04 Jan 2023
First tool needed on a local machine to do more advanced enumeration is the nfs-common package (Linux?). Important to have on any machine that uses NFS, as client or server. Includes lockd, statd, showmount, nfsstat, gssd, idmapd, and mount.nfs. Primary concern for enumeration purposes is showmount and mount.nfs, because they’re most useful for extracting information from the NFS share.
Before mounting, need to create a directory to mount into (e.g. /tmp/mount). Mount items with sudo mount -t nfs IP:share /directory/location -o nolock.
Gather information about NFS server for task.
When using nmap, look for nfs-acl port.
Logged in to VM through ssh.
If accessing through low privilege shell and there’s an NFS share, can possibly escalate privs depending on share’s config.
By default, root squashing is enabled on NFS shares and prevents anyone connecting from having root access to the NFS volume by assigning “nfsnobody” on connection (least privilege). If squashing is turned off, it can allow creation of files with the SUID bit set. Files with the SUID bit set run with the permissions of the file owner/group; here the owner is made the super-user.
Upload file(s) to NFS share while controlling permissions of file(s). If it is bash shell executable, can log in through ssh and execute file to gain root shell.
Follow the method using bash from creator’s GitHub until flag is retrieved.
Move bash executable to mounted share. From directory as root: sudo chown root bash
Set SUID bit with: sudo chmod +s bash
May need to do the same to add execute permission to the file.
Got the flag and, hopefully, good notes.
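Server-side check for the root squashing setting described above, as an added example that is not part of the original notes or the room's material: it parses exports(5)-style text and reports every path/client pair exported with no_root_squash. The function names and the sample exports content are constructed for illustration.

```python
import shlex

# Constructed sample in /etc/exports format (not taken from any real server).
SAMPLE_EXPORTS = """\
# constructed sample
/srv/public   *(ro,sync)
/home         10.10.0.0/24(rw,sync,no_root_squash) backup01(ro)
/srv/build    -rw,no_root_squash ci01 ci02(root_squash)
/srv/scratch  192.0.2.15(rw,no_subtree_check) \\
              192.0.2.16(rw,no_root_squash)
"""


def _root_squashed(options):
    """root_squash is the default; apply options in order, last one wins."""
    squashed = True
    for opt in options:
        if opt == "no_root_squash":
            squashed = False
        elif opt == "root_squash":
            squashed = True
    return squashed


def find_unsquashed_exports(text):
    """Return (path, client) pairs exported without root squashing."""
    findings = []
    logical = text.replace("\\\n", " ")  # join backslash-continued lines
    for line in logical.splitlines():
        tokens = shlex.split(line, comments=True)  # drops '#' comments
        if not tokens:
            continue
        path, defaults = tokens[0], []
        for tok in tokens[1:]:
            if tok.startswith("-"):  # "-opt,opt": defaults for later clients
                defaults = tok[1:].split(",")
                continue
            client, _, rest = tok.partition("(")
            opts = defaults + [o for o in rest.rstrip(")").split(",") if o]
            if not _root_squashed(opts):
                findings.append((path, client or "<any host>"))
    return findings


if __name__ == "__main__":
    for path, client in find_unsquashed_exports(SAMPLE_EXPORTS):
        print(f"no_root_squash: {path} exported to {client}")
```

To audit a real server, pass the contents of its exports file to find_unsquashed_exports instead of the sample.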