From time to time you will come across a system where sudo lets you run yum or dnf as root. That is an attractive privilege escalation vector for a penetration tester: an RPM package can carry install scriptlets, and the package manager executes them as root when the package is installed. But what if we cannot build RPM packages on the victim machine and do not have a CentOS or Red Hat system readily available? The solution is to build the RPM package on our Kali Linux attacking machine and move it over to the victim machine.
Kali Linux is Debian-based and does not come with RPM packaging tooling, so we cannot build RPMs out of the box. To get around this we use fpm, which can turn a directory of files plus pre/post-install scripts into an RPM. You can get it here: https://github.com/jordansissel/fpm.
To install fpm, run the following commands:
You should now be able to run the fpm command.
We now need to make sure our Kali system has rpmbuild installed. To do this, run the following command:
Creating RPM payload
Our next step is to create the payload. The one I am going to demonstrate is a Bash reverse shell; in the example below it lives in a file called root.sh. Whatever you choose, the point is that yum or dnf will run it as root when the package is installed.
Feel free to get creative with this and adapt it to your own environment and constraints.
Next, we need to convert our root.sh into an RPM package. To do this, run the following command:
Take note that some of the values in the fpm command, such as the package name, version and the path to your script, need to be altered to fit your scenario. Run fpm -h for an explanation of each flag.
Once you run the command, you should have a .rpm file in the directory you specified. The next step is to transfer the .rpm file to the victim machine.
Once you manage to transfer the RPM package to the victim machine, the commands you need to run will depend on whether you are using yum or dnf.
sudo yum localinstall -y root-1.0-1.noarch.rpm
sudo dnf install -y root-1.0-1.noarch.rpm
In my particular scenario, the yum command was deprecated and redirected the arguments attached to my original yum command to dnf. I was also experiencing issues related to repositories. My solution to this was to add a flag that disables DNF repositories. You can read more about that here: https://docs.fedoraproject.org/en-US/Fedora/23/html/System_Administrators_Guide/sec-Managing_DNF_Repositories.html
The result from this should be a root shell: