Now that we have gained low-privilege user access to the target machine, our objective is to escalate our privileges to the root user. There are multiple ways to escalate privileges on Linux, such as exploiting an unpatched kernel-level vulnerability, weak security configurations, weak permissions on files owned by the root user, passwords stored in the file system, password reuse, and so on.
In this article, we will see how a weakly configured NFS share can lead us to elevated privileges. Why set the suid bit on this file? When a file with the suid bit set is run by any user, the process executes with the rights of the file's owner. From here onward, we have the highest privilege on the machine and can start our post-exploitation steps, such as dumping and cracking the hashes, enumerating the database, reading sensitive files owned by other users, and using this machine as a pivot point to recon other machines and networks.
Now we will understand why root owns the file uploaded to the mounted share on the remote machine. Repeat the steps given in point number 4 to mount the NFS share. You will observe two things: NFS shares can commonly be found open on internal Linux-based servers or workstations.
It is important not to use the service with default settings. This may lead to complete system compromise! An attacker with root privileges on the compromised machine may use it as a pivot point to attack further into the network, leading to a much wider compromise. The outlined steps also work on a macOS machine.
Create a mount point directory in the mnt folder where the remote file system will be mounted. Enter the login password when requested if using password authentication.
If the remote server uses SSH key authorization, provide the path to the private key. For example: The above command mounts a remote directory located at Note: Getting a connection error? Try troubleshooting through one of our guides. Check if the file system mapped correctly by navigating to the directory using the cd command.
Note: Still mounted? Double-check that you typed the umount command correctly. There is no letter N. Open the file explorer. Select the letter of the drive to which you'd like to map the remote folder. Note I bound it to localhost. The difference I'm pointing out is that in the above commands the SSH tunnels are logging into the server as root, while in the latter ones they are doing it as the very restricted user "sleeper".
So in the second case the privileges you have on the shares are limited to what sleeper can do even if you are root on the client. And yes, I have tested this.