mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 20:13:37 +00:00
88 lines
3.9 KiB
Markdown
88 lines
3.9 KiB
Markdown
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
{% endhint %}
|
||
|
{% endhint %}
|
||
|
{% endhint %}
|
||
|
{% endhint %}
|
||
|
{% endhint %}
|
||
|
{% endhint %}
|
||
|
{% endhint %}
|
||
|
{% endhint %}
|
||
|
{% endhint %}
|
||
|
{% endhint %}
|
||
|
{% endhint %}
|
||
|
{% endhint %}
|
||
|
{% endhint %}
|
||
|
{% endhint %}
|
||
|
|
||
|
Mais exemplos sobre yum também podem ser encontrados em [gtfobins](https://gtfobins.github.io/gtfobins/yum/).
|
||
|
|
||
|
# Executando comandos arbitrários via Pacotes RPM
|
||
|
## Verificando o Ambiente
|
||
|
Para aproveitar este vetor, o usuário deve ser capaz de executar comandos yum como um usuário com privilégios mais altos, ou seja, root.
|
||
|
|
||
|
### Um exemplo funcional deste vetor
|
||
|
Um exemplo funcional deste exploit pode ser encontrado na sala [daily bugle](https://tryhackme.com/room/dailybugle) no [tryhackme](https://tryhackme.com).
|
||
|
|
||
|
## Empacotando um RPM
|
||
|
Na seção a seguir, abordarei como empacotar um shell reverso em um RPM usando [fpm](https://github.com/jordansissel/fpm).
|
||
|
|
||
|
O exemplo abaixo cria um pacote que inclui um gatilho antes da instalação com um script arbitrário que pode ser definido pelo atacante. Quando instalado, este pacote executará o comando arbitrário. Usei um exemplo simples de shell reverso com netcat para demonstração, mas isso pode ser alterado conforme necessário.
|
||
|
```text
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
</details>
|
||
|
{% endhint %}hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
{% endhint %}
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
</details>
|
||
|
{% endhint %}
|