LOTP
python
python is used to execute Python programs.
Environment variable poisoning
By default, python doesn’t load any configuration files in the current directory. However, if we’re able to poison multiple environment variables, we can gain code execution before any python/pip invocation through the $PYTHONWARNINGS environment variable.
This environment variable, while usually intended to control Python warnings, lets us load a Python module by name through the category field of a warning filter. We can use this to load the antigravity module, which is an easter egg that opens an xkcd comic in your favorite browser.

To open the comic in a web browser, antigravity relies on the webbrowser module, which in turn uses the $BROWSER environment variable (if configured) to choose an executable with which to open the comic URL.
From there, the chain can be adapted depending on the available utilities, but here is a functional example with bash:
PYTHONWARNINGS="::antigravity.::"
BROWSER="/bin/bash"
BASH_ENV="$(f=$(mktemp);echo pwned; echo exit>$f; echo $f)"
While $(echo pwned) would’ve been sufficient as an assignment to $BASH_ENV, the additional commands ensure that the invocation of /bin/bash returns a successful status code, which prevents the opening of an additional browser.
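To check a job environment for this chain before it reaches a python or pip invocation, here is an added example (not part of the original page). It parses $PYTHONWARNINGS the way the warnings module does and also flags $BROWSER and $BASH_ENV; the function names, the allowed_modules parameter and the sample environments are assumptions made for illustration.

```python
# Added example: flag the environment-variable chain described above.
# CHAIN_VARS, the function names and the sample data are this example's own.
CHAIN_VARS = ("BROWSER", "BASH_ENV")


def imported_modules(pythonwarnings):
    """Modules that a PYTHONWARNINGS value makes the interpreter import.

    Mirrors the warnings module's parsing: comma-separated filters, each
    action:message:category:module:line (at most 5 fields). A category
    containing a dot is split at the last dot and the left part is imported.
    """
    modules = []
    for spec in pythonwarnings.split(","):
        fields = [f.strip() for f in spec.split(":")]
        if len(fields) < 3 or len(fields) > 5:
            continue  # no category field, or rejected by Python as malformed
        module, dot, _ = fields[2].rpartition(".")
        if dot and module:
            modules.append(module)
    return modules


def audit_env(env, allowed_modules=()):
    """Return findings for variables that steer python/bash child processes."""
    findings = []
    for module in imported_modules(env.get("PYTHONWARNINGS", "")):
        if module not in allowed_modules:
            findings.append(f"PYTHONWARNINGS imports module {module!r}")
    for name in CHAIN_VARS:
        if name in env:
            findings.append(f"{name} is set to {env[name]!r}")
    return findings


def scrubbed(env, allowed_modules=()):
    """Copy of env without the chain's variables and unexpected imports."""
    clean = {k: v for k, v in env.items() if k not in CHAIN_VARS}
    mods = imported_modules(clean.get("PYTHONWARNINGS", ""))
    if any(m not in allowed_modules for m in mods):
        del clean["PYTHONWARNINGS"]
    return clean


# Constructed sample environments: the page's values, and a benign filter.
SAMPLE_ENV = {"PATH": "/usr/bin:/bin", "PYTHONWARNINGS": "::antigravity.::",
              "BROWSER": "/bin/bash", "BASH_ENV": "$(echo pwned)"}
BENIGN_ENV = {"PYTHONWARNINGS":
              "ignore::DeprecationWarning,error::urllib3.exceptions.InsecureRequestWarning"}
```

A dotted category is also how legitimate filters name third-party warning classes, so pass the modules a project really uses in allowed_modules rather than treating every hit as malicious.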