I have been trying to do the linux privilege escalation python library hijacking module. Something seems to not be working for me as when I attempt to run the mem_status.py with the modified psutil function as sudo it says that I do not have permission although when I do sudo -l it says that I do.
Ok, I just tried it again after waiting for awhile and now I can use sudo. I have no idea why I could not to begin with but it works now so that’s cool.
Hi, did you get the root as well? Somehow, by following all the instructions on the page, I can’t get mem_status.py to run as root. I wonder, what’s the catch here?
yeah I just followed what it said and made a reverse shell using Coding A Reverse Shell In Python In 10 Lines Or Less - LinuxForDevices
you can use any python shell code though
Very weird. I’m getting that same old “Sorry, user htb-student is not allowed…” sudo denial no matter what I do. All those tricks including reverse shells work perfectly without sudo (and without privileges of course). Oh well, I guess I’ll just pick another fun module until this one is ironed out. Thanks anyway.
I’m here too. I can’t even find a directory with write permissions for psutil to write
where did you change psutil?
Solved. This help me.Privilege Escalation via Python Library Hijacking | rastating.github.io
Just worked this one out.
Change the command to:
sudo /usr/bin/python3 ~/mem_status.py
This one took me ages to figure out.
As mentioned by others above, none of the directories listed in the tutorial are writable by the htb-student user. You also do not get SETENV permissions with sudo. You also do not have write access to the init.py script in the psutil folder. Given all of that, you cannot actually do any single one of the things listed in the writeup.
There is one other directory that the script will apparently check for psutil in: the directory that mem_status.py resides in. Create a new psutil.py, and run the program with sudo.
Keep in mind that the commands that are listed when you type “sudo -l” that have things like NOPASSWD: before them have to be typed as they’re written. So even if you’re in the directory of the mem_status.py you still need to specify the path. This is what hung me up.
This became overly complicated due to one key information NOT being mentioned.
you can pretty much do a two line code:
But when you execute, you need to mentioned the full path of the python library and full path to where the executable file is or use [~]
The HTB example of using a [.] before the slash is misleading intentionally or unintentionally.
Whoever can help me with understanding situation in this module. I am trying run python with custom PATHPYTHON and return error from sudo? Does it change version of sudo or configuration sudo, or may my mistake? I don’t understand why in example provided in this module doesn’t work for me. Thanks.
htb-student@ubuntu:~$ sudo PYTHONPATH=/tmp/ /usr/bin/python3 /home/htb-student/mem_status.py
sudo: sorry, you are not allowed to set the following environment variables: PYTHONPATH
because htb-student doesnt have SETENV permission.
all you have to do is hijack the virtual.memory function on psutil.py in current python environtment
How to find the directory, where python looking for modules?
I checked all directories, got from python3 -c ‘import sys; print(“\n”.join(sys.path))’, they all without write permissions.