This article describes an exploitation path of PackageKit settings in Fedora/CentOS, to achieve local privilege escalation to root without any user interaction.

The scenario uses vulnerabilities in both the default configuration of PackageKit and some packages.

We found a way to escalate our privileges to root, exploiting a vulnerability in the way that a setsuid binary can be abused to load malicious Perl libraries.

A vulnerability has been introduced in the package that installs sqliteODBC in Red Hat / CentOS / Fedora distributions.

It is a race condition that allows local users to escalate their privileges to root permissions.

Ligolo is a simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a reverse connection in complete safety (TLS certificate with elliptical curve).

It is comparable to Meterpreter with Autoroute + Socks4a, but more stable and faster.