{"id":386,"date":"2019-09-08T14:49:51","date_gmt":"2019-09-08T12:49:51","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=386"},"modified":"2021-01-09T14:00:16","modified_gmt":"2021-01-09T13:00:16","slug":"nfs","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=386","title":{"rendered":"<span class=\"caps\">NFS<\/span> Network File System"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Dis\u00adplays all avail\u00adable net\u00adwork shares:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">showmount -e $target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Nor\u00admal&nbsp;mount<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mount -t nfs $target:\/home \/mnt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Mount\u00ading with <a href=\"https:\/\/github.com\/bonsaiviking\/NfSpy\">nfspy<\/a> \u2014 with the hide option, it mounts and unmounts for the serv\u00ader so the vic\u00adtim can\u00adnot see the new con\u00adnec\u00adtion via showmount.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nfspy -o server=192.168.1.124:\/home,hide,allow_other,ro,intr \/mnt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Mount via&nbsp;<span class=\"caps\">SSH<\/span><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -N -L 3049:localhost:2049 user@hostname\nmount -t nfs -o port=3049 -o proto=tcp localhost:\/home \/mnt<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Notes<\/h1>\n\n\n\n<ul class=\"wp-block-list\"><li>If you could mount a share but don\u2019t have access to files, cre\u00adate on the host sys\u00adtem an user or a gid and access with this&nbsp;user.&nbsp;<ul><li>If this not direct\u00adly works, try to mount in anoth\u00ader <span class=\"caps\">NFS<\/span> ver\u00adsion (<a href=\"https:\/\/blog.christophetd.fr\/write-up-vulnix\/\">here is the expla\u00adna\u00adtion<\/a>), e.g.<\/li><li> <pre># mount -t nfs -o vers=3 $target:\/home \/mnt<\/pre>  <\/li><\/ul><\/li><li>Attack idea: <ul><li>Access a <span class=\"caps\">NFS<\/span> share and add a <span class=\"caps\">SUID<\/span>&nbsp;bit.<\/li><li>On the vic\u00adtim, access this pro\u00adgram \/ file to get&nbsp;root!&nbsp;<\/li><\/ul><\/li><li><span class=\"caps\">NFS2<\/span> does\u00adn\u2019t sup\u00adport authen\u00adti\u00adca\u00adtion! <strong>Try vers=2<\/strong> !<\/li><li>Behind prox\u00ady\u00adchains? <ul><li><a href=\"https:\/\/medium.com\/@sebnemK\/how-to-bypass-filtered-portmapper-port-111-27cee52416bc\">Have a look to this arti\u00adcle in com\u00adbi\u00adna\u00adtion with portmap!<\/a> <\/li><\/ul><\/li><\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Links<\/h1>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/blog.netspi.com\/linux-hacking-case-studies-part-2-nfs\/\"><span class=\"caps\">NFS<\/span> hack\u00ading<\/a><\/li><li><a href=\"https:\/\/www.errno.fr\/nfs_privesc.html\">Exploit\u00ading&nbsp;<span class=\"caps\">NFS<\/span><\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Dis\u00adplays all avail\u00adable net\u00adwork shares: show\u00admount \u2011e $tar\u00adget Nor\u00admal&nbsp;mount mount \u2011t nfs $target:\/home \/mnt Mount\u00ading with nfspy \u2014 with the hide option, it mounts and unmounts for the serv\u00ader so the vic\u00adtim can\u00adnot see the new con\u00adnec\u00adtion via show\u00admount. nfspy \u2011o server=192.168.1.124:\/home,hide,allow_other,ro,intr \/mnt Mount via&nbsp;<span class=\"caps\">SSH<\/span> ssh \u2011N \u2011L 3049:localhost:2049 user@hostname mount \u2011t nfs \u2011o port=3049 [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[323],"tags":[50,107,108,106,109],"class_list":["post-386","post","type-post","status-publish","format-standard","hentry","category-protocol","tag-enumeration","tag-file-system","tag-network-file-system","tag-nfs","tag-showmount"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/386","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=386"}],"version-history":[{"count":15,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/386\/revisions"}],"predecessor-version":[{"id":2097,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/386\/revisions\/2097"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}