> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-10/filesystem/trick-0359.md).

# Mount NFS Share via SSH Tunnel

***

Access a remote NFS share that isn't directly exposed to your network by tunneling the connection through an active SSH session. Configure the local mount command to direct traffic to the local end of the SSH tunnel (typically via `127.0.0.1` and the local forwarded port). This requires `sudo` privileges on the attacker machine to mount file systems.

NFS relies on the portmapper service (rpcbind/portmap), which typically runs on TCP and UDP port 111, in addition to the NFS service itself, which commonly runs on TCP and UDP port 2049. Therefore, when tunneling NFS, it is often necessary to forward both the portmapper port and the NFS port through the SSH tunnel.

For example, to tunnel the remote portmapper (111) to your local port 111 and the remote NFS service (2049) to your local port 1111, you could use a command like this, potentially running in the background with `-f -N`:

```bash
ssh -f -N -L 111:remote_nfs_server_ip:111 -L 1111:remote_nfs_server_ip:2049 user@ssh_server_ip
```

Once the tunnel is established, if the target machine has an NFS export at `/home/james`, you would mount it locally using the forwarded NFS port:

```bash
sudo mount -o port=1111 -t nfs 127.0.0.1:/home/james /home/d0n/ctf/overpass3
```

In this mount command, `127.0.0.1` refers to the local machine where the tunnel terminates, and `port=1111` specifies the local port that forwards traffic to the remote NFS service. The client should then be able to utilize the portmapper tunneled to local port 111.
