whiteov3rflow/nfs-gid-spoof

NFS GID Spoofing Privilege Escalation Tool

A Python tool that automates privilege escalation via NFS GID spoofing by creating setgid binaries on misconfigured NFS shares.

Description

This tool exploits misconfigured NFS shares where no_root_squash is enabled or where group-writable directories exist. It creates a local user with a target GID, compiles a setgid binary, and deploys it to the NFS share, allowing privilege escalation on the target system.

Requirements

  • Python 3.6+
  • Root privileges on the attacking machine
  • GCC compiler (for static binary compilation)
  • NFS client utilities (mount, umount)
  • Access to an NFS share with appropriate permissions

Installation

No installation required. Ensure you have the required dependencies:

# Debian/Ubuntu
sudo apt-get install nfs-common gcc

# RHEL/CentOS
sudo yum install nfs-utils gcc

Usage

Basic Syntax

sudo python3 gid_spoofer.py -s <NFS_SHARE> -g <TARGET_GID> -d <TARGET_DIRECTORY>

Options

  • -s, --share: NFS share in format IP:/path (required)
  • -g, --gid: Target GID to spoof (required)
  • -d, --directory: Target directory on NFS share (required)
  • -m, --mount: Custom mount point (optional, default: /tmp/nfs_mount_)
  • --no-cleanup: Skip cleanup after exploitation (optional)

Examples

Basic usage with automatic cleanup:

sudo python3 gid_spoofer.py -s 192.168.100.2:/srv/web.fries.htb -g 59605603 -d /shared

With custom mount point:

sudo python3 gid_spoofer.py -s 10.10.10.10:/export -g 1000 -d /tmp -m /mnt/custom

Keep environment after exploitation for manual inspection:

sudo python3 gid_spoofer.py -s 192.168.100.2:/srv/web -g 1000 -d /shared --no-cleanup

How It Works

  1. Mounts the target NFS share to a local mount point
  2. Creates or reuses a local group with the target GID
  3. Creates a local user with the target GID as primary group
  4. Compiles a static setgid binary that spawns a shell with the target GID
  5. Copies the binary to the NFS share with proper ownership
  6. Sets the setgid bit on the binary
  7. Cleans up local artifacts (user, group, mount)

On Target System

After successful deployment, execute the binary on the target system:

/shared/escalate_<GID> -p
id  # Verify you now have the target GID

The -p flag preserves the group privileges when spawning the shell.

Cleanup

The tool automatically cleans up after execution:

  • Unmounts the NFS share
  • Removes the mount point
  • Deletes the created local user
  • Deletes the created local group

To skip automatic cleanup, use the --no-cleanup flag.

Manual cleanup commands:

sudo umount /tmp/nfs_mount_<GID>
sudo userdel -f nfs_user_<GID>
sudo groupdel nfs_group_<GID>

Security Considerations

  • This tool requires root privileges on the attacking machine
  • Only use on systems you have permission to test
  • The setgid binary will remain on the NFS share after execution; automatic cleanup removes only the local artifacts (user, group, mount)
  • Ensure proper authorization before running this tool
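
An added defender-side example (not part of this repository's code): a Python audit that flags the export options this technique depends on and lists setuid/setgid files and group- or world-writable directories under an exported tree. The sample exports text and the names audit_exports and scan_export are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample in exports(5) syntax; not taken from any real host.
SAMPLE_EXPORTS = """\
/srv/web     *(rw,no_root_squash)
/srv/shared  10.0.0.0/24(rw,root_squash)
/srv/krb     *.corp.example(rw,sec=krb5p)
/srv/squash  *(rw,all_squash)
"""

def audit_exports(text):
    """Return (path, client, finding) for options that let a client pick its own IDs."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():   # join continued lines
        fields = line.split("#", 1)[0].split()
        for spec in fields[1:]:
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
            if not m or spec.startswith("-"):   # default-option lists are not handled
                continue
            client = m.group(1) or "*"          # "(rw)" with no host means any host
            opts = (m.group(2) or "").split(",")
            sec = [f for o in opts if o.startswith("sec=") for f in o[4:].split(":")]
            if "no_root_squash" in opts:
                findings.append((fields[0], client, "no_root_squash"))
            # sec=sys (the default) accepts whatever UID/GID the client sends.
            if "rw" in opts and "all_squash" not in opts and "sys" in (sec or ["sys"]):
                findings.append((fields[0], client, "trusts-client-gid"))
    return findings

def scan_export(root):
    """Return (relpath, kind, gid) for setuid/setgid files and group/world-writable dirs."""
    paths = [root] + [os.path.join(d, n) for d, ds, fs in os.walk(root) for n in ds + fs]
    hits = []
    for full in paths:
        st = os.lstat(full)
        rel = os.path.relpath(full, root)
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            hits.append((rel, "setid-file", st.st_gid))
        elif stat.S_ISDIR(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            hits.append((rel, "writable-dir", st.st_gid))
    return sorted(hits)

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding)
    for hit in scan_export("."):    # assumption: run from the exported directory
        print(*hit)
```

Files reported as setid-file have no effect where the filesystem is mounted with nosuid, since the kernel then ignores setuid and setgid bits on execution.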

Troubleshooting

Mount fails

  • Verify NFS share is accessible: showmount -e <target_ip>
  • Check firewall rules allow NFS traffic (port 2049)
  • Ensure NFS service is running on target

Binary compilation fails

  • Install GCC: sudo apt-get install gcc or sudo yum install gcc
  • Ensure static libraries are available
  • Check available disk space in /tmp

Permission denied when copying binary

  • Verify the target directory is writable by the target GID
  • Check NFS export options (no_root_squash, rw permissions)
  • Ensure the directory exists on the NFS share

Author

by @itsrez

License

This tool is provided for educational and authorized security testing purposes only.
