reporter.py
I found an interesting file after making a lateral movement to the friend user:
friend@friendzone:/opt$ ll
total 12
drwxr-xr-x 3 root root 4096 sep 13 17:53 ./
drwxr-xr-x 22 root root 4096 sep 13 17:53 ../
drwxr-xr-x 2 root root 4096 sep 13 17:53 server_admin/
friend@friendzone:/opt$ cd server_admin ; ll
total 12
drwxr-xr-x 2 root root 4096 sep 13 17:53 ./
drwxr-xr-x 3 root root 4096 sep 13 17:53 ../
-rwxr--r-- 1 root root 424 Jan 16 2019 reporter.py*
It's a Python script owned by the root user, and I am only able to read it.
This is also the Python script that the root cron job executes periodically:
friend@friendzone:/opt/server_admin$ cat reporter.py
#!/usr/bin/python
import os
to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
#os.system(command)
# I need to edit the script later
# Sam ~ python developer
It appears to be a half-finished auto mailer. It runs under /usr/bin/python and imports the os module.
friend@friendzone:/opt/server_admin$ /usr/bin/python -V
Python 2.7.15rc1
/usr/bin/python is Python 2.7.15rc1.
The most important thing here is that the script above imports the os module.
On this host, the os module used by Python 2.7 turns out to be writable by ANYONE.
Checking the path and permissions:
friend@FriendZone:/opt/server_admin$ /usr/bin/python -c "import os; print(os.__file__)"
/usr/lib/python2.7/os.pyc
With the command above I can pinpoint the exact location of the os module that /usr/bin/python loads.
In this case the os module is located at /usr/lib/python2.7/os.pyc.
Checking further, I see two files named os:
friend@FriendZone:/opt/server_admin$ ll /usr/lib/python2.7/os.py*
-rwxrwxrwx 1 root root 25910 Jan 15 2019 /usr/lib/python2.7/os.py*
-rw-rw-r-- 1 friend friend 25583 Jan 15 2019 /usr/lib/python2.7/os.pyc
/usr/lib/python2.7/os.pyc is owned by the current user, friend.
/usr/lib/python2.7/os.py is owned by the root user but world-writable.
The difference between os.py and os.pyc: os.py is the source file for the os module, and os.pyc is the compiled bytecode version of that file.
When a Python 2 program imports the os module, the interpreter walks the directories listed in sys.path looking for it. If it finds an os.pyc whose magic number and recorded source timestamp match the os.py beside it, the bytecode is loaded and executed directly, as it is already in a form the interpreter understands. If os.pyc does not exist or is stale (its recorded timestamp no longer matches os.py), the interpreter falls back to loading the os.py source, compiles it to bytecode and, if it has write access, saves the result as os.pyc for future use. This does not alter how the module behaves when imported and run; the import just takes slightly longer.
This means that I can get code execution by altering the os.pyc file (renaming or deleting it) and overwriting the os.py file to my liking, so the Python script above will import from the source file, os.py:
friend@FriendZone:/opt/server_admin$ ll /usr/lib/python2.7/
total 8304
drwxrwxrwx 27 root root 16384 Sep 13 17:53 ./
Funny thing is that the whole /usr/lib/python2.7 directory is world-writable as well, so the friend user can write anything into it.
This will be my ticket to root: Python module hijacking, since I have write permission on the parent directory and own the module itself.
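As an added example (not part of the original writeup, and not code from the box), here is a small Python 3 audit that looks for exactly the conditions this box exhibits: import-path directories or .py/.pyc files that are group- or world-writable, or owned by a uid other than root. The function names and the constructed fixture in demo_findings() are my own.

```python
# Added audit example, not from the original writeup: flag import-path
# entries an unprivileged user could tamper with (module hijacking).
import os
import shutil
import stat
import sys
import tempfile

def audit_path_entry(directory, trusted_uids=(0,)):
    """(path, reason) findings for one sys.path directory: the directory
    itself and every *.py / *.pyc in it that is group/world-writable or
    owned by a uid outside trusted_uids (normally only root)."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    candidates = [directory] + [
        os.path.join(directory, name)
        for name in sorted(os.listdir(directory))
        if name.endswith((".py", ".pyc"))
    ]
    for path in candidates:
        st = os.lstat(path)
        if st.st_uid not in trusted_uids:
            findings.append((path, "owned by uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = oct(stat.S_IMODE(st.st_mode))
            findings.append((path, "group/world writable (%s)" % mode))
    return findings

def audit_interpreter_path(trusted_uids=(0,)):
    """Audit every directory on this interpreter's own sys.path."""
    return [f for entry in sys.path if entry
            for f in audit_path_entry(entry, trusted_uids)]

def demo_findings():
    """Constructed fixture mirroring the box: a world-writable import
    directory holding a 777 os.py and a group-writable os.pyc. Ownership
    is trusted here, so only the permission findings come back."""
    tmp = tempfile.mkdtemp()
    try:
        for name, mode in (("ok.py", 0o644), ("os.py", 0o777), ("os.pyc", 0o664)):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("# constructed sample\n")
            os.chmod(os.path.join(tmp, name), mode)
        os.chmod(tmp, 0o777)
        return [(os.path.relpath(p, tmp), r)
                for p, r in audit_path_entry(tmp, trusted_uids=(os.getuid(),))]
    finally:
        shutil.rmtree(tmp)
```

To audit the interpreter the cron job actually uses rather than the one running the audit, feed that interpreter's sys.path entries (from `/usr/bin/python -c "import sys; print(sys.path)"`) to audit_path_entry one by one.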