PrivEsc
So we know the fail2ban service is running. I checked GTFOBins but there is nothing there on fail2ban. After some googling I found exactly what I needed: this blog post explains how to exploit the fail2ban service to escalate privileges.
Two conditions need to be met:
We need write permission to /etc/fail2ban/action.d/iptables-multiport.conf
We need a way to restart the service that does not ask for a password.
The second condition is already met: we saw that we can run the restart with sudo without a password.
For the first condition,
michael@trick:/etc/fail2ban/action.d$ id
uid=1001(michael) gid=1001(michael) groups=1001(michael),1002(security)
michael@trick:/etc/fail2ban/action.d$ ls -la
total 288
drwxrwx--- 2 root security 4096 Feb 5 18:15 .
drwxr-xr-x 6 root root 4096 Feb 5 18:15 ..
That file cannot be edited directly, as it is not writable by us, but we do have write access to the directory through the security group. So we can rename the original .conf to .conf.bak, copy it back to a new .conf that we own, and edit that.
mv iptables-multiport.conf iptables-multiport.conf.bak
cp iptables-multiport.conf.bak iptables-multiport.conf
nano iptables-multiport.conf
I commented out the original actionban and replaced it with:
It will create a bash file with the SUID bit set so we can run it as root. For this file to be created, we first need to get banned.
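From the defender's side, both preconditions and the replaced actionban can be audited. The following is an added example, not part of this writeup: a POSIX shell audit that flags a group- or world-writable action.d, a passwordless sudo rule for restarting fail2ban, and an actionban that no longer calls iptables. It runs against constructed fixtures; the sudoers lines and the placeholder actionban command are made up here.

```shell
#!/bin/sh
# Added audit example, not from the original writeup. It checks the two
# conditions the writeup relies on and whether an action file's actionban
# still only calls iptables, using constructed fixtures so it runs anywhere.

# 1. Is the action directory, or anything directly inside it, group- or
#    world-writable? (The writeup's /etc/fail2ban/action.d was drwxrwx---.)
writable_by_nonroot() {
  find "$1" -maxdepth 1 \( -perm -g=w -o -perm -o=w \) -print | grep -q .
}

# 2. Does a sudoers file grant a passwordless fail2ban restart?
passwordless_f2b_restart() {
  grep -qE 'NOPASSWD:.*fail2ban.*restart' "$1"
}

# 3. Does actionban run anything other than iptables? The stock
#    iptables-multiport.conf only ever invokes <iptables>.
actionban_tampered() {
  awk '
    /^actionban[ \t]*=/ { inban = 1; sub(/^actionban[ \t]*=[ \t]*/, "")
                          if ($0 != "") print; next }
    inban && /^[ \t]+[^ \t]/ { sub(/^[ \t]+/, ""); print; next }
    { inban = 0 }
  ' "$1" | grep -qvE '^(<iptables>|iptables)'
}

# Constructed fixtures (placeholders, not files from any real host).
WORK=$(mktemp -d)
mkdir -p "$WORK/action.d" "$WORK/locked.d"
chmod 770 "$WORK/action.d"   # mirrors the writeup's misconfiguration
chmod 750 "$WORK/locked.d"   # what a hardened action.d should look like
cat > "$WORK/action.d/iptables-multiport.conf" <<'EOF'
[Definition]
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
EOF
cp "$WORK/action.d/iptables-multiport.conf" "$WORK/locked.d/"
chmod 644 "$WORK/action.d/iptables-multiport.conf" "$WORK/locked.d/iptables-multiport.conf"
cat > "$WORK/tampered.conf" <<'EOF'
[Definition]
# actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionban = /tmp/CONSTRUCTED-placeholder.sh <ip>
EOF
printf 'michael ALL=(root) NOPASSWD: /etc/init.d/fail2ban restart\n' > "$WORK/sudoers.bad"
printf 'michael ALL=(root) /usr/bin/apt update\n' > "$WORK/sudoers.ok"
# Stand-alone run: report each finding.
writable_by_nonroot "$WORK/action.d"         && echo "FINDING: action.d writable by non-root"
passwordless_f2b_restart "$WORK/sudoers.bad" && echo "FINDING: passwordless fail2ban restart"
actionban_tampered "$WORK/tampered.conf"     && echo "FINDING: actionban no longer calls iptables"
```

On a real host, point the three functions at /etc/fail2ban/action.d, /etc/sudoers (and /etc/sudoers.d/*), and each action file; a clean system produces no findings.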
Checking the maxretry value:
So we get banned after 5 retries. The easiest way to trigger that is with hydra:
If all goes well, the bash file is created and we run it with -p to get a root shell.