LINUX - NFS
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5FGDvdgulLa_oe00GUeq5BDom0q12J6Tk_l28G2-kA8i-0XDQeHZtFsChxDnEjEar0TeM-Sfges1c_7TNjp72yn1_7UYhfEZ6ZPOoUjXEODz7L1VcOk-rFlXNp-kdf6-n9h6_GcPogBvC/s1600/M2_LAYOUT.jpg)
- NFS (Network File System) is a service available on Linux systems that lets users manage shared folders over a network. If it is misconfigured, NFS can become a serious vulnerability that gives attackers access to the whole system.
- The attacker discovers the NFS service running on port 2049:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5hRZx87zWk5RyM-AFGoCV4CltrqMjEsmGRcSpGwdKsh3Bo_Q1eZmxMaW_A5cIMh86AnLdl6ln_Bdk4MWBB3lVUnwfJLAU4qtoVmATQ7uiuDSIY0No4krprady8ZFxl_jwMrnIirea2pPL/s1600/screenshot.1.jpg)
- showmount displays the list of directories exported by a specific machine, in this case the vulnerable victim's IP.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsJnogV6UahgwcKr5QOYXuUXdWK1R_ZWjRmNdgkeh9ktnZ_3H_qJ-OZMkay3-4LoxoWzfw2cenCprrdZljW8HsLj-eEa0D6xbb5XZ8UJaeNfnsgqi1fxt62Ush-Kx_yRlHAoS09TFjf0jc/s1600/screenshot.2.jpg)
- The result (/ *) shows that even the root directory of the victim is exported, and to every client (*), which is a huge security breach, because the whole filesystem can be mounted by any attacker.
- As a consequence, the filesystem listed by showmount can be mounted into a temporary folder on the attacker's machine. The nolock option disables file locking:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxvjIzr9S83GrNLIkPWPtfya6w5DlSN_wR5t9A-alMtm5OWadwzXeV65g1Sj2z_Nv-q6bzRXX7bJzVMbI_0Y9Pa3BI-4DlQaZDuYbhaSs0FJG8nPW31uvFGThIm0TC1sSJyFQlayNk0OO9/s400/screenshot.3.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR5N110A_5JOMy2Aq-4ukc1lQ5JCZKrpDW1yh2kth4PqG7ZxqTMhGbUSd3b2vyyfCoVr9inQUUlDaR885cVQQ0UF-ZKQpOiineMZzt8b04AcGI0yq4Qtrmb-o3zgiFpYACONK697WDnzf2/s1600/screenshot.4.jpg)
- As a result, the attacker can see locally the whole content of the remote system:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzonzdSvf-IUQf_2LPXtOjrDYjEuTT_POea5tsBX3DFMFudfm9n20XX3YZOo7EK720PMf645NmbHNzSmgmbF163wrTgxZ5jI2qPWgcBQKTJv5TBqVPkf8tILOzu-hB-vyH_oNsMJDL-wgw/s1600/screenshot.6.jpg)
- For instance, /etc/passwd is obtained by the attacker:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDo5EHqv51GklwCogvedenxwaMxk5lxJFPgPz-8UcaR6jbANAxB_Sd_ybDFP_Ufi36nQelZ3q7y5OLFQNYuuqa2TbCXVJR0fzzKL-Z5iQy00uryiaKDHrDqkUbSCBNSTvLMR3kCSGUmRWN/s1600/screenshot.7.jpg)
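The misconfiguration behind this exercise lives in the server's /etc/exports: the root directory exported to the wildcard client. The following script is an added example, not part of the original exercise or of the vulnerable machine; it audits an exports file for the three settings that make this attack possible (the root filesystem exported, an export open to every host, and no_root_squash) and shows a hardened entry beside the weak one. The two exports files it reads are constructed inline for the example; the parsing assumes the standard exports(5) layout of `path client(options) ...`.

```shell
#!/bin/sh
# Added example: audit an /etc/exports file for the NFS misconfiguration shown
# in the walkthrough. Not code from the original post.

# Constructed weak sample (not copied from the victim): "/" exported to any host,
# writable, and with remote root kept as uid 0.
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# sample /etc/exports (constructed for this example)
/            *(rw,sync,no_root_squash)
/home/share  192.168.56.0/24(ro,sync)
/srv/backup  *(rw,no_subtree_check)
EOF

# Constructed hardened sample: one directory, one subnet, read-only, root squashed.
SAFE_EXPORTS=$(mktemp)
cat > "$SAFE_EXPORTS" <<'EOF'
/home/share  192.168.56.0/24(ro,sync,root_squash)
EOF
trap 'rm -f "$SAMPLE_EXPORTS" "$SAFE_EXPORTS"' EXIT

# audit_exports FILE
# Prints one finding per line in the form "path client: reason".
audit_exports() {
  awk '
    { sub(/#.*/, "") }          # drop comments (fields are re-split afterwards)
    NF < 2 { next }             # skip blank lines and entries without a client spec
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        spec = $i; client = spec; opts = ""
        # split "client(opt,opt)" into client and its option list
        if (match(spec, /\(.*\)/)) {
          client = substr(spec, 1, RSTART - 1)
          opts = substr(spec, RSTART + 1, RLENGTH - 2)
        }
        # an empty client (e.g. "/ (rw)") also means every host
        anyhost = (client == "*" || client == "")
        if (path == "/")
          printf "%s %s: exports the root filesystem\n", path, client
        if (anyhost)
          printf "%s %s: exported to every host (no client restriction)\n", path, client
        if (opts ~ /(^|,)no_root_squash(,|$)/)
          printf "%s %s: no_root_squash (remote root keeps uid 0 on the share)\n", path, client
      }
    }' "$1"
}

# count_risky_exports FILE
# Prints the number of findings, so a script can gate on it.
count_risky_exports() {
  audit_exports "$1" | wc -l | tr -d ' '
}

echo "== weak sample =="
audit_exports "$SAMPLE_EXPORTS"
echo "findings: $(count_risky_exports "$SAMPLE_EXPORTS")"
echo "== hardened sample =="
audit_exports "$SAFE_EXPORTS"
echo "findings: $(count_risky_exports "$SAFE_EXPORTS")"
```

Run it against the real /etc/exports with `audit_exports /etc/exports`; anything it flags on the weak sample corresponds to what showmount reveals in the screenshots, and the hardened entry produces no findings. After changing /etc/exports, `exportfs -ra` reloads the table and `showmount -e localhost` confirms what is now visible to clients.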