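# syntax=docker/dockerfile:1
#
# Training image for a Python bytecode-cache privilege-escalation lab.
# It deliberately ships a root-executed script (runner.py, allowed via a
# NOPASSWD sudo rule) next to a world-writable __pycache__ directory.
# Those two properties are the lab's intended weakness and are kept as-is;
# everything else follows normal Dockerfile hygiene.
FROM ubuntu:24.04

# -----------------------------
# Install dependencies
# -----------------------------
# DEBIAN_FRONTEND is a build-time setting, so it is scoped to this RUN
# instead of being baked into the runtime environment with ENV.
# apt-get (not apt) has a stable CLI for scripts; --no-install-recommends
# keeps the image small; the list cleanup happens in the same layer so the
# downloaded indexes never persist in an earlier layer.
RUN DEBIAN_FRONTEND=noninteractive apt-get update \
    && apt-get install -y --no-install-recommends \
        nano \
        python3.12 \
        sudo \
    && rm -rf /var/lib/apt/lists/*

# -----------------------------
# Create user
# -----------------------------
# The sudo rule goes into a drop-in under /etc/sudoers.d (which Ubuntu's
# default sudoers includes) and is validated with `visudo -cf`, so a typo
# fails the build instead of corrupting /etc/sudoers and silently
# disabling sudo in the finished image. 0440 is the mode sudo requires
# for drop-in files.
RUN useradd -m -s /bin/bash dollarboysushil \
    && echo "dollarboysushil ALL=(root) NOPASSWD: /opt/pycache-lab/runner.py" > /etc/sudoers.d/pycache-lab \
    && chmod 0440 /etc/sudoers.d/pycache-lab \
    && visudo -cf /etc/sudoers.d/pycache-lab

# -----------------------------
# Create vulnerable app structure
# -----------------------------
RUN mkdir -p /opt/pycache-lab/__pycache__

# -----------------------------
# Create runner.py (root-executed)
# -----------------------------
# Heredoc COPY writes the file verbatim (quoted delimiter: no variable
# expansion), which is easier to read and review than a printf chain.
# The script is invoked by its absolute path from the sudo rule above.
COPY <<'EOF' /opt/pycache-lab/runner.py
#!/usr/bin/python3.12

from helper_module import do_work

def main():
 print("[*] Running privileged Python task...")
 do_work()

if __name__ == "__main__":
 main()
EOF

# -----------------------------
# Create helper_module.py
# -----------------------------
# Imported by runner.py from the same directory; its compiled form is what
# Python caches under __pycache__.
COPY <<'EOF' /opt/pycache-lab/helper_module.py
def do_work():
 print("[+] Legitimate helper module executed")
EOF

# -----------------------------
# Permissions
# -----------------------------
# chown runs last so every file created above ends up root-owned.
# __pycache__ is intentionally world-writable (mode 777): that is the
# lab's designed weakness and must not be tightened here.
RUN chmod +x /opt/pycache-lab/runner.py \
    && chmod 777 /opt/pycache-lab/__pycache__ \
    && chown -R root:root /opt/pycache-lab

# -----------------------------
# Switch to low-priv user
# -----------------------------
# USER comes after all root-requiring steps; WORKDIR is absolute.
USER dollarboysushil
WORKDIR /home/dollarboysushil
CMD ["/bin/bash"]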