Port 111 is associated with the Remote Procedure Call (RPC) protocol's portmapper service. The RPC portmapper service is often referred to as "rpcbind" in modern implementations.
Enumeration
```bash
# Check if rpcbind is running in the subnet
nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254
# Check if rpcbind is running on the box
nmap -sSUC -p 111 192.168.10.1
# Login to the port (null session), then run these inside rpcclient
rpcclient -U "" 10.11.1.111
srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall
querydispinfo
# rpcbind + NFS
nmap -p 111 --script nfs* 10.11.1.72
rpcinfo -p 10.11.1.111
# enum NFS shares
showmount -e 10.11.1.111   # show if we can mount

# Check more Port 2049 - NFS
sudo mount -t nfs 10.11.1.111:/ /mnt -o nolock   # mount remote share to local machine
sudo mount -t nfs -o nfsvers=3 10.11.1.72:/home /mnt/   # version 3
sudo mount -t nfs -o nfsvers=3 10.11.1.72:/home ~/oscp/lab/10.11.1.72/home/
# -o: options
# -t: types
# If you mount a folder which contains files or folders only accessible by some
# user (by UID), you can create locally a user with that UID and, using that user,
# you will be able to access the file/folder. For example, the folder permissions
# look like below.
# drwxr-xr-x 2 1014 1014 4096 home
# drwxr-xr-x 2 1014 1014 4096 folder1
cd home/ && ls
sudo adduser pwn
sudo sed -i -e 's/1001/1014/g' /etc/passwd
cat /etc/passwd | grep pwn
su pwn
```
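The UID-matching trick above works because an AUTH_SYS (`sec=sys`) export trusts whatever UID the client presents. As an added example that is not part of the original notes, this Python audit parses an `/etc/exports` file and flags the server-side conditions that make it possible (wildcard clients, no `all_squash`/Kerberos, `no_root_squash`, `insecure`); the sample exports, hosts and paths are constructed.

```python
import re

# Constructed sample /etc/exports content (hypothetical hosts and paths).
SAMPLE_EXPORTS = """\
/home        *(rw,sync,no_root_squash)
/srv/backup  10.11.1.0/24(rw,sync,all_squash,anonuid=65534,anongid=65534)
/srv/share   10.11.1.111(ro,sync,sec=krb5p)
/var/www     *.example.com(rw,insecure)
"""

# One export line: a path, then one or more "client(options)" entries.
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<clients>.+)$")
CLIENT_RE = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text):
    """Return a list of (path, client, option-set) tuples from exports text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        for cm in CLIENT_RE.finditer(m.group("clients")):
            opts = {o for o in (cm.group("opts") or "").split(",") if o}
            entries.append((m.group("path"), cm.group("host"), opts))
    return entries


def audit_entry(path, client, opts):
    """Findings for one export; each is a condition the UID trick relies on."""
    findings = []
    if client == "*" or client.startswith("*."):
        findings.append("wildcard client: any host reaching 111/2049 can mount")
    # Without all_squash or Kerberos, the server believes the UID the client
    # sends, so a local account with a matching UID gets the owner's access.
    if "all_squash" not in opts and not any(o.startswith("sec=krb5") for o in opts):
        findings.append("AUTH_SYS trust: client-chosen UID/GID is honoured")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: remote root acts as root on the export")
    if "insecure" in opts:
        findings.append("insecure: mounts accepted from unprivileged source ports")
    return findings


def audit_exports(text):
    """Map (path, client) -> list of findings; an empty list means nothing flagged."""
    return {(p, c): audit_entry(p, c, o) for p, c, o in parse_exports(text)}
```

Run `audit_exports(open("/etc/exports").read())` on an NFS server to see which exports still honour client-supplied UIDs; `all_squash` or `sec=krb5*` with explicit client hosts clears the finding.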