NFS (tcp-111)
Post

NFS (tcp-111)

17/02/2023
shuciran
2

NMAP

Scan port and info on NFS

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.181.201
...
111/tcp open  rpcbind
| nfs-showmount: 
|_  /var *
| nfs-statfs: 
|   Filesystem  1K-blocks  Used       Available  Use%  Maxfilesize  Maxlink
|_  /var        9204224.0  1836540.0  6877088.0  22%   16.0T        32000
| nfs-ls: Volume /var
|   access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION  UID  GID  SIZE  TIME                 FILENAME
| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  .
| rwxr-xr-x   0    0    4096  2019-09-04T12:27:33  ..
| rwxr-xr-x   0    0    4096  2019-09-04T12:09:49  backups
| rwxr-xr-x   0    0    4096  2019-09-04T10:37:44  cache
| rwxrwxrwt   0    0    4096  2019-09-04T08:43:56  crash
| rwxrwsr-x   0    50   4096  2016-04-12T20:14:23  local
| rwxrwxrwx   0    0    9     2019-09-04T08:41:33  lock
| rwxrwxr-x   0    108  4096  2019-09-04T10:37:44  log
| rwxr-xr-x   0    0    4096  2019-01-29T23:27:41  snap
| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  www
|_
MAC Address: 02:8E:3F:CE:25:87 (Unknown)

Additional info on nfs scripts

1

ls -1 /usr/share/nmap/scripts/nfs*

Mount a file System

Create a directory and mount it:

1
2
3
4
5
6

mkdir home

sudo mount -o nolock 10.11.1.72:/home ~/home/

kali@kali:~$ cd home/ && ls
jenny  joe45  john  marcus  ryuu

Permissions on Mounted NFS

If you lack of permissions then it is possible to create a new user if owner has a UUID of 1014, and also read (r)write (w), and execute (x) permissions on it. What can we do with this information? Since we have complete access to our Kali machine, we can try to add a local user to it using the adduser command, change its UUID to 1014, su to that user, and then try accessing the file again:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

kali@kali:~/home/stefan$ sudo adduser pwn
Adding user 'pwn' ...
Adding new group 'pwn' (1001) ...
Adding new user 'pwn' (1001) with group 'pwn' ...
Creating home directory '/home/pwn' ...
Copying files from '/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for pwn
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n]

Based on the output above, we can see that the new user has a UUID of 1001, which is not really what we need. We can change it to 1014 using sed and confirm the change took place. The -i option is used to replace the file in-place and the -e option executes a script. In this case, that happens to be ’s/1001/1014/g’, which will globally replace the UUID in the /etc/passwd file:

1
2
3
4

sudo sed -i -e 's/1001/1014/g' /etc/passwd

cat /etc/passwd | grep pwn
pwn:x:1014:1014:,,,:/home/pwn:/bin/bash

We will use the su command to change the current login session’s owner. Then, we will use id to display our current user ID. Finally, we will try to access the file again:

1
2
3
4
5
6
7

kali@kali:~/home/marcus$ su pwn

pwn@kali:/root/home/marcus$ id
uid=1014(pwn) gid=1014 groups=1014

pwn@kali:/root/home/marcus$ cat creds.txt
Not what you are looking for, try harder!!! :O)
01 Enumeration, NFS (tcp-111)
nfs enumeration