Hello, and welcome to this course, in which we're talking about using Python for privilege escalation. In this video, we're going to be talking about Python library injection. Python library injection is an example of search order hijacking. When you import a particular library in Python, or run a particular executable on Windows or Linux, you don't always have to specify the full path to that library or executable. Windows and Linux use the PATH variable to list the directories they will search for a program; Python uses its own module search path, sys.path (which the PYTHONPATH variable can extend), to list the directories it will search for a library. That order of operations can be hijacked: if you have a library or executable at a location higher on that search list than the legitimate one, then when someone attempts to use that library or executable, they're going to get your version instead of the one they were looking for. So in this video we're going to talk about Python library injection and demonstrate how, if you can place a file at the right location, you can use it to hijack Python execution. We're going to start out by looking at a file called safelibrary.py. This is the module we're planning on hijacking in this video. We could just as easily name it after some Python package that is actually in use, something like scapy, and if we hijack the search order that Python uses, our code runs instead of the legitimate version. The file is a reverse shell written in Python. It's a common example; you can find a one-liner for it in many places on the internet. We're going to talk through this code and then demonstrate how it works. Up here at the top we've got a few import statements of our own: we're importing socket, subprocess and os. We then open a socket using the socket library.
Once we have this socket, on this line we connect it to the localhost IP address, 127.0.0.1, on port 1337. This opens a connection to a particular IP address on a particular port. We're using localhost in this instance, but of course you can use any IP address and any port. The next three lines duplicate the socket's file descriptor over standard input, standard output and standard error, so that all three go to the socket rather than to the terminal where the Python program importing this library is running. Finally, once we've created the socket, made our connection and redirected standard input, output and error, we use subprocess.call to launch an interactive shell. Because that shell inherits the redirected standard streams, everything it reads and writes goes over the socket, and we'll be able to drive it from the other system. Our other system in this example is going to be the other terminal window on the same machine. In this case we're using ncat to set up a server that listens for the connection. We use nc with the -l option for listen, then provide the IP address and port we want to listen on: again localhost, 127.0.0.1, and port 1337. If I hit Enter here, nothing visibly happens, because this is the server side of our connection; only when it receives a connection request does something occur. Exiting out of this program, if we type ls we see the contents of this particular folder. We have the original Python file, we have a compiled version of that Python file (the .pyc bytecode Python caches when a module is imported), and then we have our vulnerable Python script, called library_injection.py. If we open up library_injection.py, we see that it's a relatively simple program, designed just to demonstrate this potential hijacking. Up here at the top we have our vulnerable statement, import safelibrary. We're obviously using a library name that isn't defined elsewhere on the system.
However, we can just as easily shadow something that does exist on the system. The reason is that when Python searches for a module to import, the first entry on its search path is the directory containing the script being run (for python script.py that is the script's folder, not necessarily the current working directory, although the two are often the same), and that entry is searched before the standard library and site-packages. In this case, since library_injection.py and safelibrary.py are in the same folder, our safelibrary.py is the version imported on the first line of library_injection.py. Importing it executes its top-level code, which, as we saw, sets up a reverse shell on the system. We then have an innocuous statement down here, a print of Hello World, which doesn't use anything from safelibrary at all. If we were imitating a legitimate library, we'd want to duplicate some of its functionality. Say safelibrary were scapy: in addition to providing the packet reading and writing that the real scapy would, it could also try to strip user credentials out of the network traffic and send them to an attacker-controlled server. That's an example of using library injection for a malicious purpose. In our case all we're going to do is print Hello World after importing safelibrary. So if we close this and run it with python library_injection.py and hit Enter, if you're watching the right side of the screen, something just changed: our ncat listener went from having nothing on its bottom line to a $ sign, and that $ sign is a shell prompt. If you look up here, right now we're in the home directory on the real system we're on, and if I type pwd in the listener, we get /home/ubuntu etc., which as we see is the same directory over here. So we are running a shell on the system that just ran library_injection.py, and we could take any action we wanted on that system with the permissions that shell has. This is just one option for search order hijacking.
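To make the search order concrete, here is an added example (my own code, not a file from the video) showing which safelibrary.py Python picks when two copies exist. It builds a temporary layout with a scripts directory standing in for the victim script's folder (sys.path[0]) and a site-packages directory standing in for where the legitimate copy lives; the planted copy runs code at import time like the reverse shell does, but its payload is only a marker file. The directory and module names are assumptions for the demonstration.

```python
"""Added example (not from the video): which safelibrary.py does
`import safelibrary` actually load?

Constructed layout in a temp dir: `scripts/` plays the role of the folder
the victim script lives in (that directory becomes sys.path[0] when you run
`python script.py`) and `site-packages/` plays the role of where the
legitimate copy is installed. Both hold a module called `safelibrary`.
"""
import importlib
import importlib.machinery
import os
import sys
import tempfile

MODULE = "safelibrary"

LEGIT_SRC = "VERSION = 'legit'\n"

# Top-level statements run the moment the module is imported; the victim
# script never has to call anything from it. Payload here: a marker file.
PLANTED_SRC = (
    "import os\n"
    "VERSION = 'planted'\n"
    "with open(os.path.join(os.path.dirname(__file__), 'ran.marker'), 'w') as f:\n"
    "    f.write('top-level code executed at import time')\n"
)


def build_layout():
    """Create scripts/ and site-packages/ with one safelibrary.py each."""
    root = tempfile.mkdtemp(prefix="pylibinj-")
    script_dir = os.path.join(root, "scripts")
    site_dir = os.path.join(root, "site-packages")
    os.makedirs(script_dir)
    os.makedirs(site_dir)
    with open(os.path.join(site_dir, MODULE + ".py"), "w") as f:
        f.write(LEGIT_SRC)
    with open(os.path.join(script_dir, MODULE + ".py"), "w") as f:
        f.write(PLANTED_SRC)
    importlib.invalidate_caches()
    return script_dir, site_dir


def resolve(name, search_path):
    """Return the file the import system would load for `name` when walking
    `search_path` (a sys.path-style list), without executing it."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return None if spec is None else spec.origin


def import_with_path(name, search_path):
    """Really import `name` using only `search_path`; any cached copy is
    evicted before and after so repeated calls are honest."""
    sys.modules.pop(name, None)
    saved = sys.path[:]
    sys.path[:] = search_path
    try:
        return importlib.import_module(name)
    finally:
        sys.path[:] = saved
        sys.modules.pop(name, None)


def demo():
    script_dir, site_dir = build_layout()
    default_path = [script_dir, site_dir]  # what `python scripts/x.py` sees
    safe_path = [site_dir]                 # `python -P x.py` / PYTHONSAFEPATH=1
    mod = import_with_path(MODULE, default_path)
    return {
        "script_dir": script_dir,
        "site_dir": site_dir,
        "default_origin_dir": os.path.dirname(resolve(MODULE, default_path)),
        "safe_origin_dir": os.path.dirname(resolve(MODULE, safe_path)),
        "imported_version": mod.VERSION,
        "payload_ran_on_import": os.path.exists(
            os.path.join(script_dir, "ran.marker")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The safe_path case is what Python 3.11 and later give you with the -P option or PYTHONSAFEPATH=1: the script's directory is no longer prepended to sys.path, so a module dropped beside the script no longer wins over the installed copy. It does not protect a directory that is on PYTHONPATH or a writable site-packages, so the permissions on every entry of sys.path still matter.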
On a Windows system you could do something like this, though I warn you that you'll have to change the reverse shell, because some of the calls we use here don't work there; there are examples online. If you don't want to use Python library injection, you could put a fake executable higher on the PATH than the real one, or use DLL search order hijacking (often just called DLL hijacking, which is a different thing from injecting a DLL into a running process) against executables that run with higher permissions and load a particular DLL by name rather than by full path. If you look online for DLL hijacking there are a variety of resources, and some list which Windows programs are potentially vulnerable to it. We're discussing this in our privilege escalation section because this can easily allow you to gain a higher level of privileges, or access to a different account on the system. When this Python code runs, it runs with the permissions of whichever user account runs it. If that account, say a service, a scheduled task or a root cron job, has a higher level of access than we had when we performed our library injection and dropped our malicious module into the same folder as the script, then the reverse shell comes back with that higher level of access. All we needed was write access to a directory that Python searches ahead of the legitimate module: typically the script's own directory, or a directory on PYTHONPATH. Again, this is just one example of search order hijacking; there are a variety of others, and I recommend checking out the Hijack Execution Flow technique in the MITRE ATT&CK framework to learn how to adapt this attack vector to other types of search order hijacking. Thank you.
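The condition just described (a script directory that a less privileged user can write to, searched ahead of the real module) is something you can check for before it is exploited. The following is an added example of such an audit, my own code and not part of the course: it parses a script's imports, resolves each one the way the interpreter would with the script's directory at the front of the search path, and reports whether a name already resolves inside the script's directory and whether that directory is writable by users other than its owner. The fixture files victim.py and safelibrary.py, and the directory modes, are constructed for the demonstration.

```python
"""Added example (not from the video): an audit for the hijack described
above.

For a given script, list the module names it imports, work out where each
would be loaded from when the script's own directory sits in front of the
search path (what `python script.py` does), and report the two conditions
that make the planted-module trick work: a name that resolves inside the
script's directory, and a script directory writable by users other than
its owner. Constructed fixture: a temp dir holding victim.py (imports json
and safelibrary) with a safelibrary.py beside it.
"""
import ast
import importlib
import importlib.machinery
import os
import stat
import sys
import tempfile

VICTIM_SRC = "import json\nimport safelibrary\nprint('Hello World')\n"
PLANTED_SRC = "VERSION = 'planted'\n"


def build_fixture(dir_mode=0o777):
    """victim.py plus a shadowing safelibrary.py; the directory is
    world-writable by default, i.e. the bad case."""
    root = tempfile.mkdtemp(prefix="pylibinj-audit-")
    with open(os.path.join(root, "victim.py"), "w") as f:
        f.write(VICTIM_SRC)
    with open(os.path.join(root, "safelibrary.py"), "w") as f:
        f.write(PLANTED_SRC)
    os.chmod(root, dir_mode)
    importlib.invalidate_caches()
    return os.path.join(root, "victim.py")


def imported_names(script_path):
    """First dotted component of every absolute import in the script."""
    with open(script_path) as f:
        tree = ast.parse(f.read(), script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return sorted(names)


def writable_by_others(path):
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def resolve_like_import(name, search_path):
    """Mimic the import system's order: built-in, then frozen, then the
    path-based finder over `search_path`. Returns (origin, via_path)."""
    if name in sys.builtin_module_names:
        return "built-in", False
    if importlib.machinery.FrozenImporter.find_spec(name) is not None:
        return "frozen", False
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None:
        return None, False
    return spec.origin, True


def audit_script(script_path):
    script_dir = os.path.dirname(os.path.abspath(script_path))
    # Mirror `python script.py`: script dir first, then the interpreter's path.
    search_path = [script_dir] + [p for p in sys.path if p and p != script_dir]
    dir_writable = writable_by_others(script_dir)
    modules = {}
    for name in imported_names(script_path):
        origin, via_path = resolve_like_import(name, search_path)
        in_script_dir = (via_path and origin is not None and
                         os.path.dirname(os.path.abspath(origin)) == script_dir)
        # A copy further down the path is what a planted module would shadow.
        other = (importlib.machinery.PathFinder.find_spec(name, search_path[1:])
                 if in_script_dir else None)
        modules[name] = {
            "origin": origin,
            "resolves_in_script_dir": bool(in_script_dir),
            "shadows_copy_elsewhere": other is not None,
            # Any path-found module can be replaced by dropping a file here;
            # built-in and frozen modules are resolved before sys.path is consulted.
            "exposed_to_planting": bool(via_path and dir_writable),
        }
    return {"script_dir": script_dir,
            "script_dir_writable_by_others": dir_writable,
            "modules": modules}


if __name__ == "__main__":
    import json
    print(json.dumps(audit_script(build_fixture()), indent=2))
```

Two findings matter in the report: a module that already resolves in the script's directory while a copy exists further down the path is a shadow that deserves a look, and a script directory writable by others exposes every path-found import to planting, not only the ones that currently resolve there. Fixing the second condition (owner-only write on the script's directory and on every directory in sys.path) removes the precondition the attack in this video relies on.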