Privilege Escalation with fail2ban nopasswd

Jay Bhatt
Published in System Weakness
3 min read · Jul 15, 2022


Hello everyone. Today I am going to show you how you can escalate your privileges if you discover a misconfigured Fail2ban on the server. So let's get started!!

As shown in the image above, we can run /etc/init.d/fail2ban restart as the root user without a password, which gives us a path to vertical privilege escalation. Run the following command:

find /etc -writable -ls 2>/dev/null

Here we look for directories under /etc that we have write access to, and we find that we can write to /etc/fail2ban/action.d.

Let's look inside /etc/fail2ban/jail.conf to learn more about how fail2ban is configured. As shown in the image below, the ban time is 10 seconds and max retry is 5, so after 5 failed attempts we get banned for 10 seconds.

For privilege escalation, we will make 5 failed SSH login attempts against the server so that we get banned. Inside /etc/fail2ban/action.d there is the iptables-multiport.conf config file, where the commands for actionstart, actionstop, actioncheck, actionban and actionunban are written. When we get banned, the commands inside actionban are executed. First, look at the file's permissions by executing:

ls -la iptables-multiport.conf

Only root has write access to the file. Now rename iptables-multiport.conf to iptables-multiport.conf.bak, then copy iptables-multiport.conf.bak to iptables-multiport.conf so that the owner of the file changes. This works because we have write access to the directory, and the copy is a new file owned by us.

ls -la iptables-multiport.conf
mv iptables-multiport.conf iptables-multiport.conf.bak
cp iptables-multiport.conf.bak iptables-multiport.conf
ls -la iptables-multiport.conf

We still don't have write access to the file, but because we now own it, running the following command gives us read and write access:

chmod 666 iptables-multiport.conf

Moving on, I start a Netcat listener on my host machine and, inside iptables-multiport.conf, set actionban = <Reverse shell> command. Then I make 5 failed SSH login attempts. When I get banned, actionban executes my reverse shell and it connects to my listener.

When you get banned over SSH, actionban executes and you get a reverse shell as root.
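From the defender's side, everything above depends on a fail2ban configuration tree that someone other than root can modify. The shell function below is an added example, not part of the original post; the function name, output labels and the assumption that root (UID 0) is the only trusted owner are choices made here.

```shell
#!/bin/sh
# Added example: audit a fail2ban config tree for the weakness described above.
# Usage: audit_fail2ban_perms [config_dir] [trusted_uid]
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_fail2ban_perms() {
    dir=${1:-/etc/fail2ban}
    trusted_uid=${2:-0}   # assumption: only root should own these paths
    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory" >&2; return 2; }

    findings=$(
        # Directories writable by group or other: whoever has that access can
        # rename a root-owned file and put a copy they own in its place.
        find "$dir" -type d \( -perm -0020 -o -perm -0002 \) \
            -exec printf 'WRITABLE-DIR  %s\n' {} +
        # Files writable by group or other: action commands editable in place.
        find "$dir" -type f \( -perm -0020 -o -perm -0002 \) \
            -exec printf 'WRITABLE-FILE %s\n' {} +
        # Anything not owned by the trusted UID, such as a swapped-in copy.
        find "$dir" ! -type l ! -user "$trusted_uid" \
            -exec printf 'FOREIGN-OWNER %s\n' {} +
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run it as root so every path is readable, for example audit_fail2ban_perms /etc/fail2ban, and treat any output as something to fix with chown root:root and chmod go-w on the reported path.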

I hope you enjoyed it. Happy Hacking!! ❤
