0xPThree.gitbook.io
  • Network Services
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 23 - Telnet
      • 25, 465, 587 - SMTP(S)
      • 53 - DNS
      • 80, 443 - HTTP(S)
        • Frameworks
          • Drupal
          • Flask
          • Laravel
          • Tomcat
          • Werkzeug
        • Fuzzing
        • Grafana
        • Languages
          • PHP
        • WebDAV
        • Web Vulnerabilities
          • CloudFlare Bypass
          • Command Injection
          • CSTI
          • File Inclusion/Path Traversal
          • SQL Injection
          • SSI
          • SSTI
          • Upload bypass
          • XLST
          • XML Injection
      • 88 - Kerberos
      • 135, 593 - MSRPC
      • 139, 445 - SMB
      • 161, 162, 10161, 10162 - SNMP
      • 1433, 3306 - SQL
      • 2049 - NFS
      • 2375 - Docker
  • Active Directory
    • ADCS
    • DACL Abuse
      • AddMember
      • ForceChangePassword
      • Kerberoasting
      • ReadLAPSPassword
      • ReadGMSAPassword
      • Grant Ownership
      • Grant Rights
      • Logon Script
      • Rights on RODC object
    • Security groups
    • Misc
  • Coding Languages
    • Python
  • Exploits / PoC's
    • Ansible
      • Ansible AWX
    • Apache
      • HTTP Server - CVE-2021-41773
      • Struts - CVE-2024-53677 / S2-067
      • Tomcat - CVE-2020-1938 / CVE-2020-10487
      • Tomcat - CVE-2025-24813
    • Confluence - CVE-2023-22527
    • CUPS - CVE-2024-47***
    • D-Link
      • CVE-2020-29322
      • Decrypt firmware: DIR-X1560
    • Dmidecode - CVE-2023-30630
    • Erlang
      • OTP SSH - CVE-2025-32433
    • EternalBlue - MS17-010
    • Gitlab - CVE-2023-7028
    • Ivanti - CVE-2024-21893 / 21887
    • Jenkins - CVE-2024-23897
    • LXD group - N/A
    • nf_tables - CVE-2024-1086
    • NFS - N/A
    • Oracle
      • WebLogic - CVE-2018-2628
      • WebLogic - CVE-2019-2729
      • WebLogic - CVE-2023-21839
      • WebLogic - CVE-2024-20931
      • WebLogic - CVE-2024-21006
    • PHP
      • CVE-2024-4577
    • RunC
      • CVE-2022-0811
      • CVE-2024-21626
    • Snap - CVE-2019-7304
    • TP-Link - CVE-2024-5035
  • Hardware
    • Firmware
    • JTAG
    • SPI
    • UART
    • USB
  • Post Exploit
    • Compile payload
    • Obfuscation
    • Read VMDK files
    • Saved Credentials
      • Linux - Ansible AWX / Tower
      • Linux - Dell Networker
      • Windows - Mozilla Firefox
      • Windows - Notepad++
      • Windows - WinSCP
    • Session Hijack
    • Sniffing Passwords
    • Upgrade shell
    • VMware
      • Disk Encryption
      • LDAP Connection (SSO)
      • Restore VCSA Postgres Database
      • vCenter Forge SAML
      • Waiter Account Information
  • Development
    • Dnsmasq DHCP
    • Docker
      • Ansible AWX
      • Docker Compose
      • FirmAE - Emulate Firmware
      • Oracle WebLogic
      • Rocket.Chat
      • Tomcat
      • Vaultwarden
    • Harden Windows Host
    • HTTPS Proxy
    • Netplan + Networkd
    • SSL/TLS Certificates
  • TODO
Powered by GitBook
On this page
  • Interesting files
  • Dangerous settings

Was this helpful?

  1. Network Services
  2. Ports

2049 - NFS

Network File System or NFS is a file system protocol that allows users to share directories and files over a network. The NFS protocol is similar to the Samba protocol. However, unlike Samba, NFS provides an encryption mechanism and authentication. In addition, NFS server access is also restricted to specified hostnames and IP addresses.

If you mount a folder which contains files or folders only accesible by some user (by UID). You can create locally a user with that UID and using that user you will be able to access the file/folder.

$ nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}
$ showmount -e <IP>
$ mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock

Interesting files

$ /etc/exports
$ /etc/lib/nfs/etab

Dangerous settings

  • Read and Write Permissions (rw): This setting allows both reading from and writing to the file system. It's essential to consider the implications of granting such broad access.

  • Use of Insecure Ports (insecure): When enabled, this allows the system to utilize ports above 1024. The security of ports above this range can be less stringent, increasing risk.

  • Visibility of Nested File Systems (nohide): This configuration makes directories visible even if another file system is mounted below an exported directory. Each directory requires its own export entry for proper management.

  • Root Files Ownership (no_root_squash): With this setting, files created by the root user maintain their original UID/GID of 0, disregarding the principle of least privilege and potentially granting excessive permissions.

  • Non-Squashing of All Users (no_all_squash): This option ensures that user identities are preserved across the system, which could lead to permission and access control issues if not correctly handled.

Last updated 10 months ago

Was this helpful?