🖊️ Author: Nairuz Abulhul

🌐 Blog: R3dbuck3t

Table of Contents

Rsync Overview

Rsync is a fast and efficient tool for locally and remotely copying files. It can be used to copy files locally on a given machine and to/from remote hosts.

Rsync can be abused, most notably by listing the contents of a shared folder on a target server and retrieving files. This can sometimes be done without authentication. Other times we will need credentials. If you find credentials during a pentest and run into Rsync on an internal (or external) host, it is always worth checking for password re-use as you may be able to pull down some sensitive files that could be used to gain remote access to the target.

Enumeration Steps

• [ ] Check if you can retrieve files from the share with no authentication - Anonymous access
• [ ] Check the current user has writing permission on the share to upload files

Attack Vectors

• [ ] Upload files to the share - SSH Public keys
• [ ] Add a New Privileged User - check this guide
• [ ] Brute Force

Footprinting the Service

Scanning for Rsync

sudo nmap -sV -p 873 127.0.0.1

Starting Nmap 7.92 ( <https://nmap.org> ) at 2022-09-19 09:31 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0058s latency).

PORT    STATE SERVICE VERSION
873/tcp open  rsync   (protocol version 31)

Probing for Accessible Shares with Netcat

nc -nv 127.0.0.1 873

(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
#list
dev            	Dev Tools
@RSYNCD: EXIT