Attack Insecure Rsync Service

Nairuz Abulhul
Published in R3d Buck3T
Aug 17, 2021

Rsync Enumeration and Exploitation

Rsync is a Unix/Linux utility for transferring and syncing files across different directories on the same machine or another machine on the network. The great thing about Rsync is that it only syncs and transfers the different files — no duplicates.

If you are backing up thousands of files to your NAS server, it is much more efficient to use Rsync to sync only the files that differ instead of copying all of them every time you add new ones. Also, if the network connection gets interrupted while syncing the files, Rsync will know where it left off and resume from there the next time you run the syncing command.

📄$_Key_Contents:

  • Rsync Overview
  • Highlighting the Security Issues
  • Demonstration Steps
  • Resources

However, the misconfiguration of this utility can lead to an easy foothold for attackers to compromise the service. An attacker can look for weak configurations like anonymous access and write permissions to gain unauthorized access to the running server.

That’s what we are going to do today 😈. We will take advantage of an insecure Rsync service and obtain a shell with SSH.

I’ll demonstrate the steps on the Fail machine from Offensive Security — Proving Grounds — Practice track.

Let’s start ….

🔧$_Demo_Steps

We will start enumerating the service to see if it requires authentication and check the user’s permissions.

To enumerate the Rsync service, we will use the Rsync tool and start listing the available shares. The tool is usually installed on Kali by default. If it is not the case, run apt-get install rsync to get it installed.

If Rsync returns with the available directories and files without asking for authentication, it means that the service allows anonymous unauthenticated access.

As seen in the above screenshot, we got a share name (fox) with no authentication needed.

Let’s see if we can upload files to the fox share as the current user. We will run the rsync command again with the name of the file we want to upload.

rsync test 192.168.1.171::fox

*test is the file we want to upload
testing the file upload permissions

Excellent, the test file was uploaded successfully to the fox share.

Now that we have enumerated the file share and its permissions, we move on to our attack vector: uploading an SSH public key to the share to gain access to the server.

I’ll create the .ssh directory and the authorized_keys file locally with the command below.

mkdir .ssh && touch .ssh/authorized_keys
create ssh directory and authorized_keys file

Then, place my machine’s public key into the authorized_keys file.

Upload the content of the .ssh directory to the fox share

rsync -r ./.ssh/ 192.168.129.126::fox/.ssh

📍-r parameter will recursively copy the content of the local .ssh directory to the fox share

Verify we have the file in the right path, and test the authentication.

rsync -r 192.168.129.126::fox

We will run the SSH command with my machine’s private key, and see if we get in.

Hooray!! We are able to obtain access to the server as the fox user 😃.
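The foothold above depends on a module that accepts anonymous connections and is writable. As an added example (not part of the original post), the Python below audits an rsyncd.conf for those two settings plus a missing hosts allow restriction; the sample config, including the /home/fox path and the backup module, is constructed, and the function names are hypothetical.

```python
import re

TRUE = {"yes", "true", "1"}  # boolean spellings rsyncd.conf accepts for "on"

# Constructed sample config: [fox] mirrors the weak share, [backup] is hardened.
SAMPLE_CONF = """\
uid = nobody
[fox]
    path = /home/fox
    read only = no
[backup]
    path = /srv/backup
    read only = yes
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.168.1.10
"""

def parse_rsyncd_conf(text):
    """Return {module: {param: value}}; global params become module defaults."""
    globals_, modules = {}, {}
    target = globals_
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            target = modules.setdefault(header.group(1).strip(), dict(globals_))
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            # Whitespace inside parameter names is irrelevant to rsyncd.
            target[re.sub(r"\s+", "", key).lower()] = value.strip()
    return modules

def audit(text):
    """Return {module: [findings]} for modules with weak access settings."""
    report = {}
    for name, params in parse_rsyncd_conf(text).items():
        findings = []
        if not params.get("authusers"):
            findings.append("anonymous access (no 'auth users')")
        if params.get("readonly", "yes").lower() not in TRUE:  # default is read only
            findings.append("writable ('read only' disabled)")
        if not params.get("hostsallow"):
            findings.append("no 'hosts allow' restriction")
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A module that sets auth users with a secrets file, keeps read only enabled, and restricts hosts allow produces no findings.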

That’s all for today. Thanks for reading !!

🛎️ All used commands can be found at R3d-Buck3T — Notion (Scanning & Enumerating services — Rsync)
