> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/nfs/trick-0045.md).

# NFS UID Spoofing for Access Bypass

***

On vulnerable NFS shares (those not properly configured with `root_squash` or relying solely on UID/GID mapping), you can bypass file permissions by impersonating a remote user. This is done by creating a local user and group with the same UID and GID as the owner of the files you want to access on the remote share.

First, identify potential shares using `showmount` and then mount them. The `showmount` command is used to show mount information for an NFS server. With the `-e` flag, it will show the server's export list.

```bash
showmount -e <target_ip>
```

If an interesting share is found, it can be mounted to the local machine. Root privileges are needed to mount the share.

```bash
sudo mount -t nfs <target_ip>:/remote/path /local/mountpoint
```

It's important to understand the server's export configuration. If the share is exported with the `no_root_squash` option, the root user on the client machine will have root privileges on the server machine for that share. This is a serious misconfiguration. If the share is exported with `root_squash` (which is the default and more secure option), root on the client machine will be mapped to the `nobody` user on the server machine. However, other users on the client machine will have the same privileges as users with the same UID/GID on the server machine. This means a user can be created on the local machine with the same UID/GID as a user on the server machine and access files as that user.

Once mounted, navigate to the mounted directory and list the contents using `ls -la` to check permissions and ownership, specifically identifying the UID and GID of the target files or directories.

```bash
ls -la /local/mountpoint
```

Using the identified `<Remote_UID>` and `<Remote_GID>`, create a local user and group with those exact IDs.

```bash
sudo useradd fakeuser
sudo usermod -u <Remote_UID> fakeuser
sudo groupmod -g <Remote_GID> fakeuser
```

Finally, switch to this newly created local user. When accessing the mounted NFS share as `fakeuser`, the local UID/GID will match the remote user's, potentially granting access to files and directories owned by that remote user.

```bash
sudo su fakeuser
```
