{"id":1513,"date":"2021-04-22T20:40:00","date_gmt":"2021-04-22T18:40:00","guid":{"rendered":"https:\/\/mikadmin.fr\/blog\/?p=1513"},"modified":"2021-09-19T11:00:30","modified_gmt":"2021-09-19T09:00:30","slug":"linux-privilege-escalation-python-library-hijacking","status":"publish","type":"post","link":"https:\/\/mikadmin.fr\/blog\/linux-privilege-escalation-python-library-hijacking\/","title":{"rendered":"Linux Privilege Escalation : Python Library Hijacking"},"content":{"rendered":"<div style=\"height:30px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.aldeid.com\/w\/images\/b\/bd\/Ctf-tryhackme-Common-Linux-Privesc-tree.png\" alt=\"python library hijacking\"\/><figcaption><a href=\"https:\/\/tryhackme.com\/room\/commonlinuxprivesc\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/tryhackme.com\/room\/commonlinuxprivesc<\/a><\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">In this article, we go from an <strong>ordinary user<\/strong> without privileges to the <strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">root<\/span> user<\/strong> using a <strong><span style=\"color:#00d084\" class=\"tadv-color\"><a href=\"https:\/\/mikadmin.fr\/blog\/bien-debuter-en-python\/\" target=\"_blank\" rel=\"noreferrer noopener\">python<\/a><\/span> script<\/strong> and the &quot;<strong>python library hijacking<\/strong>&quot; technique.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p class=\"has-text-align-center\" style=\"font-size:38px\"><strong>Python Library Hijacking 
:<\/strong><\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">The context of this example is very simple: we have a user <strong><span style=\"color:#0693e3\" class=\"tadv-color\">simple_user<\/span><\/strong> who, as a check shows, can run the script <strong><span style=\"color:#00d084\" class=\"tadv-color\">example.py<\/span><\/strong> with <strong><span style=\"color:#9b51e0\" class=\"tadv-color\">sudo<\/span><\/strong>:<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"970\" height=\"179\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image.png\" alt=\"\" class=\"wp-image-1518\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image.png 970w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-300x55.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-150x28.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-768x142.png 768w\" sizes=\"auto, (max-width: 970px) 100vw, 970px\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">However, it is not that easy, since we do not have write permission on that script!<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"435\" height=\"126\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-1.png\" alt=\"\" 
class=\"wp-image-1519\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-1.png 435w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-1-300x87.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-1-150x43.png 150w\" sizes=\"auto, (max-width: 435px) 100vw, 435px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">But how do we <strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">bypass<\/span><\/strong> this in that case?<\/p>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">We need to look closely at the script itself, which, as an example, imports the <strong>random module<\/strong>, generates a list of numbers between 10 and 30 and prints it:<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"394\" height=\"202\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-2.png\" alt=\"\" class=\"wp-image-1520\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-2.png 394w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-2-300x154.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-2-150x77.png 150w\" sizes=\"auto, (max-width: 394px) 100vw, 394px\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">The method in this article relies on the fact that we can <strong>write our own random module<\/strong>, which will of course be malicious and will therefore let us become 
root.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Indeed, if we create a file <strong><span style=\"color:#00d084\" class=\"tadv-color\">random.py<\/span><\/strong> in <strong><span style=\"color:#ff6900\" class=\"tadv-color\">\/home\/simple_user\/<\/span><\/strong>, the directory that holds example.py, python will load this module in preference to the standard one, because the script&rsquo;s directory comes first in the module search path, which can be listed with the command:<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-bash\" data-line=\"\">python3 -c &#039;import sys; print(&quot;\\n&quot;.join(sys.path))&#039;<\/code><\/pre>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"541\" height=\"184\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-3.png\" alt=\"\" class=\"wp-image-1523\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-3.png 541w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-3-300x102.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-3-150x51.png 150w\" sizes=\"auto, (max-width: 541px) 100vw, 541px\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">So let&rsquo;s create our &quot;module&quot; in <strong><span style=\"color:#ff6900\" class=\"tadv-color\">\/home\/simple_user\/<\/span><\/strong>:<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"299\" height=\"183\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-4.png\" alt=\"\" 
class=\"wp-image-1525\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-4.png 299w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-4-150x92.png 150w\" sizes=\"auto, (max-width: 299px) 100vw, 299px\" \/><\/figure><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Once the os module is imported, we set the <strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">SUID bit<\/span><\/strong> on the <strong>bash<\/strong> binary.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">It is now time to run the script so that it calls our module:<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-bash\" data-line=\"\">sudo \/usr\/bin\/python3 \/home\/simple_user\/example.py<\/code><\/pre>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"502\" height=\"164\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-5.png\" alt=\"\" class=\"wp-image-1526\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-5.png 502w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-5-300x98.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-5-150x49.png 150w\" sizes=\"auto, (max-width: 502px) 100vw, 502px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Checking the <strong>\/bin\/bash<\/strong> file shows that the process succeeded!<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" 
decoding=\"async\" width=\"464\" height=\"106\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-6.png\" alt=\"\" class=\"wp-image-1527\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-6.png 464w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-6-300x69.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-6-150x34.png 150w\" sizes=\"auto, (max-width: 464px) 100vw, 464px\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">All that remains is to run the command:<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-bash\" data-line=\"\">\/bin\/bash -p<\/code><\/pre>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"842\" height=\"193\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-7.png\" alt=\"\" class=\"wp-image-1528\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-7.png 842w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-7-300x69.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-7-150x34.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/04\/image-7-768x176.png 768w\" sizes=\"auto, (max-width: 842px) 100vw, 842px\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:30px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Linux Privilege Escalation with Python Library Hijacking.<\/p>\n<p>Python will prioritize the execution of our malicious module instead of 
the usual path <a href=\"https:\/\/mikadmin.fr\/blog\/linux-privilege-escalation-python-library-hijacking\/\" class=\"more-link\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1516,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[4,3],"tags":[21,5,9,45,15],"class_list":["post-1513","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infosec","category-system","tag-ctf","tag-infosec","tag-linux","tag-pentest","tag-python"],"aioseo_notices":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/1513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/comments?post=1513"}],"version-history":[{"count":0,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/1513\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media\/1516"}],"wp:attachment":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media?parent=1513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/categories?post=1513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/tags?post=1513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}