NFS (2049, 111)

Nmap

nmap 10.129.14.128 -p111,2049 -sV -sC

nmap --script nfs* 10.129.14.128 -sV -p111,2049

[Apr 05, 2024 - 02:07:39 (EDT)] exegol-CPTS /workspace # locate -r nse$|grep nfs
/usr/share/nmap/scripts/nfs-ls.nse
/usr/share/nmap/scripts/nfs-showmount.nse
/usr/share/nmap/scripts/nfs-statfs.nse

Dangerous settings

Option	Description
rw	Read and write permissions.
insecure	Ports above 1024 will be used.
nohide	If another file system was mounted below an exported directory, this directory is exported by its own exports entry.
no_root_squash	All files created by root are kept with the UID/GID 0.

Available NFS Shares

$ showmount -e 10.129.14.128

Export list for 10.129.14.128:
/mnt/nfs 10.129.14.0/24

NXC

nxc nfs [IP] --shares

nxc nfs [IP] --enum-shares

Mounting NFS share

$ mkdir target-NFS
$ sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock
$ cd target-NFS
$ tree .

.
└── mnt
    └── nfs
        ├── id_rsa
        ├── id_rsa.pub
        └── nfs.share

2 directories, 3 files

/!\ fonctionne pas sous Exegol - sous Ubuntu ok:

osboxes@osboxes:~/Desktop$ sudo apt-get install nfs-common
osboxes@osboxes:~/Desktop$ sudo mount -t nfs 10.129.202.5:/ ./target-NFS/
osboxes@osboxes:~/Desktop$ tree target-NFS/
target-NFS/
├── mnt
│   └── nfsshare
│       └── flag.txt
└── var
    └── nfs
        └── flag.txt

5 directories, 2 files

Unmounting

0xss0rz@htb[/htb]$ cd ..
0xss0rz@htb[/htb]$ sudo umount ./target-NFS

If "Device is busy": sudo umount -l ./Desktop/target-NFS

Upload / Download File with NetExec

NetExec nfs <ip> --get-file /home/user/Desktop/test/test.txt test.txt

NetExec nfs <ip> --put-file test2.txt /home/user/Desktop/