NFS - Linux Privilege Escalation
Background Information on NFS
NFS stands for Network File System. NFS allows remote hosts to mount file systems over a network and interact with them as though they were mounted locally.
Analogy for NFS: Imagine you are a user sitting in a library (client computer) and you want to read a book that is located on a shelf in a different building (server). Instead of physically going to the other building and retrieving the book, you can request the librarian (NFS protocol) to bring the book to you. The librarian acts as an intermediary, facilitating the retrieval of the book from the remote location and making it accessible to you locally.
The NFS configuration is stored in /etc/exports; you can view it with `cat /etc/exports`.
It is important to note that this file can be read by anyone.
Exploiting NFS
The first thing we have to do is look at the NFS configuration to see which directories are shared; then we narrow down our choices by looking for no_root_squash.
What is no_root_squash? no_root_squash allows the root user on a remote client to retain their superuser privileges when accessing the shared files. In other words, no_root_squash disables "root squashing".
Then what is root squashing? Root squashing prevents a remote root user from retaining their superuser privileges; they are treated as an ordinary user. Let's say you are a celebrity, but in your parents' eyes you're just their kid, and they treat you exactly as they did when you were born. That's what root squashing is like.
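As an added example (not part of the original write-up), here is a small Python audit script an administrator can run against /etc/exports to spot shares that export no_root_squash, or that are writable by any host, before someone else finds them. The exports table embedded below is constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample exports table (not from a real host): comment, continuation, mixed options.
SAMPLE_EXPORTS = """\
# /etc/exports: NFS exports table
/srv/backup     10.0.0.0/24(ro,sync,root_squash)
/home           *(rw,sync,no_subtree_check,no_root_squash)
/tmp            192.168.1.0/24(rw,sync) \\
                10.0.0.5(rw,no_root_squash)
/srv/public     *(ro,all_squash)
"""

# A client entry is "host" or "host(opt1,opt2,...)" with no space before "(".
CLIENT_RE = re.compile(r"^([^(]+)(?:\(([^)]*)\))?$")

def parse_exports(text: str) -> Dict[str, List[dict]]:
    """Map each export path to its list of {"client", "options"} entries."""
    text = re.sub(r"\\\n\s*", " ", text)            # fold continuation lines
    exports: Dict[str, List[dict]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        path, *tokens = line.split()
        entries = []
        for token in tokens:
            m = CLIENT_RE.match(token)
            if m:
                opts = m.group(2).split(",") if m.group(2) else []
                entries.append({"client": m.group(1), "options": opts})
        exports[path] = entries
    return exports

def audit_exports(text: str) -> List[str]:
    """Flag entries where a remote root keeps root, or any host may write."""
    findings = []
    for path, entries in parse_exports(text).items():
        for e in entries:
            opts, client = set(e["options"]), e["client"]
            if "no_root_squash" in opts:
                findings.append(f"{path} {client}: no_root_squash (remote root stays root)")
            if client == "*" and "rw" in opts:
                findings.append(f"{path} {client}: writable by any host")
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

To audit a live host, pass the contents of /etc/exports to `audit_exports` instead of the sample; an empty result means no entry carries the flagged options.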
Now that we have found a shared directory with no_root_squash, we need to enumerate (gather information on) which shares are mountable. To do this we can use the command: showmount -e TARGET_IP
![](/images/linux_priv_39.png)
Now, let's go into the ATTACK_MACHINE folder. To test whether the folder is really mounted (shared), we can create a file named new and see if it appears on our victim machine. To do this we use the touch command: `touch new.c`. As you can see from the picture, both directories are in sync.
![](/images/linux_priv_41.png)
Now that our two directories are in sync, it's time to do the evil stuff :) We will edit our new file from our "Attacker Machine" and put in the following lines:
Note: Please make sure that the file has the .c extension, so it is named new.c.
Now we're cooking. Let's compile our code using `gcc new.c -o new -w` and then assign it the SUID bit. But first, let's review what the SUID bit is, shall we?
SUID bit
The SUID bit is denoted by an "s" in the file's permission string. It is also known as Set owner User ID. SUID allows the user running the file to inherit the privileges of the file's owner. For example, if the owner of the file is root, the user gets root privileges; if the owner is a specific user, the user gets the privileges of that specific user.
Back to the Program
Now that we have reviewed what the SUID bit is, let's continue where we left off. The next thing we are going to do is assign SUID to new. To do that we use the command: `chmod u+s new`. If you run `ls -al` again, you will see the SUID bit assigned to new.
![](/images/linux_priv_43.png)
There you go, we got root privileges.
That’s all, thank you for reading.