Rsync [873]
Info
Rsync is a fast and efficient tool for locally and remotely copying files. It can be used to copy files locally on a given machine and to/from remote hosts.
Guide
This guide covers some of the ways Rsync can be abused, most notably by listing the contents of a shared folder on a target server and retrieving files. This can sometimes be done without authentication. Other times we will need credentials. If you find credentials during a pentest and run into Rsync on an internal (or external) host, it is always worth checking for password re-use as you may be able to pull down some sensitive files that could be used to gain remote access to the target.
Probing for accessible shares
Next, we can probe the service to see what we can access.
z3tssu@htb[/htb]$ nc -nv 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
#list
dev Dev Tools
@RSYNCD: EXIT
Enumerating Accessible Share
rsync -av --list-only rsync://127.0.0.1/dev
rsync rsync://10.129.225.48/ --list-only
Syncing Shares to our Attacker Machine
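We could sync all files to our attack host with the command below. The last argument is the local destination directory (./dev is an example path); with no destination, rsync only lists the files.
rsync -av rsync://127.0.0.1/dev ./dev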
If Rsync is configured to use SSH to transfer files, we could modify our commands to include the -e ssh flag, or -e "ssh -p2222" if a non-standard port is in use for SSH. This guide is helpful for understanding the syntax for using Rsync over SSH.
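Whether the anonymous listing and retrieval shown above works depends on how each module is defined in the daemon's rsyncd.conf. The script below is an added example, not part of the original guide: it audits a config for modules with no auth users, modules visible in the module listing, writable modules, and modules with no hosts allow restriction. The sample config is constructed, and the parser assumes no include directives or backslash line continuations.

```python
# Added example: flag rsyncd.conf modules exposed the way this guide describes.
# SAMPLE_CONF is constructed; module names, paths and addresses are hypothetical.
SAMPLE_CONF = """\
# global section: module parameters set here become per-module defaults
hosts allow = 10.0.0.0/8
[dev]
    path = /srv/dev
    comment = Dev Tools
[backup]
    path = /srv/backup
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
    list = no
    hosts allow = 10.0.5.10
[upload]
    path = /srv/upload
    Read Only = false
"""
TRUE = {"yes", "true", "1"}  # boolean spellings rsyncd accepts as true

def parse_conf(text):
    """Return {module: params}; global parameters act as per-module defaults."""
    defaults, modules, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), dict(defaults))
        elif "=" in line:
            key, value = line.split("=", 1)
            key = "".join(key.lower().split())  # names ignore case and whitespace
            (defaults if current is None else current)[key] = value.strip()
    return modules

CHECKS = [  # (finding, predicate over one module's parameters)
    ("anonymous access (no auth users)", lambda p: not p.get("authusers")),
    ("visible in module listing", lambda p: p.get("list", "yes").lower() in TRUE),
    ("writable", lambda p: p.get("readonly", "yes").lower() not in TRUE),
    ("no hosts allow restriction", lambda p: not p.get("hostsallow")),
]

def audit(text):
    """Return {module: [findings]} for modules with at least one finding."""
    found = {m: [msg for msg, hit in CHECKS if hit(p)] for m, p in parse_conf(text).items()}
    return {m: f for m, f in found.items() if f}

if __name__ == "__main__":
    for module, findings in audit(SAMPLE_CONF).items():
        print(f"[{module}] " + "; ".join(findings))
```

In the sample, only the backup module comes back clean: it sets auth users with a secrets file, list = no, and its own hosts allow entry.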