Saturday 15 January 2022

NFS Enumeration and Exploitation

 


The lab I used for this walkthrough is a TryHackMe lab in the Network Services 2 module, which explains NFS enumeration and exploitation.

NFS stands for Network File System and allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by mounting all or a portion of a file system on a server. The portion of the file system that is mounted can be accessed by clients with whatever privileges are assigned to each file.

  •  The client will request to mount a directory from a remote host on a local directory, just the same way it can mount a physical device.
  •  The server checks if the user has permission to mount whatever directory has been requested. It will then return a file handle which uniquely identifies each file and directory that is on the server.

If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:

  •  The file handle
  •  The name of the file to be accessed
  •  The user's user ID
  •  The user's group ID

Enumeration

 

The first step of enumeration is to conduct a port scan, to find out as much information as you can about the services, open ports and operating system of the target machine. You can go as in-depth as you like on this; however, I suggest using nmap with the -A and -p- flags.

The following screenshot shows the nmap scan of the IP and the services associated with it.



Your client’s system needs a directory where all the content shared by the host server in the export folder can be accessed. You can create this folder anywhere on your system.

sudo mount -t nfs IP:share /tmp/mount -o nolock

Tag          Function
sudo         Run as root
mount        Execute mount command
-t nfs       Type of device to mount is nfs
IP:share     IP address of the NFS server and the name of the share
-o nolock    Do not use NFS locking

 

The following screenshot shows the share that is currently visible.


The following screenshot shows the NFS share being mounted; after this we will be able to access the data from the NFS server.




Exploitation

 

On NFS shares, root squashing is enabled and prevents anyone connecting to the NFS share from having root access to the NFS volume. Remote root users are assigned the user “nfsnobody” when connected, which has the least local privileges. When root squash is misconfigured, as on the share in this lab, that protection is absent and files written as root over NFS stay owned by root.

SUID means that a file can be run with the permissions of the file's owner/group, in this case the super-user. We can leverage this to get a shell with these privileges!
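A defender-side check for the misconfiguration this walkthrough relies on, as an added example that is not part of the original post: it parses exports(5) text, reports every client entry where root squashing is switched off, and lists SUID files under a directory. The sample export lines and the function names are constructed for illustration, and treating the last option listed as the one that wins is this example's assumption.

```python
import os
import shlex
import stat

# Constructed sample in exports(5) syntax; not taken from the lab machine.
SAMPLE_EXPORTS = """\
/srv/nfs/home    *(rw,sync,no_root_squash)
/srv/nfs/backup  -ro,no_root_squash 10.0.0.5 10.0.0.6(rw,root_squash)
/srv/nfs/public  192.168.1.0/24(ro) 10.0.0.9(rw,no_root_squash)  # comment
"""

def parse_exports(text):
    """Yield (path, client, options) for each client entry."""
    for line in text.replace("\\\n", " ").splitlines():  # join continued lines
        tokens = shlex.split(line, comments=True)
        defaults = []
        for tok in tokens[1:]:
            if tok.startswith("-"):  # "-opt,opt": defaults for later clients
                defaults = tok[1:].split(",")
                continue
            client, _, opts = tok.partition("(")
            explicit = [o for o in opts.rstrip(")").split(",") if o]
            # An empty client, as in "/path (rw)", means every host.
            yield tokens[0], client or "*", defaults + explicit

def last_of(options, a, b, default):
    """Return whichever of a/b appears last in options, else the default."""
    seen = [o for o in options if o in (a, b)]
    return seen[-1] if seen else default

def audit_exports(text):
    """Return (path, client, access) where root squashing is switched off."""
    return [(path, client, last_of(opts, "ro", "rw", "ro"))
            for path, client, opts in parse_exports(text)
            if last_of(opts, "root_squash", "no_root_squash", "root_squash") == "no_root_squash"]

def find_suid(root):
    """List regular files under root that carry the set-user-ID bit."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                hits.append(full)
    return sorted(hits)

if __name__ == "__main__":
    print(*audit_exports(SAMPLE_EXPORTS), sep="\n")
```

On a real server, pass the contents of /etc/exports to audit_exports and run find_suid on each exported directory that it reports.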

The bash script to exploit the NFS server is here

The pathway to exploit is provided below

  1. NFS Access 
  2. Gain Low Privilege Shell
  3. Upload Bash Executable to the NFS share
  4. Set SUID Permissions Through NFS Due to Misconfigured Root Squash
  5. Login through SSH
  6. Execute SUID Bit Bash Executable
  7. ROOT ACCESS

Let’s do this! 

NFS Access

The following screenshot shows the sensitive data present on the file share: the SSH access permission files.



Gain Low Privilege Shell

The following screenshot shows the lower-privilege access to the NFS



The following screenshot shows that the access credentials for SSH are copied to the local system.



Upload Bash Executable to the NFS share

The following screenshot shows the bash file being loaded into the mounted NFS folder.





Set SUID Permissions Through NFS Due to Misconfigured Root Squash

The following screenshot shows the SUID permissions being set on the bash file due to the misconfigured root squash, which makes the file executable by group and owner users.





Login through SSH

Log in to the server using the SSH pem files.



Execute SUID Bit Bash Executable

Execute the bash file and access the root.txt file to get the flag.







