Rsync
Rsync (Remote Sync) is a file synchronization tool; its daemon listens on TCP port 873 by default. Misconfigured anonymous access to shared directories (modules) is a common finding. This guide covers what we've practiced.
Quickstart: Module enumeration and exfiltration

```bash
# List available modules: the first thing to test
$ rsync 10.129.1.10::
# Download everything from a module
$ rsync -av 10.129.1.10::module_name ./local-destination/
# List contents of a module without downloading
$ rsync --list-only 10.129.1.10::module_name
# Download a single file
$ rsync -av 10.129.1.10::public/flag.txt ./flag.txt
```
Essential commands

| Command | What it does |
|---|---|
| `rsync <host>::` | List available modules (no auth) |
| `rsync <host>::<module>` | List files inside a module |
| `rsync -av <host>::<module> ./dest/` | Download module contents |
| `rsync --list-only <host>::<module>` | List without downloading |
Useful Nmap Scripts

```bash
# List rsync modules (most useful script)
nmap --script rsync-list-modules -p873 10.129.1.10
# Full service + version detection
nmap -sV -p873 10.129.1.10
```
CTF Workflow

- Scan port: `nmap -sCV -p873 10.129.1.10`
- List modules: `rsync 10.129.1.10::`
- Explore module: `rsync --list-only 10.129.1.10::public`
- Download: `rsync -av 10.129.1.10::public ./output/`
Rsync Security Notes

- Anonymous access is the critical misconfiguration: without `auth users` in `rsyncd.conf`, anyone can read (and potentially write) files
- We saw it on: Synced (rsync protocol 31, anonymous `public` module, flag in `flag.txt`)
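
To check a daemon's own configuration for the misconfiguration noted above, the following added example (not part of the original notes) audits an `rsyncd.conf` for modules that lack `auth users`, allow anonymous writes, or have no `hosts allow` restriction. The sample config is constructed, the function names are hypothetical, and the parser assumes no line continuations or include directives.

```python
# Constructed sample rsyncd.conf (not taken from the Synced machine).
SAMPLE_CONF = """\
read only = yes
[public]
path = /srv/public
[uploads]
path = /srv/uploads
read only = no
[backups]
path = /srv/backups
auth users = backup
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/24
"""

def parse_rsyncd_conf(text):
    """Return {module: params}; globals before the first module act as defaults."""
    globals_, modules, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), dict(globals_))
        elif "=" in line:
            key, value = line.split("=", 1)
            # rsyncd ignores case and whitespace in parameter names.
            key = "".join(key.split()).lower()
            (globals_ if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Map each module to its findings; an empty list means none were found."""
    report = {}
    for name, params in parse_rsyncd_conf(text).items():
        findings = []
        if not params.get("authusers"):
            findings.append("anonymous access: no auth users")
            # read only defaults to yes, so writes need an explicit opt-out.
            if params.get("readonly", "yes").lower() in ("no", "false", "0"):
                findings.append("anonymous write: read only = no")
        if not params.get("hostsallow"):
            findings.append("no hosts allow restriction")
        report[name] = findings
    return report

if __name__ == "__main__":
    for module, findings in audit(SAMPLE_CONF).items():
        print(f"{module}: {'; '.join(findings) or 'no findings'}")
```
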
Related
Machines: [[Synced]]
Guides: [[FTP]]