NFS Privilege Escalation


Thought I would write an article on the NFS Privilege Escalation technique. This is caused by a misconfiguration of the /etc/exports file.

I replicated this scenario as I still have a bit of lab time left. During the Nmap scan, we can see that NFS and its dedicated port are found. We are exploiting the below vulnerability in /etc/exports:

/home *(rw,no_root_squash)

The no_root_squash option turns off the "squashing of root user": requests from the client's root user are no longer mapped to the anonymous user, so root on the remote machine gets root access to the exported directory. The idea is to mount the home directory to a local directory that we have on our Kali machine.

We copy a local shell into the mounted directory, then change its ownership and set the SUID bit in its permissions. When the SUID bit is set on a file, any user who executes it runs it with the permissions of the file's owner rather than the permissions of the user who is executing it.

From there, we just SSH into the victim machine as a low-priv user and run the shell in the shared directory. This and a couple of other priv esc techniques such as LD_PRELOAD are really valuable to have in the back pocket.

Below is a video demonstration of the attack on a lab environment.

NOTE: In the video, I did not cat /etc/exports, but we can see the Nmap scan, which indicated something interesting. For demonstration purposes, we can assume that no_root_squash is present in /etc/exports (it is).

Click on this link for the video of the NFS Privilege Escalation demonstration
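To find this misconfiguration on your own servers, the check below parses /etc/exports syntax and reports every client whose root user is not squashed. It is an added example, not code from the original article; the sample file is constructed (only the /home entry comes from the article), and it assumes unquoted paths and that a later option overrides an earlier one.

```python
import re

# Constructed sample in /etc/exports syntax; only the first entry is from the article.
SAMPLE_EXPORTS = r"""
/home *(rw,no_root_squash)
/srv/data 192.168.56.0/24(rw,sync) \
          backup.lab.example(ro,no_root_squash)
/srv/pub  -ro,no_root_squash *(root_squash)
"""

CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

def parse_exports(text):
    """Yield (path, client, options) for each client on each export line."""
    text = re.sub(r"\\\n", " ", text)              # join backslash-continued lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()     # drop comments, split on blanks
        if not fields:
            continue
        path, defaults = fields[0], []
        for field in fields[1:]:
            if field.startswith("-"):              # "-opt,opt": defaults for later clients
                defaults = field[1:].split(",")
                continue
            m = CLIENT_RE.match(field)
            if m:
                own = m.group(2).split(",") if m.group(2) else []
                yield path, m.group(1) or "*", defaults + own

def last_of(options, on, off, default):
    """Assumption: later options override earlier ones, so the last one decides."""
    for opt in reversed(options):
        if opt in (on, off):
            return opt == on
    return default

def audit(text):
    """Return one finding per client whose root user is not squashed."""
    findings = []
    for path, client, opts in parse_exports(text):
        if last_of(opts, "no_root_squash", "root_squash", default=False):
            findings.append({"path": path, "client": client,
                             "writable": last_of(opts, "rw", "ro", default=False),
                             "any_host": client == "*"})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print(finding)
```

Entries that are both writable and open to any host, like the /home line, are the ones to fix first: drop no_root_squash (root_squash is the default) and restrict the client list.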