Lab Objective: Synced is a Tier 0 machine focusing on Rsync — a utility for efficiently transferring and synchronising files between a local machine and a server by comparing modification times and file sizes. When misconfigured with anonymous access, it can expose entire directories without asking for a password.
Important Considerations
- Port 873 TCP is the default Rsync port. It supports both local and remote file-copying.
- Modules — Rsync uses "modules," which are essentially directory shares. These can be configured with or without authentication. Anonymous access to modules in a professional environment can lead to significant data leaks.
- Encryption — like Telnet, Rsync does not provide transport encryption by default unless tunnelled through SSH. If misconfigured, an attacker can list, read, and sometimes write files without a password.
Enumeration
Install the Rsync client if needed: sudo apt install rsync.
Nmap scan: sudo nmap -sV [TARGET_IP].
Task 1 — What is the default port for Rsync?
Answer: 873.
Task 2 — How many TCP ports are open on the remote host?
Answer: 1.
Task 3 — What is the protocol version used by Rsync on the remote host?
Answer: 31.
Task 4 — What command lists the available modules on the target?
Answer: rsync --list-only {targetIP}::. The double colon :: contacts the Rsync daemon directly.
Establishing a Foothold
Task 5 — What is the name of the available share (module)?
Answer: public.
Task 6 — What command lists the contents of the public share?
Answer: rsync {targetIP}::public.
Task 7 — What is the name of the file found inside the share?
Answer: flag.txt. Sync it to your local machine with:
rsync {targetIP}::public/flag.txt .
The . copies the file to your current working directory.
Task 8 — Submit the Flag.
Answer: Read the flag with cat flag.txt.
Final Thoughts
- Rsync is a powerful tool, but dangerous when anonymous login is left enabled on sensitive directories.
- The --list-only flag is essential when enumerating unknown Rsync targets.
- Always check for modules before guessing file paths.
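The misconfiguration this box demonstrates, and how an administrator would close it, as an added rsyncd.conf example (hypothetical configuration written for this writeup, not the lab's actual file; the paths, user name and subnet are assumptions):

```ini
# --- /etc/rsyncd.conf (before): the "Synced" style setup ---
# No auth users, no host restriction, and the module is advertised,
# so "rsync --list-only host::" and "rsync host::public" work for anyone.
[public]
    path = /srv/rsync/public
    comment = Public share
    read only = yes
    list = yes

# --- /etc/rsyncd.conf (after): same share, no anonymous access ---
# Global settings applied to every module below.
uid = rsync
gid = rsync
use chroot = yes
max connections = 4
log file = /var/log/rsyncd.log
# Daemon logins are checked against this file; one "user:password" per line.
# Must be owned by root and mode 600, or the daemon refuses it (strict modes).
secrets file = /etc/rsyncd.secrets

[public]
    path = /srv/rsync/public
    comment = Internal share
    read only = yes
    # Do not advertise the module: "rsync --list-only host::" returns nothing.
    list = no
    # Only this daemon account may open the module.
    auth users = backupuser
    # Restrict callers to the backup subnet (assumed value) and deny the rest.
    hosts allow = 10.0.0.0/24
    hosts deny = *
```

Module authentication only gates access; as noted above, daemon traffic is still unencrypted, so sensitive syncs should run over SSH (rsync -e ssh) rather than directly to port 873.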