NFS
Network File System - access file systems over a network as if they were local.
NFSv4 only runs on a single port, 2049 (UDP or TCP).
NFS is based on the Open Network Computing Remote Procedure Call (ONC-RPC/SUN-RPC) protocol, exposed on TCP and UDP port 111.
nmap scan for nfs -> sudo nmap 10.129.14.128 -p111,2049 -sV -sC
get more info using rpcinfo -> rpcinfo -p <target-IP>
nmap nse scan for nfs -> sudo nmap --script "nfs*" 10.129.14.128 -sV -p111,2049
Show Available NFS Shares -> showmount -e 10.129.14.128
Mounting NFS Share:
> mkdir target-NFS
> sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock
> cd target-NFS
> tree .
.
└── mnt
    └── nfs
        ├── id_rsa
        ├── id_rsa.pub
        └── nfs.share
2 directories, 3 files
unmount -> sudo umount ./target-NFS
NFS for privilege escalation
If an NFS export is set to no_root_squash, we can leverage this for privilege escalation. See the NFS section in Linux Privilege Escalation.
Dangerous Settings
Option | Description |
---|---|
rw | Read and write permissions. |
insecure | Ports above 1024 will be used. |
nohide | If another file system was mounted below an exported directory, this directory is exported by its own exports entry. |
no_root_squash | All files created by root are kept with the UID/GID 0. |
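
Added example (not part of the original notes): a small Python audit that reads /etc/exports-style text and reports, per export and client, which options from the table above are set. The sample exports content, the host names and the `audit_exports` helper are constructed for illustration; it assumes unquoted paths and the `host(options)` form.

```python
import re

# Options from the "Dangerous Settings" table, with the reason to report.
DANGEROUS = {
    "rw": "clients can write to the export",
    "insecure": "requests from source ports above 1024 are accepted",
    "nohide": "file systems mounted below the export are exposed too",
    "no_root_squash": "remote root keeps UID/GID 0 on the export",
}

# One client spec: host, network or wildcard, optionally followed by (options).
CLIENT_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?$")

# Constructed sample in /etc/exports syntax, not taken from a real host.
SAMPLE_EXPORTS = """\
# path     client(options)
/mnt/nfs   10.129.14.0/24(rw,sync,no_root_squash)
/srv/docs  *(ro,sync,root_squash)
/srv/build buildhost(rw,insecure,nohide) \\
           backup(ro)
"""

def audit_exports(text):
    """Return (path, client, option, reason) for each dangerous option set."""
    findings = []
    text = text.replace("\\\n", " ")  # a trailing backslash continues the line
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = CLIENT_RE.match(spec)
            client, opts = m.group(1), m.group(2) or ""
            if spec.startswith("("):
                # Bare "(options)" with no host: treated here as any client.
                client, opts = "*", spec.strip("()")
            for opt in (o.strip() for o in opts.split(",")):
                if opt in DANGEROUS:
                    findings.append((path, client, opt, DANGEROUS[opt]))
    return findings

if __name__ == "__main__":
    for path, client, opt, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {opt} ({reason})")
```

Exports that only list `ro` and `root_squash` produce no findings, so a clean run is an empty list.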