NFS / RPC (ports 2049 / 111)
01. Basic Enumerations
## ------------------| Nmap Scan
sudo nmap --script nfs* -sV -p111,2049 <IP>
## ------------------| List mounts
showmount -e 10.10.10.180
## ------------------| List both the client and hostname or IP
showmount -a 10.10.10.180
02. Mount option
sudo mkdir -p /mnt/remote
sudo mount -t nfs 10.10.10.180:/site_backups /mnt/remote
03. Privilege Escalation
### If the "no_root_squash" option is present on a writable share, we can create an executable with the SUID bit set and run it on the target system
## ------------------| Check if no_root_squash is present? (/etc/exports lives on the NFS server, so this needs a shell there)
grep no_root_squash /etc/exports
## ------------------| List mounts and mount it to our local machine
showmount -e <IP>
sudo mkdir -p /mnt/new
sudo mount -t nfs <IP>:/<WritableShares> /mnt/new
sudo mount -t nfs -o vers=2 <IP>:/<WritableShares> /mnt/new    # fallback if the default NFS version is refused
### Create a SUID binary and place it, then execute it via the attacker's machine.
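The escalation above only works because of how the server's /etc/exports is written. As an added example (not part of the original cheat sheet), this POSIX shell script audits an exports file for the two settings that matter: a writable share with no_root_squash, and a writable share exported to every host. The sample /etc/exports it reads is constructed here; the share paths and client addresses in it are placeholders.

```shell
#!/bin/sh
# Added example: audit an /etc/exports file for risky settings.
# Not the cheat sheet's own code; the sample exports file below is constructed.

EXPORTS_SAMPLE="$(mktemp)"
cat > "$EXPORTS_SAMPLE" <<'EOF'
# constructed sample /etc/exports
/site_backups   *(rw,sync,no_root_squash,no_subtree_check)
/home/projects  10.10.10.0/24(rw,sync,root_squash)
/srv/iso        *(ro,sync)
/tmp/shared     *(rw,sync)
EOF

# audit_exports FILE
#   Prints one line per risky export and returns the number of findings.
#   CRITICAL: share is writable (rw) and root is not squashed -> SUID escalation path
#   WARNING : share is writable and exported to any host ("*" or no client given)
audit_exports() {
    findings=$(awk '
        /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i
                opts = ""
                # split "host(opt,opt)" into host and option list
                if (match(client, /\(.*\)/)) {
                    opts   = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                padded = "," opts ","              # so /,rw,/ matches whole options only
                rw  = (padded ~ /,rw,/)
                nrs = (padded ~ /,no_root_squash,/)
                if (rw && nrs)
                    print "CRITICAL " path " " client ": rw + no_root_squash (use root_squash or all_squash)"
                else if (rw && (client == "*" || client == ""))
                    print "WARNING " path " " client ": writable export to any host (restrict clients)"
            }
        }' "$1")
    [ -n "$findings" ] && printf '%s\n' "$findings"
    n=$(printf '%s\n' "$findings" | grep -c . || true)
    return "$n"
}

# Stand-alone run: print findings, then the count (return value).
audit_exports "$EXPORTS_SAMPLE" || echo "findings: $?"
```

Run it against a copy of the server's /etc/exports; a clean file prints nothing and returns 0. Fixing a CRITICAL line means replacing no_root_squash with root_squash (the default) or all_squash, and a WARNING line means replacing "*" with the specific client hosts or subnet.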