Hacking Network Services: LAB4: NFS.
What is NFS?
NFS stands for "Network File System" and allows a system to share directories and files with others over a network.
By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by mounting all or a portion of a file system on a server.
The portion of the file system that is mounted can be accessed by clients with whatever privileges are assigned to each file.
How does NFS work?
We don't need to understand the technical exchange in too much detail to be able to exploit NFS effectively; however, if this is something that interests you, I would recommend this resource: https://docs.oracle.com/cd/E19683-01/816-4882/6mb2ipq7l/index.html
First, the client will request to mount a directory from a remote host on a local directory just the same way it can mount a physical device. The mount service will then act to connect to the relevant mount daemon using RPC.
The server checks if the user has permission to mount whatever directory has been requested. It will then return a file handle which uniquely identifies each file and directory that is on the server.
If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:
- The file handle
- The name of the file to be accessed
- The user's user ID
- The user's group ID
RPC: Remote Procedure Call. A remote procedure call is an interprocess communication technique that is used for client-server based applications. It is also known as a subroutine call or a function call. A client has a request message that the RPC translates and sends to the server. This request may be a procedure or a function call to a remote server.
-----------------------------------------------------------------------------------------------------------------------------
What runs NFS?
Using the NFS protocol, you can transfer files between computers running Windows and other non-Windows operating systems, such as Linux, MacOS or UNIX.
A computer running Windows Server can act as an NFS file server for other non-Windows client computers. Likewise, NFS allows a Windows-based computer running Windows Server to access files stored on a non-Windows NFS server.
More Information:
Here are some resources that explain the technical implementation and working of NFS in more detail than I have covered here.
https://www.datto.com/library/what-is-nfs-file-share
http://nfs.sourceforge.net/
https://wiki.archlinux.org/index.php/NFS
-----------------------------------------------------------------------------------------------------------------------------
- The mounting process allows an NFS client to interact with a remote directory as though it were a physical device
- NFS uses file handles to represent files and directories on a server
- NFS uses the RPC protocol to communicate between the server and client
- The two pieces of user data that the NFS server takes as parameters for controlling user permissions are: user ID / group ID
- A Windows NFS server can share files with a Linux client
- A Linux NFS server can share files with a MacOS client
- The latest NFS version is 4.2, released in 2016 but still up to date as of 2020
--------------------------------------------------------------------------------------------------------------
Enumerating NFS
------------------------------------------------------------------------------------------------------------------------
Requirements: In order to do a more advanced enumeration of the NFS server and its shares, we are going to need a few tools.
The first of these is key to interacting with any NFS share from your local machine: nfs-common
nfs-common: It is important to have this package installed on any machine that uses NFS, either as client or server.
It includes programs such as:
- lockd
- statd
- showmount
- nfsstat
- gssd
- idmapd
- mount.nfs
Primarily, we are concerned with "showmount" and "mount.nfs", as these are going to be most useful to us when it comes to extracting information from the NFS share.
You can install nfs-common using "sudo apt-get install nfs-common"; it is part of the default repositories for most Linux distributions such as Kali Linux or Parrot OS.
Port scan: nmap -p- -A -vv [targetip]
Mounting NFS shares
Your client’s system needs a directory where all the content shared by the host server in the export folder can be accessed.
You can create this folder anywhere on your system. Once you've created this mount point, you can use the "mount" command to connect the NFS share to the mount point on your machine like so:
sudo mount -t nfs IP:share /tmp/mount/ -nolock
Let's break this down
Tag        Function
sudo       Run as root
mount      Execute the mount command
-t nfs     Type of device to mount, then specifying that it's NFS
IP:share   The IP address of the NFS server, and the name of the share we wish to mount
-nolock    Specifies not to use NLM locking
/usr/sbin/showmount -e [targetip] => to list the NFS shares
sudo mount -t nfs $target:home /tmp/mount/ -nolock => to mount the share to our local machine
ssh -i <key-file> <username>@<ip>
------------------------------------------------------------------------------------------------------------------------
Exploiting NFS
------------------------------------------------------------------------------------------------------------------------
root_squash
By default, root squashing is enabled on NFS shares, and it prevents anyone connecting to the NFS share from having root access to the NFS volume. Remote root users are mapped to the user "nfsnobody" when connected, which has the least local privileges.
Not what we want. However, if this is turned off, it can allow the creation of SUID bit files, giving a remote user root access to the connected system.
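An added server-side check, not code from the original post: a small Python parser for /etc/exports that flags clauses with no_root_squash (the exports(5) option that disables the root squashing described above), writable exports to any host, and the insecure option. The exports content is constructed for the demo.

```python
import re

# Constructed sample /etc/exports content for the demo (not from the original page).
SAMPLE_EXPORTS = """\
# constructed example exports file
/home     *(rw,sync,no_root_squash,insecure)
/srv/data 10.0.0.0/24(ro,sync,root_squash)
/backup   10.0.0.5(rw,sync) 10.0.0.6(rw,no_subtree_check)
/pub      (ro,all_squash)
"""

# host(opt,opt,...) clause; an empty host before "(" applies to all hosts per exports(5)
CLAUSE_RE = re.compile(r"(\S*)\((.*?)\)")


def parse_exports(text):
    """Return a list of (path, host, options) tuples, one per host clause."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, clauses = parts[0], parts[1:]
        for clause in clauses:
            m = CLAUSE_RE.fullmatch(clause)
            if m:
                host = m.group(1) or "*"
                opts = [o for o in m.group(2).split(",") if o]
            else:                               # bare host, default options
                host, opts = clause, []
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Flag clauses that let a remote root keep uid 0, or that export
    writable data to the whole world, or that accept unprivileged ports."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash: remote root keeps uid 0 "
                             "and can leave root-owned SUID files on the export"))
        if host == "*" and "rw" in opts:
            findings.append((path, host, "rw export to any host"))
        if "insecure" in opts:
            findings.append((path, host, "insecure: requests from unprivileged "
                             "source ports are accepted"))
    return findings
```

Run audit_exports over the real /etc/exports of a server to see which shares would survive the root_squash check above.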
----------------------------------------------------------------------
SUID:
What are files with the SUID bit set? Essentially, this means that the file or files can be run with the permissions of the file's owner/group rather than those of the user running them.
In this case, as the super-user. We can leverage this to get a shell with these privileges!
----------------------------------------------------------------------
Method:
This sounds complicated, but really, provided you're familiar with how SUID files work, it's fairly easy to understand.
We are able to upload files to the NFS share and control the permissions of these files.
We can set the permissions of whatever we upload, in this case a bash shell executable. We can then log in through SSH, as we did in the previous task, and execute this executable to gain a root shell.
Mapped Out Pathway:
NFS Access ->
Gain Low Privilege Shell ->
Upload Bash Executable to the NFS share ->
Set SUID Permissions Through NFS Due To Misconfigured Root Squash ->
Login through SSH ->
Execute SUID Bit Bash Executable ->
ROOT ACCESS
chmod +s (sets the SUID bit)
"./bash -p". The -p flag stops bash from dropping the elevated effective UID back to the real UID, which it otherwise does when started as a SUID binary, so the shell keeps running as root.
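As an added defender-side example (not code from the original post), the artefact the method above leaves behind is a root-owned file with the SUID bit set inside the export; this Python scan finds such files under a directory. The demo function builds a constructed temp tree and uses the current uid as a stand-in for uid 0 so it runs without root.

```python
import os
import stat
import tempfile


def find_suid_files(root, owner_uid=0):
    """Walk `root` and return regular files that carry the SUID bit and are
    owned by `owner_uid` (root, uid 0, by default)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # vanished or unreadable, skip
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID \
                    and st.st_uid == owner_uid:
                hits.append(path)
    return sorted(hits)


def demo():
    """Constructed demo: build a temp tree with one SUID file and one plain
    file, both owned by the current user, and scan for SUID files owned by
    that uid (stand-in for uid 0 when not running as root)."""
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "notes.txt")
        suid = os.path.join(tmp, "sub", "bash")
        os.makedirs(os.path.dirname(suid))
        for p in (plain, suid):
            with open(p, "w") as fh:
                fh.write("x")
        os.chmod(suid, 0o4755)               # rwsr-xr-x
        found = find_suid_files(tmp, owner_uid=os.getuid())
        return [os.path.relpath(p, tmp) for p in found]
```

Pointing find_suid_files at the server-side export directory (or mounting the export with nosuid on clients) is the practical counterpart of the root_squash check.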
--------------------------------------------------------------------------------------------------------------------------------
Thanks for reading! -
Roger - Ozz961.