Abusing Rsync misconfiguration to get persistent access via SSH
Today, while I was doing a boot2root challenge, I came across a box that was a lot of fun. It was not hard, but the way it made me think outside the box made me like it a lot. So here is a two-part article on how I did this box. The first part is abusing the rsync protocol to get persistent access via SSH, and the second one will be abusing a Fail2ban misconfiguration to get root privileges.
Let’s start, shall we?
Running Nmap against the TCP ports showed me only two open ports: SSH and rsync.
Not much attack surface. At this stage, I ran an RDP scan in the background while taking a look at rsync.
From Wikipedia: rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive and across networked computers by comparing the modification times and sizes of files.
Rsync is typically used for synchronizing files and directories between two different systems. For example, if the command rsync local-file user@remote-host:remote-file is run, rsync will use SSH to connect as user to remote-host. Once connected, it will invoke the remote host's rsync, and the two programs will then determine what parts of the local file need to be transferred so that the remote file matches the local one.
Rsync can also operate in a daemon mode (rsyncd), serving and receiving files in the native rsync protocol (using the “rsync://” syntax).
With a general understanding of the rsync protocol, let's see what shares are hosted on the rsync daemon. For this, we simply reply with the same banner the server sent (@RSYNCD: 31.0) and then send #list to the server.
There is only one shared folder, fox, and its comment tells us that it is fox's home. Another way of finding shared folders is to use the rsync daemon
The second step is to determine whether accessing the shared folder requires authentication. To do this we simply send the name of the share we want to access; if we get OK back, no authentication is required.
It looks like no authentication is required, which means we can copy files from the shared folder.
We copied the contents of the shared folder fox into a local folder on our machine called shared_files.
The files inside the fox folder look like those of a home directory on a Linux machine, which was also hinted at by the comment we saw when we first discovered the fox share.
At this stage, I took a step back and reviewed what I got from my Nmap scan. SSH was open; maybe if I upload a .ssh folder into the shared fox folder I can SSH into the box as fox.
Let's start by generating SSH keys and copying the public key into authorized_keys inside a .ssh folder on our machine. Then make the private key secure (chmod 600).
Now that we have everything in place, let's upload the .ssh folder to the shared folder fox and then SSH in as fox.
That was the first part. The second one will be about privilege escalation via Fail2ban.
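The whole chain rests on one daemon misconfiguration: a module that is writable, needs no auth users, and serves a user's home directory. Such modules can be spotted from rsyncd.conf itself; the auditor below is an added example, not code from the original post, and the rsyncd.conf it parses is constructed (it handles only the [module] and param = value syntax, with pre-module lines treated as global defaults, as rsyncd does).

```python
"""Audit rsyncd.conf for writable, unauthenticated modules (example code, not from the post)."""
# Constructed sample mirroring the box: a global `read only = no` that [fox] inherits,
# exposing fox's home directory to anonymous uploads, beside a locked-down module.
SAMPLE_RSYNCD_CONF = """\
read only = no
[fox]
path = /home/fox
[backup]
path = /srv/backup
read only = yes
auth users = backup
hosts allow = 10.0.0.0/24
"""

def parse_rsyncd(conf_text: str) -> dict[str, dict[str, str]]:
    """Parse rsyncd.conf into {module: {param: value}}; pre-module lines go to 'global'."""
    modules: dict[str, dict[str, str]] = {"global": {}}
    current = "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # rsyncd ignores blank lines and # / ; comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            modules.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            modules[current][key.strip().lower()] = value.strip()
    return modules

def audit_rsyncd(conf_text: str) -> dict[str, list[str]]:
    """Return {module: [findings]}; global parameters are the defaults for every module."""
    modules = parse_rsyncd(conf_text)
    defaults = modules.pop("global")
    findings: dict[str, list[str]] = {}
    for name, params in modules.items():
        eff = {**defaults, **params}  # effective settings after inheriting globals
        issues = []
        writable = eff.get("read only", "yes").lower() in ("no", "false", "0")  # daemon default: yes
        if writable:
            issues.append("writable: clients can upload files (read only = no)")
        if not eff.get("auth users"):
            issues.append("no auth users: anonymous clients are accepted")
        if not eff.get("hosts allow"):
            issues.append("no hosts allow: any source address may connect")
        if eff.get("path", "").startswith("/home/"):
            issues.append("path is a user home" + (": .ssh/authorized_keys can be planted" if writable else ""))
        if issues:
            findings[name] = issues
    return findings
```

Calling audit_rsyncd(SAMPLE_RSYNCD_CONF) reports four findings for fox and none for backup; the fix on the daemon side is read only = yes plus auth users and hosts allow on every module, and never a home directory as a module path.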