# NFS

## Background:

**Network File System:** allows a user on a client computer to access files over a computer network as if they were on locally-mounted storage.

**Portmapper and RPCbind:** run on TCP port 111. RPCbind maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number (often TCP port 2049) so it can communicate with the requested service. We can scan these ports with the nmap commands below.

## Scans:

**Scan for NFS open:**\
`#`<mark style="color:green;">`nmap -v -p 111 10.11.1.1-254`</mark>\
\
**Rpcinfo to find services that may have registered with rpcbind:**\
`#`<mark style="color:green;">`nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254`</mark>\
\
**NMAP NSE for NFS:**\
`#`<mark style="color:green;">`nmap -p 111 --script nfs* 10.11.1.72`</mark>

![](/files/-Mcql_KrDAZYZuNNn7vD)

If we get a result like this, where there is a directory we can mount, then the syntax is:\
`#`<mark style="color:green;">`mount -o nolock 10.11.1.72:/home ~/home/`</mark> //<mark style="color:yellow;">-o</mark> nolock is used to disable file locking\
`#`<mark style="color:green;">`cd home/ && ls`</mark>

![](/files/-McqlTCB0Ilt_9XvV8Ap)

We were denied read access to the file, so we try adding a local user with the same UID, 1014.\
`#`<mark style="color:green;">`sudo adduser pwn`</mark> //the new user was automatically assigned UID 1001, so we need to change it to 1014 to read the file.\
\
`#`<mark style="color:green;">`sudo sed -i -e 's/1001/1014/g' /etc/passwd`</mark> //<mark style="color:yellow;">-i</mark> edit the file in place, <mark style="color:yellow;">-e</mark> the sed expression to run\
Check with:\
`#`<mark style="color:green;">`cat /etc/passwd | grep pwn`</mark>\
`#`<mark style="color:green;">`su pwn`</mark>\
`#`<mark style="color:green;">`id`</mark>
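
The UID match above works because an export using the default `sec=sys` flavor trusts whatever UID the client sends. Seen from the server side, the following added example (not part of the original page) audits `exports(5)` lines for that and for exports any host can mount; the sample file, paths and addresses are constructed.

```python
import re

# Constructed sample in exports(5) syntax; paths and addresses are illustrative.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed)
/home        *(rw,sync,no_root_squash)
/srv/build   192.0.2.0/24(rw,sync,sec=krb5p) *(ro)
/srv/scratch 192.0.2.10(rw,all_squash,anonuid=65534)
/srv/legacy  192.0.2.20 (rw,insecure)
"""

# Matches "host(opts)", "(opts)" (no host means every host), or a bare "host".
CLIENT_RE = re.compile(r"(\S*?)\(([^)]*)\)|(\S+)")

def parse_exports(text):
    """Yield (path, client, options) per client entry (no quoting or line continuation)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        rest = fields[1] if len(fields) > 1 else ""
        for m in CLIENT_RE.finditer(rest):
            host = m.group(1) if m.group(3) is None else m.group(3)
            opts = {}
            for item in filter(None, (m.group(2) or "").split(",")):
                key, _, val = item.strip().partition("=")
                opts[key] = val
            yield fields[0], host or "*", opts

def audit(text):
    """Return (path, client, finding) tuples for risky export settings."""
    findings = []
    for path, client, opts in parse_exports(text):
        flavors = opts.get("sec", "sys").split(":")  # sec defaults to sys
        if client == "*":
            findings.append((path, client, "any host may mount"))
        if "no_root_squash" in opts:
            findings.append((path, client, "remote root is not squashed"))
        if "sys" in flavors and "all_squash" not in opts:
            findings.append((path, client, "sec=sys: client-supplied UID/GID is trusted"))
        if "insecure" in opts:
            findings.append((path, client, "unprivileged source ports accepted"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit(SAMPLE_EXPORTS):
        print(f"{path:<13} {client:<15} {finding}")
```

The `/srv/legacy` line shows the classic `exports` mistake: the space before `(rw,insecure)` gives `192.0.2.20` only default options and applies `rw,insecure` to every host.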

## NSE Scripts:

| [nfs-ls](https://nmap.org/nsedoc/scripts/nfs-ls.html)               | Attempts to get useful information about files from NFS exports. The output is intended to resemble the output of `ls`.         |
| ------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| [nfs-showmount](https://nmap.org/nsedoc/scripts/nfs-showmount.html) | Shows NFS exports, like the `showmount -e` command.                                                                             |
| [nfs-statfs](https://nmap.org/nsedoc/scripts/nfs-statfs.html)       | Retrieves disk space statistics and information from a remote NFS share. The output is intended to resemble the output of `df`. |


