During a penetration test, you enumerate a Linux NFS server and discover that the /export directory is mounted with 'no_root_squash' and 'world_readable' permissions. Which of the following actions would allow you to escalate to root access on the NFS client?
Since no_root_squash is disabled, files created as root on the client retain root ownership on the server. A setuid binary executes with root privileges.
Why this answer
Option D is correct. With 'no_root_squash', a root user on the client can create files owned by root on the server. By mounting the share and creating a setuid binary owned by root, any local user on the client can execute it with root privileges.