Exploiting NFS Share

Recently, while performing a network-level penetration test for one of our clients, I came across a vulnerability that was used to compromise almost all the systems in scope. In this article, we will learn how to exploit a weakly configured NFS share to gain access to a remote host, followed by privilege escalation.

Network File System (NFS): NFS allows remote hosts to mount file systems or directories over a network. An NFS server exports a directory, and a remote Linux machine can mount that export as if it were a local directory. This lets an organisation keep data in one central place and share it with every machine on the network. The export list, including which client hosts may mount each directory and with which options, lives in “/etc/exports” on the server.

For demonstration purposes, I am using Metasploitable in this article. Download the Metasploitable VM from http://sourceforge.net/projects/metasploitable/files/Metasploitable2/metasploitable-linux-2.0.0.zip/download

Set it up and run the VM. Enter “msfadmin” as both username and password when prompted to log in. Note the IP address of the Metasploitable machine by running the “ifconfig” command. To simulate the exact scenario from the engagement, I have changed the exported directory from “/” (root) to “/home” in the “/etc/exports” file, which holds the NFS export configuration. After making the change, run the following command to restart the NFS service so the new export list takes effect:

sudo /etc/init.d/nfs-kernel-server restart

Now, let’s start our Kali Linux machine and perform the penetration test from there.

Step 1: Start with an nmap service fingerprint scan against the IP address of the Metasploitable machine:

nmap -sV 192.168.100.25

Step 2: The port scan result shows that port 2049 is open and the nfs service is running on it.

Step 3: Check whether any share is available to mount, using the showmount tool in Kali:

showmount -e 192.168.100.25

The “/home” directory is mountable. Note the asterisk next to /home in the export list: it means that every machine on the network is allowed to mount this machine’s /home directory, with no restriction on the client’s address. If (Read more...)
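The weak configuration the steps above uncover from the client side can also be checked on the server itself. The bash script below is an added example, not code from the original article: it audits an /etc/exports file and flags the two settings a practitioner looks for first, an export granted to every host (“*”, the asterisk seen in the showmount output) and an export that keeps a remote root user as root (no_root_squash). The sample exports file is constructed for the example; its paths and client addresses are assumptions and are not taken from the article.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: audit an /etc/exports
# file for the weak settings that make an NFS share trivially mountable and
# abusable: an export granted to every host ("*") and an export that keeps
# remote root as root (no_root_squash). The sample file below is constructed;
# its paths and client addresses are assumptions, not taken from the article.

# Constructed sample: the /home line mirrors the kind of export the article
# describes; the other two lines are assumed for illustration.
SAMPLE_EXPORTS='# /etc/exports (constructed sample)
/home *(rw,sync,no_root_squash,no_subtree_check)
/srv/backup 192.168.100.0/24(rw,sync,no_root_squash)
/srv/public 192.168.100.10(ro,sync)
'

# audit_exports FILE
# Prints one finding per line as "PATH CLIENT ISSUE" and returns 1 if any
# finding was produced, 0 if the file looks clean.
audit_exports() {
    local file="$1" findings=0 path clients entry client opts
    local -a entries
    while read -r path clients; do
        # Skip blank lines, comment lines and paths with no client list.
        [ -z "${path}" ] && continue
        case "${path}" in '#'*) continue ;; esac
        [ -z "${clients}" ] && continue
        # read -a splits the client(options) entries without glob-expanding "*".
        read -r -a entries <<< "${clients}"
        for entry in "${entries[@]}"; do
            # Client is everything before "(", options are inside the parens.
            client="${entry%%\(*}"
            opts=""
            case "${entry}" in *\(*\)) opts="${entry#*\(}"; opts="${opts%\)}" ;; esac
            if [ "${client}" = "*" ]; then
                printf '%s %s %s\n' "${path}" "${client}" "open-to-any-host"
                findings=$((findings + 1))
            fi
            case ",${opts}," in
                *,no_root_squash,*)
                    printf '%s %s %s\n' "${path}" "${client}" "no_root_squash"
                    findings=$((findings + 1)) ;;
            esac
        done
    done < "${file}"
    [ "${findings}" -eq 0 ]
}

# sample_exports_file: writes the constructed sample to a temp file and
# prints its path so the audit can be run stand-alone.
sample_exports_file() {
    local f
    f="$(mktemp)"
    printf '%s' "${SAMPLE_EXPORTS}" > "${f}"
    printf '%s' "${f}"
}

# Stand-alone run: audit the constructed sample and report.
sample="$(sample_exports_file)"
if audit_exports "${sample}"; then
    echo "no weak export settings found"
else
    echo "weak export settings found (see findings above)"
fi
rm -f "${sample}"
```

On a real server, run `audit_exports /etc/exports` and treat every “open-to-any-host” line as a share that any machine able to reach port 2049 can mount; a “no_root_squash” line additionally means a client who is root locally stays root on the exported tree. Restricting each export to the specific client addresses or subnet that need it, and leaving root_squash (the default) in place, removes both findings.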

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Satyam Singh. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/db_KAFPSuZ8/