# Python Library Hijacking

## **Scenario 1: Incorrect Write Permissions**

* A Python script with **SUID/SGID** privileges imports a vulnerable library.
* The script can execute as a privileged user (e.g., root).
* The imported library file has **global write permissions** (`rw` for all users).

**Exploitation**:

* Modify the library by adding malicious code (e.g., reverse shell).
* Execute the script to trigger the payload.

1. Check if the script has **SUID/SGID** set and executes as a privileged user: Look for `rws` (SUID) or `rwx` with root ownership.

   ```bash
   ls -l <script_name>
   ```
2. Check if the imported library has **global write permissions**: Look for `rw` for all users (`rw-r--rw-`).

   ```bash
   ls -l /usr/local/lib/python3.X/dist-packages/<module_name>
   ```

***

## **Scenario 2: Library Path Misconfiguration**

* Python loads libraries based on a **priority order** defined in its `sys.path`.

**Conditions**:

* The imported library resides in a **lower-priority path**.
* A **higher-priority path** is writable by your user.

**Exploitation**:

* Create a malicious library file in the writable, higher-priority path.
* Python will load the malicious version before the original library.

1. View the **search order** of Python libraries:

   ```bash
   python3 -c 'import sys; print("\n".join(sys.path))'
   ```
2. Identify if any **higher-priority paths** are writable: Look for `drwxr-xrwx` permissions.

   ```bash
   ls -la <path>
   ```
3. Verify the installation location of the target library: Ensure the original library is in a **lower-priority path**.

   ```bash
   pip3 show <module_name>
   ```

## **Scenario 3: PYTHONPATH Environment Variable**

* `PYTHONPATH` specifies directories Python searches for modules.
* You have **sudo permissions** to execute Python with `SETENV` enabled.
* You can set `PYTHONPATH` to a directory you control.

**Exploitation**:

* Create a fake library file with the same name and function.
* Set `PYTHONPATH` to point to the directory containing your malicious module.

1. Check if you have permissions to set environment variables with `sudo`: Look for `SETENV` permission for the Python binary.

   ```bash
   sudo -l
   ```
2. Confirm you can create a library in a **controlled directory**.
3. Test setting `PYTHONPATH` to redirect the module search:

   ```bash
   sudo PYTHONPATH=/tmp/ /usr/bin/python3 <script_name>
   ```

**General Checklist for Python Library Hijacking**

1. Verify the script has **SUID/SGID privileges** or runs as root.
2. Identify the libraries imported in the script.
3. Check for **global write permissions** on the imported libraries.
4. Inspect the **Python search path** (`sys.path`) for writable directories.
5. Confirm if you can set `PYTHONPATH` using `sudo` and `SETENV`.
6. Create a **malicious library file** with:
   * The **same name** as the imported library.
   * A function matching the original library's function signature.
7. Test the exploitation by running the script.
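
Checklist items 3 and 4 can be audited in one pass on a host you are assessing or hardening. The script below is an added example, not part of the original page; `audit_import` and `world_writable` are hypothetical names. It walks the search path in the same priority order the import system uses and reports world-writable directories at or ahead of the module's location (Scenario 2) and a world-writable module file (Scenario 1).

```python
import os
import stat
import sys
from importlib.machinery import PathFinder


def world_writable(path):
    """True when the 'other' write bit is set on path; missing paths are not flagged."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def audit_import(module_name, search_path=None):
    """Walk search_path in priority order and return (origin, findings).

    Covers path-based modules only: built-in and frozen modules are
    resolved before sys.path is consulted, so they return (None, ...).
    """
    findings = []
    for entry in (sys.path if search_path is None else search_path):
        directory = os.path.abspath(entry or os.getcwd())  # '' means the current directory
        if world_writable(directory):
            # Scenario 2: any user can place a same-named module here and win the lookup.
            findings.append(("writable-dir", directory))
        spec = PathFinder.find_spec(module_name, [directory])
        if spec is not None and spec.origin:
            if world_writable(spec.origin):
                # Scenario 1: the file that actually gets imported is editable by any user.
                findings.append(("writable-file", spec.origin))
            return spec.origin, findings
    return None, findings


if __name__ == "__main__":
    # Usage: python3 audit_import.py <module_name> [<module_name> ...]
    for name in sys.argv[1:]:
        origin, findings = audit_import(name)
        print(f"{name}: loaded from {origin}")
        for kind, path in findings:
            print(f"  [{kind}] {path}")
```

Run it with the same interpreter and from the same working directory as the privileged script, since both affect `sys.path`. The fix for any finding is to remove the write bit for group and other (`chmod go-w <path>`) and keep the path root-owned.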
