Privilege Escalation: Library Hijacking

 

Exploit cron jobs running a Python script

---------------------------------------------------------------------------------------

 

Python script:


 

Since the script imports the calendar library, we will use the file /usr/lib/python2.7/calendar.py (easily found in the Python documentation).


 

Add a reverse shell payload to the end of that file:


Source: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

 

Wait for the cron job to run the script:

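The steps above only work when the imported module's file, or the directory holding it, can be modified by someone other than its owner. As an added example (not from the original post), this audit parses a script's imports, resolves them to files and reports loose write permissions. It assumes Python 3 and the interpreter the cron job uses; for another interpreter, pass its module paths (such as the calendar.py path above) to `audit_paths` directly.

```python
import ast
import importlib.util
import os
import stat

def imported_modules(source):
    """Top-level module names imported by the given Python source text."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)

def loose_permissions(path):
    """Reasons why someone other than the owner could modify `path`."""
    mode = os.stat(path).st_mode
    checks = ((stat.S_IWOTH, "world-writable"), (stat.S_IWGRP, "group-writable"))
    return [label for bit, label in checks if mode & bit]

def audit_paths(paths):
    """Map each module file (and its directory) to its permission problems."""
    findings = {}
    for path in paths:
        for target in (path, os.path.dirname(path)):
            reasons = loose_permissions(target)
            if reasons:
                findings[target] = reasons
    return findings

def audit_script(source):
    """Resolve a script's imports with this interpreter and audit the files."""
    paths = []
    for name in imported_modules(source):
        try:
            spec = importlib.util.find_spec(name)
        except (ImportError, ValueError):
            continue
        if spec and spec.origin and os.path.isfile(spec.origin):
            paths.append(spec.origin)
    return audit_paths(paths)

if __name__ == "__main__":
    # Constructed sample standing in for the cron-run script on the page.
    print(audit_script("import calendar\nprint(calendar.day_name[0])\n"))
```

An empty result means no resolved module file or directory is group- or world-writable; ownership by an unexpected user is not checked here.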

---------------------------------------------------------------------------------------

 

Stricter imports:


Through globals() we can find what is imported:

 'day_name': <calendar._localized_day instance at 0x...>

---------------------------------------------------------------------------------------

 

Pivoting through different imports:
