PG: Fail
| ターゲット // Fail | |
|---|---|
| Platform | OffSec Proving Grounds |
| OS | Linux |
| Difficulty | Medium |
| IP | 192.168.100.126 |
Enumeration#
Nmap#
▶ Nmap output
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
873/tcp open rsync (protocol version 31)
Two ports. SSH accepts both pubkey and password auth but we have no creds, so it stays shut for now. That leaves rsync on 873 – a daemon that ships wide open more often than it should.
Port 873 - rsync#
Listing modules exposes a single share, fox, described as “fox home”:
| |
Anonymous access is allowed, and the module maps straight onto the fox user’s home directory:
| |
An anonymously reachable home directory with a .ssh folder is the whole ballgame – if the module is writable, we own fox.
Foothold#
rsync → SSH key injection#
The module is read/write, so pull the share down, append our own public key to authorized_keys, and push it back:
| |
With the key in place, SSH straight in as fox:
| |
Foothold as fox.
Privilege Escalation#
Writable fail2ban action template#
Two facts fall out of local enumeration: root is permitted to log in over SSH, and fail2ban is running – on a box literally named Fail. Root + fail2ban + that hostname is the arrow pointing at the privesc path.
fail2ban watches the auth logs and, when an IP trips its threshold, runs the ban/unban commands defined in the action.d/ templates – as root. On this host the active iptables-multiport.conf template is writable by fox, so we can splice arbitrary commands into it. Here the action is doctored to loosen /etc/shadow and fire off a netcat reverse shell:

Then trip the jail with a burst of failed SSH logins. fail2ban registers the offending IP, executes the tampered action as root, and our payload runs with it – yielding a root shell (and a world-readable /etc/shadow to crack offline for good measure).
Proof#

Also lifted off the box: the rsync daemon secret from /etc/rsyncd.secrets – fox:f1bddf02cd53fab415c1b46853072f6a.
Key Takeaways#
- An anonymous, writable rsync module that maps to a user’s home is instant compromise – drop a key into
.ssh/authorized_keysand SSH in. Always list modules withrsync --list-only rsync://host/and test read/write on 873. - fail2ban runs its
action.d/templates as root. If a low-priv user can write those files, that’s a direct root primitive: inject a command, then trigger a ban to execute it. - The box name is the hint. “Fail” == fail2ban – OffSec rarely names a box for nothing.