In this article, we will demonstrate another method of Escalating Privileges on Linux-based Devices by exploiting the Python Libraries and scripts.
Table of Content
·
Introduction
·
Python Script Creation
·
Method 1 [Write Permissions]
o
Vulnerability Creation
o
Exploitation
·
Method 2 [Priority Order]
o
Vulnerability Creation
o
Exploitation
·
Method 3 [PYTHONPATH
Environment Variable]
o
Vulnerability Creation
o
Exploitation
·
Conclusion
Introduction
In general, whenever an attacker is
introduced inside an environment that has python files. The options that the
attacker can use to elevate its access are limited. There are 3 methods that we
will discover in the article. Some misconfigurations include write permissions,
sudo privileges, and editing the Path Variable.
Python Script Creation
To demonstrate the action of elevating privileges
using python scripts, we created a sample script that imports some libraries.
In a real-life scenario, this can be general python scripts or projects that a
bunch of developers is working on. In a Capture the Flag Scenario, these are
easy to find and might contain a script that would be similar to this one. The
script imports the webbrowser module and then proceeds to use the open function
to run the default web browser on the device to open the hackingarticles web
page.
nano hack.py
import webbrowser
webbrowser.open(“https://hackingarticles.in”)
cat hack.py
To see how the scripts work, we run the
script and find that a web browser is opened with hackingaricles web page as
depicted below.
python3 hack.py
Method 1
This vulnerability is based on the
permissions that are applied to the Module file that our script is importing.
When the module file that is being imported has permissions that allow any user
to edit, it becomes a vulnerability. In the python script that we created; we
have the webbrowser.py module file that is called. When you have an unaltered
environment that has all the default permission, it is not an issue but in a
development environment, there tends to have some compromises of security over
minor convenience. To get a better understanding of what goes in the background,
what permissions can lead to a privilege escalation we will first create the
vulnerability in our ubuntu environment and then use Kali Linux to exploit this
vulnerability.
Vulnerability Creation
As discussed, in this method the
vulnerability is based on the permissions on the module file. To create this vulnerability,
we need to locate the module file first. We used the locate command to find it.
We see that it is located inside the /usr/lib/python3.8/. This could vary from
installation to installation. So, try and locate it in your environment. Then
we can see that the permission that is by default on the module file are read,
write, execute permissions for owner, execute and read for group and only
execute permissions for other. This means unless the user is the root, it
cannot edit the file. To create the vulnerability, we changed the permissions
so that they can be read, write, and executed by every user. This can be
verified from the image below.
locate webbrowser.py
ls -la /usr/lib/python3.8/webbrowser.py
sudo chmod 777
/usr/lib/python3.8/webbrowser.py
ls -la /usr/lib/python3.8/webbrowser.py
The next order of business to make our
machine vulnerable is to provide a way to run the python script. The easiest
way to do this is to make an entry inside the sudoers file so that the attacker
(which will have access to user pavan) will be able to execute the python
script that we created (hack.py)
nano /etc/sudoers
pavan ALL=(root) NOPASSWD:
/usr/bin/python3.8 /home/pentest/hack.py
This is a complete process that made the
machine vulnerable to Python Library Hijacking. All the configurations that are
not mentioned are to set to the default that Linux has. No other changes have
been made whatsoever. Time to pose as an attacker.
Exploitation
The exploitations will not contain a method
to gain the initial foothold on the target machine. It will contain the method
to elevate the privilege after the attacker gains the initial foothold. To stimulate
this we connect to the target machine as the user pavan. As any attacker who
requires to elevate privileges, we ran the sudo -l command to see which scripts
or binaries we can run with elevated access. We see that we can use python3.8
to run the hack.py. As an attacker, we investigate the script using the cat
command to see that it is importing a module by the name of webbrowser. We use
the locate command to find the location of the module and find that it is
located inside /usr/lib/python3.8. Next, we check for permissions for the
module and find that it is writable by a pavan user to whom we have access.
ssh pavan@192.168.1.46
sudo -l
cat /home/pentest/hack.py
locate webbrowser.py
ls -la /usr/lib/python3.8/webbrowser.py
We use the nano editor to open the module
file and added the python reverse shell script inside the function that is
called by the hack.py file. We saw earlier that it opens up a webpage in the browser.
So, it will be using an open function. Hence, we will add the reverse shellcode
as depicted below.
nano /usr/lib/python3.8/webbrowser.py
After editing the module file, we save and
close the editor. Back on the Kali Linux console, we open a Netcat listener on
the port mentioned in the reverse shell script and then come back to the shell
as the pavan user and execute the hack.py script with sudo as shown in the
image.
sudo /usr/bin/python3.8
/home/pentest/hack.py
As soon as the script is running, we see
that a session is connected to our Netcat listener. The whoami command
clarifies that the session we have is for the root user on the target machine.
We have successfully elevated privilege from the pavan user to the root user.
nc -lvp 1234
whoami
Method 2
This vulnerability is based on the priority
order of the Python Library path that is applied to the Module file that our
script is importing. When a module is imported in a script, the Python will
look for the particular module file inside the default directories in
particular priority order. In the python script that we created; we have the
webbrowser.py module file that is called. The module that is being searched
will be located in one of the default paths. Although if there exists a python
module file in the same directory as the original script, it will get priority
over the default paths. To get a better understanding of what goes in the
background, how can it lead to a privilege escalation we will first create the
vulnerability in our ubuntu environment and then use Kali Linux to exploit this
vulnerability.
Vulnerability Creation
As discussed, in this method the
vulnerability is based on the priority order of the module file execution. To
create this vulnerability, first, we need to revert the vulnerable permissions
that we created earlier. So that this machine doesn’t become vulnerable in
multiple ways. We change the permissions of the webbrowser.py.
ls -la /usr/lib/python3.8/webbrowser.py
Next, we get back to the python script that
we created earlier. We can see that it is located in the home of the pavan user
and it still contains the same code that we began with. It still imports the
webbrowser module.
ls
cat hack.py
Since we moved the script from the pentest
user home directory to the home directory of the pavan user, we need to make
the change inside the sudoers file as well so that it contains the correct path
for the script hack.py.
nano /etc/sudoers
pavan ALL=(root) NOPASSWD: /usr/bin/python3.8
/home/pavan/hack.py
This is a complete process that made the
machine vulnerable to Python Library Hijacking. All the configurations that are
not mentioned are to set to the default that Linux has. No other changes have
been made whatsoever. Time to pose as an attacker.
Exploitation
Again, the exploitation will not contain a
method to gain the initial foothold on the target machine. It will contain the
method to elevate the privilege after the attacker gains the initial foothold.
To stimulate this, we connect to the target machine as the user pavan. As any
attacker who requires to elevate privileges, we ran the sudo -l command to see
which scripts or binaries we can run with elevated access. We see that we can
use python3.8 to run the hack.py. As an attacker, we investigate the script
using the cat command to see that it is importing a module by the name of
webbrowser.
ssh pavan@192.168.1.46
sudo -l
ls
cat hack.py
Since the hack.py is located inside the
home directory of the pavan user, and we have access as the pavan user, we can
create a file inside the home directory. In this scenario, it should be noted
that we can’t edit the hack.py file. If that was the case, we would directly
edit the file and add a reverse shellcode inside but in this scenario, we will
create a webbrowser.py file. We will add the python reverse shellcode inside
the webbrowser.py file that we just created.
nano webbrowser.py
cat webbrowser.py
Next, we need to run a Netcat listener on
the port that we mentioned inside the reverse shellcode. Then we will proceed
to execute the hack.py script using the sudo.
sudo /usr/bin/python3.8
/home/pavan/hack.py
As soon as the script is running, we see
that a session is connected to our Netcat listener. The id command clarifies
that the session we have is for the root user on the target machine. We have
successfully elevated privilege from the pavan user to the root user.
nc -lvp 1234
id
Method 3
This vulnerability is based on the Python
Library that is searching through the Python PATH Environment Variable. This
variable holds a list of directories where the python searches for the
different directories for the imported modules. If an attacker can change or
modify that variable then they can use it to elevate privileges on the target
machine. To get a better understanding of what goes in the background, how can
it lead to a privilege escalation we will first create the vulnerability in our
ubuntu environment and then use Kali Linux to exploit this vulnerability.
Vulnerability Creation
As discussed, this method the vulnerability
is based on the environment path variable. To create this vulnerability, first,
we need to revert the vulnerable permissions that we created earlier. So that
this machine doesn’t become vulnerable in multiple ways. We create the hack.py
script inside the tmp directory. We can verify that the contents of the script
are the same as before.
cd /tmp
ls
cat hack.py
Next, we need to make some changes inside
the sudoers file. First, we change the location of the file to /tmp directory
then we add the SETENV tag into the file. This means that the pavan user can
use the SETENV command with sudo permissions without entering the root
password. The SETENV is the tool that can change the value for the PYTHONPATH
environment variable to include any location into the order of execution that
we learned in the previous method.
nano /etc/sudoers
pavan ALL=(root) NOPASSWD:SETENV /usr/bin/python3.8 /tmp/hack.py
This is the complete process that made the
machine vulnerable to Python Library Hijacking. All the configurations that are
not mentioned are to set to the default that Linux has. No other changes have
been made whatsoever. Time to pose as an attacker.
Exploitation
Again, the exploitation will not contain a
method to gain the initial foothold on the target machine. It will contain the
method to elevate the privilege after the attacker gains the initial foothold.
To stimulate this, we connect to the target machine as the user pavan. As any
attacker who requires to elevate privileges, we ran the sudo -l command to see
which scripts or binaries we can run with elevated access. We see that we can
use the SETENV with elevated access. This means that we can use it to alter the
priority order of the imported module. Since the hack.py is located inside the
/tmp directory, we move into it and check the hack.py script.
ssh pavan@192.168.1.46
sudo -l
cd /tmp
ls
Since it is importing the webbrowser
module, we first will create a malicious module file with the name of
webbrowser.py, and then using the ability to change the Environment Variable
PYTHONPATH we will make an entry to include our malicious module file. The
malicious module file contains the reverse shellcode. We start a Netcat listener
on the same port as mentioned in the script and proceed to add the /tmp
directory into the Python Path and then execute the hack.py file to elevate our
access.
cat hack.py
nano webbrowser.py
cat webbrowser.py
sudo PYTHONPATH=/tmp/
/usr/bin/python3.8 /tmp/hack.py
As soon as the script is running, we see
that a session is connected to our Netcat listener. The whoami command
clarifies that the session we have is for the root user on the target machine.
We have successfully elevated privilege from the pavan user to the root user.
nc -lvp 1234
id
Conclusion
In this article, we were able to set up
three real-life scenarios for the environment for the Python Libraries and then
introduced some misconfigurations that can lead to an attacker elevating their
access to the root level. The development environment is one of the most targeted
environments because in those the ease of performing tasks is given priority
over the security of the environment. This article proves that single
misconfigured settings can result in devastating results.
0 comments:
Post a Comment