1 Become root on Linux via NFS exploits 1.1 Look for no_root_squash shares 1.2 Mount share 1.3 Create a payload 1.3.1 Bash binary with an SUID bit 1.3.2 C binary with an SUID bit 1.4 Execute the payload on the target machine to escalate privileges 1.5 Unmount the shared directory in the attacker machine
The NFS configuration file is
no_root_squash: This option basically gives authority to the root user on the client (us, our attacker host) to access files on the NFS server as root. This is bad, as we can create malicious files on the NFS share as the root user.
no_all_squash: This is similar to no_root_squash option but applies to non-root users.