts into sys.path after the script's own directory but ahead of the standard library, so a
module found there wins over the standard library copy. If an attacker can set that variable for a script
that runs as root, they can point it at a directory holding a malicious module and elevate privileges on the
target machine. To get a better understanding of what goes on in the background and how it can lead to
a privilege escalation, we will first create the vulnerability in our Ubuntu environment and then use Kali
Linux to exploit it.
Vulnerability Creation
As discussed, this method rests on the PYTHONPATH environment variable. To create the vulnerability,
we first revert the conditions created earlier, so that the machine is not vulnerable in more than one way.
We create the hack.py script inside the /tmp directory and verify that its contents are the same as before.
cd /tmp
ls
cat hack.py
Next, we make two changes in the sudoers file (again, via visudo). First, we change the script location to
the /tmp directory, and then we add the SETENV tag to the rule. SETENV is not a command but a sudoers
tag: it lets the pavan user set environment variables on the sudo command line (sudo VAR=value command)
for that rule, which sudo's default env_reset would otherwise refuse and strip. With it, pavan can set
PYTHONPATH for the interpreter that runs as root and so insert any directory into the search order we
saw in the previous method.
nano /etc/sudoers
pavan ALL=(root) NOPASSWD:SETENV /usr/bin/python3.8 /tmp/hack.py
cat /etc/sudoers
This completes the setup that makes the machine vulnerable to Python library hijacking. All configurations
that are not mentioned are left at the Linux defaults. No other changes have been made whatsoever.
Time to pose as an attacker.
Exploitation
Again, the exploitation will not cover gaining an initial foothold on the target machine, only elevating
privilege after the attacker has one. To simulate this, we connect to the target machine as the user pavan.
Like any attacker who needs elevated privileges, we run sudo -l to see which scripts or binaries we can
run with elevated access. We see the SETENV tag on the rule, which means we can set environment
variables for the root-run interpreter and so alter the search order for the imported module. Since
hack.py is located in the /tmp directory, we move into it and check the script.
ssh [email protected]
sudo -l
cd /tmp
ls
Since it imports the webbrowser module, we first create a malicious module file named webbrowser.py
containing the reverse shell code, and then use our ability to set PYTHONPATH to put its directory at the
front of the search order. We start a Netcat listener on the port used in the reverse shell, add /tmp to
PYTHONPATH, and execute hack.py to elevate our access. Note that because hack.py itself lives in /tmp,
which is world-writable, dropping webbrowser.py next to it is already enough on its own (that is Method 2);
the PYTHONPATH route is what matters when the script's directory is not writable but SETENV is granted.
cat hack.py
nano webbrowser.py
cat webbrowser.py
sudo PYTHONPATH=/tmp/ /usr/bin/python3.8 /tmp/hack.py
As soon as the script runs, a session connects to our Netcat listener. The id command confirms that the
session is running as root on the target machine. We have successfully elevated privilege from the pavan
user to the root user.
nc -lvp 1234
id
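The search-order behaviour behind Method 2 and Method 3, and the interpreter-side mitigation, as an added example that is not part of the original article: the script below writes a stand-in webbrowser.py (constructed; it only returns a marker instead of spawning a reverse shell) into a temporary directory and runs a small probe script in a child interpreter under five conditions: no shadow module (baseline), the shadow beside the script (Method 2), the shadow reached through PYTHONPATH (Method 3), and both attacks again with the interpreter started with -I, which ignores PYTHONPATH and keeps the script's directory off sys.path. The probe reports which webbrowser.py it actually imported. The directory names, the probe and the shadow module are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Show where `import webbrowser` resolves under the Method 2 and Method 3 conditions.

Added example. Each scenario runs a probe script in a child interpreter and reads back
which webbrowser.py it imported; nothing is opened and no shell is spawned.
"""
import os
import subprocess
import sys
import tempfile
import webbrowser
from pathlib import Path

# The copy a clean `import webbrowser` should resolve to on this interpreter.
STDLIB_WEBBROWSER = str(Path(webbrowser.__file__).resolve())

# Stands in for hack.py: same import, but it reports the module path instead of calling open().
PROBE = "import pathlib, webbrowser\nprint(pathlib.Path(webbrowser.__file__).resolve())\n"

# Constructed stand-in for the attacker's webbrowser.py; the article's version
# puts a reverse shell in open(), this one only returns a marker.
SHADOW = (
    "def open(url, new=0, autoraise=True):\n"
    "    return 'hijacked: ' + url\n"
)


def run_probe(script_dir, pythonpath=None, isolated=False):
    """Run the probe from script_dir; return the resolved path of the webbrowser it imported."""
    script = Path(script_dir) / "hack.py"
    script.write_text(PROBE)
    env = dict(os.environ)
    env.pop("PYTHONPATH", None)        # start from a clean search path
    env.pop("PYTHONSAFEPATH", None)    # 3.11+ knob that would change the baseline
    if pythonpath is not None:
        env["PYTHONPATH"] = str(pythonpath)    # what `sudo PYTHONPATH=/tmp/ ...` injects
    cmd = [sys.executable] + (["-I"] if isolated else []) + [str(script)]
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def scenarios():
    """Run the baseline, both attacks and the -I mitigation; return the resolved paths."""
    clean = Path(tempfile.mkdtemp(prefix="clean-"))   # script directory without a shadow
    evil = Path(tempfile.mkdtemp(prefix="evil-"))     # attacker-controlled directory
    (evil / "webbrowser.py").write_text(SHADOW)
    return {
        "stdlib": STDLIB_WEBBROWSER,
        "shadow": str((evil / "webbrowser.py").resolve()),
        "baseline": run_probe(clean),
        "method2_shadow_in_script_dir": run_probe(evil),
        "method3_pythonpath": run_probe(clean, pythonpath=evil),
        "method2_isolated": run_probe(evil, isolated=True),
        "method3_isolated": run_probe(clean, pythonpath=evil, isolated=True),
    }


if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name:30} {path}")
```

Running it prints one resolved path per scenario: both attacks resolve to the temporary shadow file, while the baseline and both -I runs resolve to the standard-library copy. Since sudo matches the command's argument list exactly, naming -I in the sudoers command line is one hardening that follows directly; keeping the script and its directory root-owned and unwritable is still required, because -I does nothing about a module file that is itself writable.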
Conclusion
We set up three realistic scenarios around Python library loading and introduced misconfigurations that
let an attacker elevate their access to root: a writable module file, a writable script directory, and a sudo
rule that allows PYTHONPATH to be set. The fixes follow from the same three preconditions: keep module
files and the script's directory root-owned and not writable by others, and do not grant SETENV on a sudo
rule that runs an interpreter. Development environments are a frequent target because convenience is
often given priority over security there.
www.ignitetechnologies.in