Python Library Hijacking Linux Privilege Escalation

wheal · June 28, 2023, 11:17pm

I have been trying to do the linux privilege escalation python library hijacking module. Something seems to not be working for me as when I attempt to run the mem_status.py with the modified psutil function as sudo it says that I do not have permission although when I do sudo -l it says that I do.

wheal · June 29, 2023, 7:54am

Ok, I just tried it again after waiting for awhile and now I can use sudo. I have no idea why I could not to begin with but it works now so that’s cool.

tmptr03 · June 29, 2023, 6:49pm

Hi, did you get the root as well? Somehow, by following all the instructions on the page, I can’t get mem_status.py to run as root. I wonder, what’s the catch here?

wheal · June 30, 2023, 1:26am

yeah I just followed what it said and made a reverse shell using Coding A Reverse Shell In Python In 10 Lines Or Less - LinuxForDevices
you can use any python shell code though

tmptr03 · June 30, 2023, 6:15pm

Very weird. I’m getting that same old “Sorry, user htb-student is not allowed…” sudo denial no matter what I do. All those tricks including reverse shells work perfectly without sudo (and without privileges of course). Oh well, I guess I’ll just pick another fun module until this one is ironed out. Thanks anyway.

aleks-9 · July 3, 2023, 3:27pm

I’m here too. I can’t even find a directory with write permissions for psutil to write

aleks-9 · July 3, 2023, 3:48pm

where did you change psutil?

aleks-9 · July 3, 2023, 5:03pm

Solved. This help me.Privilege Escalation via Python Library Hijacking | rastating.github.io

Rrrgang · August 5, 2023, 11:53am

Just worked this one out.
Change the command to:

sudo /usr/bin/python3 ~/mem_status.py

aleph · August 5, 2023, 9:12pm

This one took me ages to figure out.

As mentioned by others above, none of the directories listed in the tutorial are writable by the htb-student user. You also do not get SETENV permissions with sudo. You also do not have write access to the init.py script in the psutil folder. Given all of that, you cannot actually do any single one of the things listed in the writeup.

The solution:
There is one other directory that the script will apparently check for psutil in: the directory that mem_status.py resides in. Create a new psutil.py, and run the program with sudo.

JesseWil · August 18, 2023, 10:26pm

Keep in mind that the commands that are listed when you type “sudo -l” that have things like NOPASSWD: before them have to be typed as they’re written. So even if you’re in the directory of the mem_status.py you still need to specify the path. This is what hung me up.

muskypirate · August 23, 2023, 8:45am

This became overly complicated due to one key information NOT being mentioned.

you can pretty much do a two line code:

Summary

import os
os.system('cat path/to/file')

But when you execute, you need to mentioned the full path of the python library and full path to where the executable file is or use [~]

The HTB example of using a [.] before the slash is misleading intentionally or unintentionally.