{"id":129912,"date":"2022-11-20T11:10:59","date_gmt":"2022-11-20T11:10:59","guid":{"rendered":"https:\/\/blog.finxter.com\/?p=908596"},"modified":"2022-11-20T11:10:59","modified_gmt":"2022-11-20T11:10:59","slug":"python-library-hijacking-a-simple-demonstration-on-numpy","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2022\/11\/20\/python-library-hijacking-a-simple-demonstration-on-numpy\/","title":{"rendered":"Python Library Hijacking \u2013 A Simple Demonstration on NumPy"},"content":{"rendered":"\n
\n
\n
\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n<\/p><\/div>\n
\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n
5\/5 – (1 vote) <\/div>\n<\/div>\n

In this blog post, I\u2019ll show you how recreated a Python library hijacking vulnerability <\/strong>on my home network. <\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

The Wonderland box on TryHackMe<\/a> was the inspiration for exploring this kind of vulnerability.<\/p>\n

In my previous Wonderland walkthrough blog post<\/a>, I highlighted an example of exploiting the \u2018random<\/a><\/code>\u2019 module to switch users without knowing their password. <\/p>\n

In this post, I\u2019ll guide you through the setup and execution of the exploit. You can also watch the accompanying video tutorial here:<\/p>\n

\"YouTube<\/a>
<\/figcaption><\/figure>\n

What is Python Library Hijacking?<\/h2>\n
\n
\"\"<\/figure>\n<\/div>\n

When a user has permission to run a file as another user it is possible to create a spoof file<\/strong> that Python will load instead of the originally intended module or library. The necessary conditions for Python library hijacking are:<\/p>\n

    \n
  1. The user must have sudo permissions to run a Python file .py<\/code> as another user<\/li>\n
  2. The Python path must be set to look first in the folder where the spoof file is stored\u00a0<\/li>\n<\/ol>\n

    Setup<\/h2>\n
    \n
    \"\"<\/figure>\n<\/div>\n

    In order to re-create this vulnerability, I had to learn how to set up the above conditions for the exploit. <\/p>\n

    On my home network, I have a Raspberry Pi<\/a> 3b running DietPi operating system. Originally I set this up to run Pi-hole to filter ads out from my home network. <\/p>\n

    In order to set up the permissions to run a file as another user I edited the sudoers file with visudo<\/code>. <\/p>\n

    Visudo<\/a> is a special editor specifically for editing the sudoers file. It only allows one user to edit the file at a time, and also checks user edits for correct syntax. I created a file called \u2018checkmypermissions.py<\/code>\u2019 and granted sudo permissions to vulnerableuser<\/code> to run it as user ben.\u00a0<\/p>\n

    \n
    \"\"<\/figure>\n<\/div>\n

    To do this I used the command \u2018sudo visudo<\/code>\u2019 to edit sudoers file, and then I added the second line for vulnerable user:<\/p>\n

    # User privilege specification\nroot ALL=(ALL:ALL) ALL\nvulnerableuser ALL=(ben:1001) \/usr\/bin\/python3 \/home\/vulnerableuser\/checkmypermissions.py<\/pre>\n
    The nice thing about visudo<\/code> is that it checks your formatting to make sure that there are not any errors, and it will even suggest changes to help you format the permissions correctly. <\/p>\n
    This functionality helped me save time getting the correct spacing and punctuation on the new sudoers line.<\/p>\n
    Running the Exploit<\/h2>\n
    \n
    \"\"<\/figure>\n<\/div>\n
    Once the permissions were set up I ssh\u2019d into vulnerableuser@<raspberry pi IP><\/code>. Running the \u2018sudo -l<\/code>\u2019 command showed me the granular sudo permissions.<\/p>\n
    \n
    \"\"<\/figure>\n<\/div>\n
    The line above (ben : 1001) \/usr\/bin\/python3 \/home\/vulnerableuser\/checkmypermissions.py<\/code> shows that as vulnerableuser<\/code> I can execute the checkmypermissions.py<\/code> file as the user Ben<\/em>.\u00a0\u00a0<\/p>\n
    All that is left to do is to check the Python PATH to make sure that it checks first in the current directory, and then create a python file named numpy.py<\/code> with code to spawn a shell. One way to check the Python PATH is:<\/p>\n
    Python<\/strong><\/p>\n
    import sys\nsys.path<\/pre>\n
    In the example below, we can see that the python PATH is already set to search in the current working directory (''<\/code>).\u00a0<\/p>\n
    \n
    \"\"<\/figure>\n<\/div>\n
    Next we create the numpy.py<\/code> file to spawn a shell<\/a>.<\/p>\n
    nano numpy.py<\/strong><\/code><\/p>\n
    import os\nos.system(\"\/bin\/bash\")\n<\/pre>\n
    It is important to first set up execute permissions on the spoofed numpy.py<\/code> file:<\/p>\n
    chmod +x numpy.py<\/pre>\n
    Now we can carry out the python library hijack and spawn a shell as user ben without knowing their password by running the following command:<\/p>\n
    sudo -u ben \/usr\/bin\/python3 \/home\/vulnerableuser\/checkmypermissions.py\u00a0\u00a0<\/pre>\n
    Project Learnings<\/h2>\n
    \n
    \"\"<\/figure>\n<\/div>\n
    Learning #1<\/h3>\n
    I learned that Visudo is a special editor within Linux<\/strong> to change the sudoers file \/etc\/sudoers<\/code>. <\/p>\n
    It helps check formatting to avoid any errors or crashes from poorly written lines. The sudoers file allows the root user to granularize user permissions with the sudoers file on Linux.<\/p>\n
    Learning #2<\/h3>\n
    Granting run as another user file permissions can expose a machine to library hijacking vulnerabilities. <\/p>\n
    Running sudo -l<\/code> can help expose special user file permissions when enumerating for attack vectors to execute privilege escalation.<\/p>\n
    Learning #3<\/h3>\n
    I found that it is helpful to compile a custom shortlist of Python and bash commands new to me for each project. I borrowed this strategy from my experience with language learning. <\/p>\n
    Over the years, I\u2019ve improved my Mandarin by taking notes on new vocabulary words and grammar patterns. When working on a new topic area I would always create my own custom grammar and vocabulary lists for reference. <\/p>\n
    I\u2019ve found that the simple act of focusing on recording a list helps to cement my learning and creates a nice reference for later use.<\/p>\n","protected":false},"excerpt":{"rendered":"
    5\/5 – (1 vote) In this blog post, I\u2019ll show you how recreated a Python library hijacking vulnerability on my home network. The Wonderland box on TryHackMe was the inspiration for exploring this kind of vulnerability. In my previous Wonderland walkthrough blog post, I highlighted an example of exploiting the \u2018random\u2019 module to switch users […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[857],"tags":[73,468,528],"class_list":["post-129912","post","type-post","status-publish","format-standard","hentry","category-python-tut","tag-programming","tag-python","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/129912","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=129912"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/129912\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=129912"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=129912"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=129912"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}