NFS shares are not only common to come across during the OSCP and in capture the flag events like Hack The Box, but they’re also common to see during internal pentest engagements. This post intends to serve as a guide for enumerating a NFS share and different opportunities for abusing their functionality.
Note: In Linux environments, NFS is sometimes used as a home directory server.
To list the available NFS shares, you can use the following:
showmount -e <ipAddr>
To list the connected clients, you can use the following:
showmount -a <ipAddr>
Mounting NFS Shares
First, we’ll need to create a mount point in Kali.
sudo mkdir /mnt/nfs-share
Then we can mount the open share to it.
sudo mount -t nfs <ipAddr>:/<shareName> /mnt/nfs-share
Then you can change into the mounted share.
Enumerating Mounted NFS Shares
Once you’ve mounted a share (using the above steps), we’ll want to enumerate them to see what they have and what permission you have to interact with it.
Obviously you can then read/copy files, but testing to see if you can write/delete is an important step.
Can you overwrite existing files? For example, say that Web.config was present in the share. Try the following:
mv /tmp/Web.config /mnt/nfs-share/Web.config
Sometimes interacting with the share directly can be slow, so it may be helpful to run the following command. This will get a list of all the files in the share along with their associated permissions, and write that into a text document locally on your machine. This will let you search through this local file to hunt for handy files rather than querying the remote system each time.
find . -ls > /tmp/nfs-share.dir