Privilege Escalation: How to build RPM payloads in Kali Linux

From time to time, you may come across a system that enables you to run yum or dnf as an elevated user. This scenario is quite enticing for penetration testers because it is a potential privilege escalation vector. But, what happens if we don’t have permissions to create RPM packages on the victim machine and we don’t have a CentOS or RedHat system easily available to us? The solution to this problem is to create an RPM package on our Kali Linux attacking machine and move it over to the victim machine.

Prerequisites

Kali Linux does not allow us to natively build RPM packages. In order to overcome this obstacle, we need to download fpm. You can get that here: https://github.com/jordansissel/fpm.

To install fpm, run the following commands:

You should now be able to run the fpm command.

We now need to make sure our Kali system has rpmbuild installed. To do this, run the following command:

Creating RPM payload

Our next step is to create a payload. The payload I am going to demonstrate with is a Bash Reverse Shell. In the example below, my shell is in a file called root.sh

Replace ATTACKER IP and LISTENING PORT accordingly

Feel free to get creative with this and adapt it to your own environment and constraints.

Next, we need to convert our root.sh into an RPM package. To do this, run the following command:

Take note that some of the values in the fpm command need to be altered to fit your scenario. You can run fpm -h to help you understand the command above.

Once you run the command, you should have a .rpm file in the directory you specified. The next step is to transfer the .rpm file to the victim machine.

Payload Execution

Once you manage to transfer the RPM package to the victim machine, the commands you need to run will depend on whether you are using yum or dnf.

For yum:

sudo yum localinstall -y root-1.0-1.noarch.rpm

For dnf:

sudo dnf install -y root-1.0-1.noarch.rpm

In my particular scenario, the yum command was deprecated and redirected the arguments attached to my original yum command to dnf. I was also experiencing issues related to repositories. My solution to this was to add a flag that disables DNF repositories. You can read more about that here: https://docs.fedoraproject.org/en-US/Fedora/23/html/System_Administrators_Guide/sec-Managing_DNF_Repositories.html

Note: The yum command redirects to dnf.

The result from this should be a root shell: