2049/111) NFS/RPC

01. Basic Enumerations

## ------------------| Nmap Scan (quote the script glob so the shell does not expand it)
sudo nmap --script "nfs*" -sV -p111,2049 <IP>

## ------------------| List mounts
showmount -e 10.10.10.180

## ------------------| List both the client and hostname or IP
showmount -a 10.10.10.180

02. Mount option

sudo mkdir -p /mnt/remote
sudo mount -t nfs 10.10.10.180:/site_backups /mnt/remote

03. Privilege Escalation

### If the “no_root_squash” option is present on a writable share, we can create an executable with SUID bit set and run it on the target system
## ------------------| Check if no_root_squash is present (/etc/exports lives on the NFS server)
grep no_root_squash /etc/exports

## ------------------| List mounts and mount it to our local machine
showmount -e <IP>
sudo mkdir -p /mnt/new
sudo mount -t nfs <IP>:/<WritableShares> /mnt/new
sudo mount -t nfs -o vers=2 <IP>:/<WritableShares> /mnt/new   # if the default protocol version is refused, force NFSv2

### Create a SUID binary on the mounted share from the attacker's machine, then execute it on the target.
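The whole path above hinges on how the export is configured, so the defender-side check is to audit the exports file for the settings that enable it. The script below is an added example, not part of the original cheat sheet: it parses exports(5) lines and reports `no_root_squash`, wildcard or missing client specs, and `insecure`/`insecure_locks`. The sample exports content it runs against is constructed for illustration; on a real NFS server you would call `audit_exports /etc/exports`.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: a defender-side audit of
# an exports file for the options behind the SUID trick described above.
# The sample exports content is constructed for illustration; on a real NFS
# server run `audit_exports /etc/exports`.

# Print one finding per risky setting on a single exports(5) line:
#   - no_root_squash: a client's root keeps uid 0 on the share
#   - wildcard or missing client spec: any host may mount the export
#   - insecure / insecure_locks: requests from unprivileged source ports are
#     accepted, so any local user on a client host can speak to the server
audit_export_line() {
    case "$1" in ''|\#*) return 0 ;; esac     # blank line or comment
    set -f                                    # no globbing while we split "*(rw)"
    set -- $1                                 # word-split on spaces/tabs
    set +f
    share=$1
    shift
    [ $# -eq 0 ] && echo "$share: no client spec (defaults apply to any host)"
    for entry in "$@"; do
        client=${entry%%\(*}                  # text before "(" is the client spec
        opts=${entry#"$client"}
        opts=${opts#\(}
        opts=${opts%\)}
        case "$client" in
            ''|'*') echo "$share: exported to any host via '$entry'" ;;
        esac
        case ",$opts," in
            *,no_root_squash,*) echo "$share: no_root_squash for '$client' (remote root keeps uid 0)" ;;
        esac
        case ",$opts," in
            *,insecure,*|*,insecure_locks,*) echo "$share: insecure option set for '$client' (unprivileged source ports accepted)" ;;
        esac
    done
    return 0
}

# Audit every line of an exports file; output is empty when nothing is risky.
audit_exports() {
    while IFS= read -r line || [ -n "$line" ]; do
        audit_export_line "$line"
    done < "$1"
}

# Write a constructed sample exports file and print its path.
sample_exports_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not from a real host
/srv/site_backups   *(rw,sync,no_root_squash)
/srv/backup         10.0.0.0/24(rw,sync,root_squash)
/srv/public         (ro,insecure)
/srv/home           192.168.1.50(rw,sync,no_subtree_check)
EOF
    echo "$f"
}

sample=$(sample_exports_file)
audit_exports "$sample"
rm -f "$sample"
```

On the constructed sample this flags the first export twice (world-mountable and `no_root_squash`) and the third twice (no client spec and `insecure`), while the two exports restricted to a network or host with `root_squash` produce nothing. Fixing a flagged line means naming the client hosts or network explicitly and dropping `no_root_squash` unless a specific client genuinely needs it.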
