# RPC & NFS | 111, 2049 ### 01. Basic Enumerations ```bash ## ------------------| Nmap Scan sudo nmap --script nfs* -sV -p111,2049 $IP ## ------------------| List mounts showmount -e $IP ## ------------------| List both the client and hostname or IP showmount -a $IP ``` ### 02. Mount option ```bash sudo mkdir -p /mnt/remote sudo mount -t nfs $IP:/ /mnt/remote sudo mount -t nfs $IP:/ /mnt/remote -o nolock sudo mount -t nfs $IP:/site_backups /mnt/remote sudo mount -t nfs $IP:/site_backups /mnt/remote -o nolock ``` ### 03. Privilege Escalation ```bash ### If the “no_root_squash” option is present on a writable share, we can create an executable with SUID bit set and run it on the target system ## ------------------| Check if no_root_squash is present? cat /etc/exports | grep no_root_squash ## ------------------| List mounts and mount it to our local machine showmount -e $IP sudo mkdir -p /mnt/new sudo mount -t nfs $IP:/ /mnt/new sudo mount -t nfs -o vers=2 $IP:/ /mnt/new ### Create a SUID binary and place it. then execuite it via attackers machine. ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.h4rithd.com/tcp/2049-nfs.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.