Hi everyone
Today we are going to look at a Box called Synced, which is rated as very easy in terms of difficulty. This machine has three phases: Recon, Enumeration and Exploitation.
There are various tasks that need to be completed to solve the entire Machine/Box.
BOX Questions
Task 1 What is the default port for rsync?
873
Task 2 How many TCP ports are open on the remote host?
1
Task 3 What is the protocol version used by rsync on the remote machine?
31
Task 4 What is the most common command name on Linux to interact with rsync?
rsync
Task 5 What credentials do you have to pass to rsync in order to use anonymous authentication? anonymous:anonymous, anonymous, None, rsync:rsync
None
Task 6 What is the option to only list shares and files on rsync? (No need to include the leading -- characters)
list-only
Recon & Enumeration
Enumeration plays a very significant role in pen testing. The more thoroughly you enumerate, the easier it will be to get a foothold on the target.
First, we will check whether the target is reachable with the ping command:
ping Target_IP

The ping command output shows that the target is reachable.
Now let's move ahead and run the port scan. For this we will use Nmap, a popular port scanning tool that reports which ports are in the open state. The command for that will be:
sudo nmap -sV Target_IP

The above output shows that port 873 is open and that the rsync service is running on that port.
rsync:
Rsync is a fast and extraordinarily versatile file copying tool. It can copy locally,
to/from another host over any remote shell, or to/from a remote rsync daemon. It offers
a large number of options that control every aspect of its behavior and permit very
flexible specification of the set of files to be copied. It is famous for its delta-transfer algorithm, which reduces the amount of data sent over the network by sending
only the differences between the source files and the existing files in the
destination. Rsync is widely used for backups and mirroring and as an improved copy
command for everyday use.
Exploitation

Let's move ahead and connect to rsync:
rsync --list-only {target_IP}::
Using this command, we can see that there is a public directory with the description Anonymous Share.
Now let’s go ahead and access that public share with the following command:
rsync --list-only {target_IP}::public
We observe that the public share has a file named flag.txt. Copying or syncing this file to our local computer is our final step. To accomplish that, we follow the standard rsync syntax, transferring the file to our local system by specifying the SRC as public/flag.txt and the DEST as flag.txt.

Submit root flag
And we got the flag value inside the flag.txt file.
Key Takeaways
- Always enumerate properly.
- Implement proper authentication.
- Disable Anonymous modules.
- Enable encryption like rsync over SSH.
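
One way to check these takeaways against your own rsync daemon, as an added example that is not part of the original write-up: a small Python audit of rsyncd.conf that flags modules reachable without credentials, like the public share above. The sample config, its paths and the function names are constructed for illustration; `auth users`, `secrets file`, `hosts allow`, `list` and `read only` are standard rsyncd.conf parameters.

```python
SAMPLE_CONF = """\
# Constructed sample config, modelled on the share seen in this write-up.
[public]
    path = /srv/public
    comment = Anonymous Share

[backups]
    path = /srv/backups
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
    list = no
"""

def parse_rsyncd_conf(text):
    """Return {module: params}; global params are defaults for every module."""
    defaults, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = dict(defaults)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            target = modules[current] if current is not None else defaults
            target[key.lower()] = value
    return modules

def enabled(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(text):
    """Return {module: [issues]} for modules that need attention."""
    findings = {}
    for name, p in parse_rsyncd_conf(text).items():
        issues = []
        if not p.get("auth users"):
            issues.append("anonymous access: no 'auth users'")
        elif not p.get("secrets file"):
            issues.append("'auth users' set without a 'secrets file'")
        if not p.get("hosts allow"):
            issues.append("no 'hosts allow' restriction")
        if enabled(p.get("list", "yes")):      # rsyncd default: list = yes
            issues.append("module shows up in share listings")
        if not enabled(p.get("read only", "yes")):  # default: read only = yes
            issues.append("module is writable")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for module, issues in audit(SAMPLE_CONF).items():
        print(f"[{module}]", "; ".join(issues))
```
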