11. NFS

Introduction

NFS shares are configured in the /etc/exports file.

Remote users can mount shares and access, create, and modify files.

By default, created files inherit the remote user’s id and group id (as owner and group respectively), even if they don’t exist on the NFS server.


Useful Commands

Show the NFS server’s export list:

$ showmount -e <target>

Similar Nmap script:

$ nmap -sV --script=nfs-showmount <target>

Mount an NFS share:

$ mount -o rw,vers=2 <target>:<share> <local_directory>

Root Squashing

Root Squashing is how NFS prevents an obvious privilege escalation.

If the remote user is (or claims to be) root (uid=0), NFS will instead “squash” the user and treat them as if they are the “nobody” user, in the “nogroup” group.

While this behavior is default, it can be disabled!


No Root Squash

no_root_squash is an NFS configuration option which turns root squashing off.

When included in a writable share configuration, a remote user who identifies as “root” can create files on the NFS share as the local root user.

So our root user on the client can place a SUID binary inside the NFS server's shared directory, and our non-root user can then access that binary with root permissions.
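
To check a server for this misconfiguration, the following added example (not part of the original page) parses /etc/exports text and reports every client entry where root is not squashed, and whether that entry is writable. The sample exports content, host names and function names are constructed for illustration, and quoted paths containing spaces are assumed not to occur.

```python
import re

# Constructed sample in exports(5) syntax; hosts and paths are made up.
SAMPLE_EXPORTS = """\
# path        client(options) ...
/srv/public   *(ro,sync)
/srv/backup   10.0.0.0/24(rw,sync,no_root_squash) 10.0.1.5(ro,no_root_squash)
/srv/build    -rw,no_root_squash buildhost \\
              ci.example.internal(root_squash)
/srv/scratch  trusted (rw,no_root_squash)
/home         192.168.1.0/24(rw,sync)
"""

CLIENT = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")  # host, optional (opts)

def effective(opts):
    """Return (writable, root_squashed); options are applied in order."""
    rw, root_squash, all_squash = False, True, False  # defaults: ro, root_squash
    for opt in opts:
        if opt in ("rw", "ro"):
            rw = opt == "rw"
        elif opt in ("root_squash", "no_root_squash"):
            root_squash = opt == "root_squash"
        elif opt in ("all_squash", "no_all_squash"):
            all_squash = opt == "all_squash"
    # all_squash maps every uid, root included, to the anonymous user.
    return rw, root_squash or all_squash

def audit_exports(text):
    """Return (path, client, writable) for each entry where root is not squashed."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        fields = line.split("#", 1)[0].split()            # strip comments
        if not fields:
            continue
        path, defaults = fields[0], []
        for token in fields[1:]:
            if token.startswith("-"):  # "-opt,opt": defaults for later clients
                defaults = token[1:].split(",")
                continue
            match = CLIENT.match(token)
            if not match:
                continue
            client = match.group(1) or "*"  # bare "(opts)" applies to any host
            opts = (match.group(2) or "").split(",")
            writable, squashed = effective(defaults + opts)
            if not squashed:
                findings.append((path, client, writable))
    return findings
```

Entries returned with writable set to True are the case described above; read-only entries without root squashing still let a remote root read every file on the share.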

