Python Library Hijacking Linux Privilege Escalation

I have been trying to do the linux privilege escalation python library hijacking module. Something seems to not be working for me as when I attempt to run the mem_status.py with the modified psutil function as sudo it says that I do not have permission although when I do sudo -l it says that I do.

1 Like

Ok, I just tried it again after waiting for awhile and now I can use sudo. I have no idea why I could not to begin with but it works now so that’s cool.

1 Like

Hi, did you get the root as well? Somehow, by following all the instructions on the page, I can’t get mem_status.py to run as root. I wonder, what’s the catch here?

1 Like

yeah I just followed what it said and made a reverse shell using Coding A Reverse Shell In Python In 10 Lines Or Less - LinuxForDevices
you can use any python shell code though

Very weird. I’m getting that same old “Sorry, user htb-student is not allowed…” sudo denial no matter what I do. All those tricks including reverse shells work perfectly without sudo (and without privileges of course). Oh well, I guess I’ll just pick another fun module until this one is ironed out. Thanks anyway.

I’m here too. I can’t even find a directory with write permissions for psutil to write

where did you change psutil?

Solved. This help me.Privilege Escalation via Python Library Hijacking | rastating.github.io

1 Like

Just worked this one out.
Change the command to:

sudo /usr/bin/python3 ~/mem_status.py

4 Likes

This one took me ages to figure out.

As mentioned by others above, none of the directories listed in the tutorial are writable by the htb-student user. You also do not get SETENV permissions with sudo. You also do not have write access to the init.py script in the psutil folder. Given all of that, you cannot actually do any single one of the things listed in the writeup.

The solution:
There is one other directory that the script will apparently check for psutil in: the directory that mem_status.py resides in. Create a new psutil.py, and run the program with sudo.

3 Likes

Keep in mind that the commands that are listed when you type “sudo -l” that have things like NOPASSWD: before them have to be typed as they’re written. So even if you’re in the directory of the mem_status.py you still need to specify the path. This is what hung me up.

2 Likes

This became overly complicated due to one key information NOT being mentioned.

you can pretty much do a two line code:

Summary
import os
os.system('cat path/to/file')

But when you execute, you need to mentioned the full path of the python library and full path to where the executable file is or use [~]

The HTB example of using a [.] before the slash is misleading intentionally or unintentionally.

1 Like

Whoever can help me with understanding situation in this module. I am trying run python with custom PATHPYTHON and return error from sudo? Does it change version of sudo or configuration sudo, or may my mistake? I don’t understand why in example provided in this module doesn’t work for me. Thanks.

htb-student@ubuntu:~$ sudo PYTHONPATH=/tmp/ /usr/bin/python3 /home/htb-student/mem_status.py
sudo: sorry, you are not allowed to set the following environment variables: PYTHONPATH

because htb-student doesnt have SETENV permission.
all you have to do is hijack the virtual.memory function on psutil.py in current python environtment

Hi
How to find the directory, where python looking for modules?
I checked all directories, got from python3 -c ‘import sys; print(“\n”.join(sys.path))’, they all without write permissions.