Next we will be going through the Footprinting NFS questions in the Hack The Box Module Footprinting. As usual, the answers are redacted, but please feel free to follow along for exlainations!

1. Enumerate the NFS service and submit the contents of the flag.txt in the “nfs” share as the answer.

As always we are going to start with an nmap that targets the NFS ports (111, 2049):

sudo nmap -sC -sV 10.129.134.185 -p111,2049 -oA nfs
[sudo] password for dclancey: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 21:03 EDT
Nmap scan report for 10.129.134.185
Host is up (0.085s latency).

PORT     STATE SERVICE VERSION
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
<SNIP>
2049/tcp open  nfs     3-4 (RPC #100003)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.68 seconds

Now that we have confirmed that NFS is running, we can mount the share and look for the flag in the nfs share:

showmount -e 10.129.134.185                                      
Export list for 10.129.134.185:
/var/nfs      10.0.0.0/8
/mnt/nfsshare 10.0.0.0/8

sudo mount -t nfs 10.129.134.185:/ ./target-nfs -o nolock                                                                                                
┌──(dclancey㉿kali)-[~/htb/academy/footprinting]
└─$ ls -la target-nfs/var           
total 12
drwxr-xr-x 14 root   root    4096 Nov  8  2021 .
drwxr-xr-x 20 root   root    4096 Mar 15 11:09 ..
drwxr-xr-x  2 nobody nogroup 4096 Nov  8  2021 nfs
                                                                            
┌──(dclancey㉿kali)-[~/htb/academy/footprinting]
└─$ ls -la target-nfs/var/nfs 
total 12
drwxr-xr-x  2 nobody nogroup 4096 Nov  8  2021 .
drwxr-xr-x 14 root   root    4096 Nov  8  2021 ..
-rw-r--r--  1 nobody nogroup   39 Nov  8  2021 flag.txt
                                                                       
┌──(dclancey㉿kali)-[~/htb/academy/footprinting]
└─$ cat target-nfs/var/nfs/flag.txt
[Redacted Flag]

2. Enumerate the NFS service and submit the contents of the flag.txt in the “nfsshare” share as the answer.

We do the same as above only looking for the nfsshare share:

┌──(dclancey㉿kali)-[~/htb/academy/footprinting]
└─$ ls -la target-nfs/mnt/nfsshare/      
total 12
drwxr-xr-x 2 nobody nogroup 4096 Nov  8  2021 .
drwxr-xr-x 3 root   root    4096 Nov  8  2021 ..
-rw-r--r-- 1 nobody nogroup   59 Nov  8  2021 flag.txt
                                                                                                                    
┌──(dclancey㉿kali)-[~/htb/academy/footprinting]
└─$ cat target-nfs/mnt/nfsshare/flag.txt 
[Redacted Flag]