nuclei-templates/code/privilege-escalation/linux/binary/privesc-rpmverify.yaml

48 lines
1.4 KiB
YAML

id: privesc-rpmverify
info:
name: rpmverify - Privilege Escalation
author: daffainfo
severity: high
description: |
The rpmverify command is used to verify the integrity and authenticity of installed RPM packages on a Linux system. It checks the files in the installed packages against the information stored in the RPM database to detect any modifications or discrepancies. This helps ensure the security and stability of the system by identifying any unauthorized changes to the installed packages.
reference:
- https://gtfobins.github.io/gtfobins/rpmverify/
metadata:
verified: true
tags: code,linux,rpmverify,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
rpmverify --eval '%(whoami 1>&2)'
- engine:
- sh
- bash
source: |
sudo rpmverify --eval '%(whoami 1>&2)'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a004730450220749059b8ec0e7d457d03ced81b4b48b3d69580b77a6e0c1198dcd2534727d4ed022100eb51a489cfa87f8689a639d6b921964d9e4a0b2b8e6aee5869361c52f4c71796:922c64590222798bb761d5b6d8e72950