NFS
Source CTF and HTB Academy
TCP and UDP ports 2049 or 111
Network File System (NFS) is a network file system developed by Sun Microsystems and has the same purpose as SMB. Its purpose is to access file systems over a network as if they were local. However, it uses an entirely different protocol.
Default configuration
cat /etc/exports
rw
Read and write permissions.
ro
Read only permissions.
sync
Synchronous data transfer. (A bit slower)
async
Asynchronous data transfer. (A bit faster)
secure
Ports above 1024 will not be used.
insecure
Ports above 1024 will be used.
no_subtree_check
This option disables the checking of subdirectory trees.
root_squash
Assigns all permissions to files of root UID/GID 0 to the UID/GID of anonymous, which prevents root from accessing files on an NFS mount.
Dangerous settings
insecure
Ports above 1024 will be used.
nohide
If another file system was mounted below an exported directory, this directory is exported by its own exports entry.
no_root_squash
All files created by root are kept with the UID/GID 0.
Enumeration
Nmap
sudo nmap 10.129.14.128 -p111,2049 -sV -sCsudo nmap --script nfs* 10.129.14.128 -sV -p111,2049
Mount an NFS service
sudo apt install nfs-commoninstall showmountshowmount -e 10.129.14.128show availables NFS sharesmkdir target-NFScreate a directory to mount our targetMount
sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolockmount our target in our newly created dircd target-NFStree .ls -l mnt/nfs/List Contents with Usernames & Group Namesls -n mnt/nfs/List Contents with UIDs & GUIDs
Unmount
cd ..sudo umount ./target-NFS
We can also use NFS for further escalation. For example, if we have access to the system via SSH and want to read files from another folder that a specific user can read, we would need to upload a shell to the NFS share that has the SUID of that user and then run the shell via the SSH user.
Last updated