Published in R3d Buck3T
Attack Insecure Rsync Service

Rsync Enumeration and Exploitation


Rsync is a Unix/Linux utility for transferring and syncing files between directories on the same machine or between machines on a network. The great thing about Rsync is that it only transfers the files (or parts of files) that differ — no duplicates.

If you are backing up thousands of files to your NAS server, it is far more efficient to use Rsync to sync only the files that changed instead of copying all of them every time you add new ones. Also, if the network connection gets interrupted while syncing, Rsync knows where it left off and resumes from that point the next time you run the sync command.

📄$_Key_Contents:

  • Rsync Overview
  • Highlighting the Security Issues
  • Demonstration Steps
  • Resources

However, the misconfiguration of this utility can lead to an easy foothold for attackers to compromise the service. An attacker can look for weak configurations like anonymous access and write permissions to gain unauthorized access to the running server.

That’s what we are going to do today 😈. We will take advantage of an insecure Rsync service and obtain a shell with SSH.

I’ll demonstrate the steps on the Fail machine from Offensive Security — Proving Grounds — Practice track.

Let’s start…

🔧$_Demo_Steps

We will start enumerating the service to see if it requires authentication and check the user’s permissions.

To enumerate the Rsync service, we will use the rsync client itself and start by listing the available shares (modules). The tool is usually installed on Kali by default. If it is not, run apt-get install rsync to install it.

If Rsync returns with the available directories and files without asking for authentication, it means that the service allows anonymous unauthenticated access.

As seen in the above screenshot, we got a share name (fox) with no authentication needed.

Let’s see if we can upload files to the fox share as the current user. We will run the rsync command again with the name of the file we want to upload.

rsync test 192.168.1.171::fox

* test is the file we want to upload
testing the file upload permissions

Excellent, the test file was uploaded successfully to the fox share.

Now that we have enumerated the file share and its permissions, we move to our attack vector: uploading an SSH public key to the share to gain access to the server.

I’ll create the .ssh directory and the authorized_keys file locally with the command below.

mkdir .ssh && touch .ssh/authorized_keys
create ssh directory and authorized_keys file

Then, place my machine’s public key into the authorized_keys file.

Upload the content of the .ssh directory to the fox share:

rsync -r ./.ssh/ 192.168.129.126::fox/.ssh

📍 The -r parameter recursively copies the content of the local .ssh directory to the fox share.

Verify that the files are in the right path, then test the authentication.

rsync -r 192.168.129.126::fox

We will run the SSH command with my machine’s private key and see if we get in.

Hooray!! We are able to obtain access to the server as the fox user 😃.
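As an added defender’s-side illustration (not from the original post and not the Proving Grounds machine’s real file), here is the kind of rsyncd.conf that produces the behaviour seen above, next to a hardened version of the same module. The module name fox comes from the walkthrough; the paths, account names, network range and secrets file are assumptions, and every directive is a standard rsyncd.conf(5) option.

```ini
# --- WEAK rsyncd.conf (assumed; reproduces what the walkthrough found) ---
# No auth users, so anyone can connect; read only = no allows uploads;
# path is a home directory and uid is that user, so an uploaded
# .ssh/authorized_keys is owned by fox and trusted by sshd.
[fox]
    path = /home/fox
    comment = fox home
    read only = no
    list = yes
    uid = fox
    gid = fox

# --- HARDENED rsyncd.conf (assumed; same module, least privilege) ---
[fox]
    # dedicated export directory, never a home directory
    path = /srv/rsync/fox
    comment = fox backups
    # clients can pull but never push or delete
    read only = yes
    refuse options = delete
    # do not advertise the module in an unauthenticated listing
    list = no
    # daemon serves files as an unprivileged account, confined to path
    uid = nobody
    gid = nogroup
    use chroot = yes
    # require a module password; secrets file is mode 0600, "backup:<password>"
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    # only the backup network may even connect
    hosts allow = 192.168.129.0/24
    hosts deny = *
    # defence in depth: never export dotfiles such as SSH material
    exclude = .ssh/ .bashrc .profile
```

After restarting the daemon, an unauthenticated module listing should come back empty and a test upload to the share should be refused; either still succeeding means the old configuration is still in effect.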

That’s all for today. Thanks for reading !!

🛎️ All used commands can be found at R3d-Buck3T — Notion (Scanning & Enumerating services — Rsync)

R3d Buck3T focuses on Penetration Testing & Vulnerability Assessment (Red Teaming). My goal is to document what I learn and share the knowledge with the InfoSec community.

Nairuz Abulhul