NFS (attacker-machine)

NOTE: Do not confuse this method with NFS (client-side). In this case the NFS server is run from the attacker machine instead of the target.

Attacker machine

  • Create a mountable share point hosting a shellcode with root as owner, and SUID bit set

  • Make the shellcode file executable by all

Target machine

  • Mount the attacker share

  • Execute the binary to gain a root shell

Required conditions

  1. NFS share configuration does not suppress SUID

Attacker machine

  • /etc/exports should have the no_root_squash option for the export:

/... *(...,no_root_squash)

Target machine

  • The mount must be made with the -o suid behaviour in effect (the default for mount) rather than nosuid:

$ mount -t nfs ... -o suid

  2. Misconfigured mount settings

Note that the mount command itself requires superuser privileges, so one of the following is needed:

  • Writable /etc/fstab — this file controls the mounting of file systems on boot

  • Writable and privileged cron jobs or systemd services that perform mounts, which allow an attacker to modify their contents and point the mount at the attacker's server instead

  • Method to run mount without sudo

Enumeration (possible scripts)

# /etc/fstab
$ ls -l /etc/fstab

# systemd services
# find writable files under systemd directories and search inside for the word "mount"
$ find /etc/systemd/system -writable -type f -exec grep -iH "mount" {} \; 2>/dev/null

# cronjobs
# find writable files under cron directories and search inside for the word "mount"
$ find /etc/cron* -type f -writable -exec grep -iH "mount" {} \; 2>/dev/null
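As an added defender-side audit (not part of the original page), the script below checks a host for the two configuration conditions listed under "Required conditions": NFS mounts made without the nosuid option, and exports that use no_root_squash. The /proc/mounts and /etc/exports contents it runs against are constructed samples, and audit_live is a hypothetical wrapper that applies the same checks to the real files.

```shell
#!/bin/sh
# Added audit helper, not code from the original page. It flags the settings the
# technique depends on: NFS mounts that honour SUID (no "nosuid" option) and
# exports that keep remote root as uid 0 ("no_root_squash").

# Constructed sample in /proc/mounts format: source mountpoint fstype options dump pass
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
10.0.0.5:/export /mnt/share nfs4 rw,relatime,vers=4.2 0 0
10.0.0.6:/safe /mnt/safe nfs rw,nosuid,nodev,relatime 0 0'

# Constructed sample in /etc/exports format: path client(options) ...
SAMPLE_EXPORTS='# constructed exports file
/srv/public *(ro,sync)
/srv/data 10.0.0.0/24(rw,sync,no_root_squash)
/srv/home 10.0.0.7(rw,sync,root_squash)'

# Read /proc/mounts-format lines on stdin; print "mountpoint source" for every
# NFS mount whose option list lacks nosuid (SUID bits on that share are honoured).
flag_suid_nfs_mounts() {
    awk '$3 ~ /^nfs/ && ("," $4 ",") !~ /,nosuid,/ { print $2, $1 }'
}

# Read /etc/exports-format lines on stdin; print "path client(options)" for every
# client entry that disables root squashing. Blank lines and comments are skipped.
flag_no_root_squash_exports() {
    awk '!/^[[:space:]]*(#|$)/ {
        for (i = 2; i <= NF; i++)
            if ($i ~ /[(,]no_root_squash[,)]/) print $1, $i
    }'
}

# Hypothetical wrapper for a real host: the same checks against the live files.
# Remediation is to remount with nosuid (and nodev) and to drop no_root_squash
# from any export that does not strictly need it.
audit_live() {
    echo "NFS mounts without nosuid:"
    flag_suid_nfs_mounts < /proc/mounts
    if [ -r /etc/exports ]; then
        echo "Exports with no_root_squash:"
        flag_no_root_squash_exports < /etc/exports
    fi
}

# Run against the constructed samples so the script works offline.
echo "NFS mounts without nosuid (sample):"
printf '%s\n' "$SAMPLE_MOUNTS" | flag_suid_nfs_mounts
echo "Exports with no_root_squash (sample):"
printf '%s\n' "$SAMPLE_EXPORTS" | flag_no_root_squash_exports
```

On the samples, only /mnt/share (mounted without nosuid) and the /srv/data export (no_root_squash) are reported; the /mnt/safe mount and the root_squash export pass. Running audit_live on a live host reads /proc/mounts and /etc/exports directly.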
