NFS (attacker-machine)

NOTE: Do not confuse this method with NFS (client-side). The NFS server in this case is ran from the attacker machine instead

Attacker machine

Create a mountable share point hosting a shellcode with root as owner, and SUID bit set
Make the shellcode file executable by all

Target machine

Mount the attacker share
Execute the binary to gain a root shell

Required conditions

NFS share configurations does not suppress SUID

Attacker machine

/etc/exports should have the no_root_squash option for the export:

/... *(...,no_root_squash)

Target machine

The mount option should have the -o suid flag set:

$ mount -t nfs ... -o suid

Misconfigured mount settings

Note that the mount command requires superuser privileges

Writable /etc/fstab — this file controls the mounting of file systems on boot
Writable and privileged cron-jobs, or systemd services with mount functions that allows an attacker to modify the contents, and point the mount towards the attacker server instead
Method to run mount without sudo

Enumeration (possible scripts)

# /etc/fstab
$ ls -l /etc/fstab

# systemd services
# find writable files under systemd directories and search inside for the word "mount"
$ find /etc/systemd/system -writable -type f -exec grep -iH "mount" {} \; 2>/dev/null 


# cronjobs
# find writable files under cron directories and search inside for the word "mount"
$ find /etc/cron* -type f -writable -exec grep -iH "mount" {} \; 2>/dev/null

PreviousFilesystem sharing NextWindows

Last updated 7 months ago