HTB Labs — Tier 0 — “Synced” Machine Walkthrough | By: CyberAlp0

Hey Folks, this is CyberAlp0. Back again with a new walkthrough powered by HTB, Tier 0, named “Synced”. Synced is one of the VIP labs in HackTheBox, Tier 0, Starting Point phase. This machine strengthens your skills in using the rsync tool to copy files from a remote host.
The key advantages of rsync are its efficiency, flexibility, and support for a wide range of file transfer scenarios, from simple backups to complex synchronization tasks. It is a widely used tool in system administration, IT operations, and data management workflows.
Executive Summary
Here is an executive summary of the steps we will follow:
Stage I: Scanning
The scanning phase quickly reveals a minimal attack surface: the Synced machine exposes only a single TCP service on port 873, running the rsync protocol (version 31). With no additional open ports or alternative services, this immediately suggests that the compromise will center entirely around rsync’s configuration and its remote file-access capabilities.
The Nmap scan will reveal the following information:
- Service Running: rsync Protocol
- Service Version: version 31
- Exposed Port: 873
Stage II: Enumeration
Enumeration focuses on interacting with the rsync service to identify accessible shares and determine what level of authentication is required. The service accepts anonymous access, allowing unrestricted viewing of exposed modules. By listing available shares, the assessment identifies a publicly accessible directory named public, which contains accessible files. This confirms that the rsync server is misconfigured to allow unauthenticated, read-only browsing of sensitive content, making it an ideal target for data extraction.
Stage III: Exploiting
Exploitation requires no advanced techniques due to the server’s permissive configuration. Once the public rsync share is identified, the contents can be remotely retrieved through anonymous access. The exposed flag.txt file can be directly copied from the target into the attacker’s local environment. Reading this file completes the machine compromise.
Let’s see how we can exploit it …
Step 1: Connecting to the Starting Point Labs Servers.
To attack the target machine, you have to be on the same network. You can read my blog which will guide you step-by-step into connecting to the target machine.
Step 2: Spawning the Machine and Starting to Solve the Tasks.
Task 1: What is the default port for rsync?
Answer: 873
Walkthrough:
Rsync is a protocol used for efficient file transfer and synchronization. When using rsync, the default behavior is to use an unprivileged port in the range of 1024:65535. However, the standard port assigned to the rsync protocol is 873.
The default port 873 allows rsync clients to connect to rsync servers without root privileges. While port 873 is the standard port for the rsync protocol, rsync can be configured to use other ports in case the default port is blocked by the firewall.
Task 2: How many TCP ports are open on the remote host?
Answer: 1
Walkthrough:
As usual, we will run an Nmap scan against the host to learn more about the services and their corresponding ports.
nmap -sV -T4 -vv -Pn -p- 10.129.228.37
Let’s break down the command to learn more about its flags and their usage.
- -sV Flag: performs version scanning, which attempts to determine the version of the services running on the target. It provides more information about the software and the services running on the target host.
- -p- Flag: tells Nmap to scan all ports in the range 1:65535. You can also write this flag as “-p0-65535”.
- -Pn Flag: tells Nmap to treat all hosts as online and skip the host-discovery phase. By default, Nmap first checks whether the target is alive before sending any recon packets. Many targets are configured to drop discovery packets, which makes the host look down and the scan unsuccessful. The -Pn flag skips this discovery process and begins sending the recon packets straight away.
- -T4: sets the timing template to “Aggressive”, which makes Nmap scan the target more quickly. Be careful not to use this in real life: this option is noisier, so your scan is more likely to be detected by the target system’s firewall, which may drop your recon packets, kill your connection, and block your IP.
- -vv: sets the verbosity level to “Very Verbose”, so Nmap shows you the result of the scan at each scanning stage. You may notice there is a lot of information in the previous screenshot; this is because I typed -vv.

As shown in the screenshot, there is only one service running, on port 873, and it is called “rsync”.
Task 3: What is the protocol version used by rsync on the remote machine?
Answer: 31
Walkthrough:
The -sV flag used in the scanning phase above has given us the version of the services that are running. It shows that the rsync protocol version is 31.
Task 4: What is the most common command name on Linux to interact with rsync?
Answer: rsync
Walkthrough:
The rsync command is the primary interface to the rsync utility for file transfer and synchronization tasks. The basic form of the command is as follows:
rsync [options] source destination
Let’s break down the command:
- [rsync]: the command used to interact with a server over the rsync protocol on port 873.
- [options]: the many options/flags listed when you run rsync with --help (or -h).
- [source]: the target, i.e. the rsync server and the module (share) you interact with over the rsync protocol. Put the IP of the target here.
- [destination]: the local directory you want to copy the file to.

Task 5: What credentials do you have to pass to rsync to use anonymous authentication? anonymous:anonymous, anonymous:None, rsync:rsync
Answer: none
Walkthrough:
The task offers three candidate credential pairs:
- anonymous:anonymous
- anonymous:None
- rsync:rsync
The answer is none. When an rsync daemon exposes a module to anonymous clients, it does not ask for a username or password at all: you simply connect to the server without providing any credentials.
Task 6: What is the option to only list shares and files on rsync? (No need to include the leading -- characters)
Answer: --list-only
Walkthrough:
As shown in the following screenshot, and from the man page of the rsync tool, you can identify that the option used to list shares and files is (--list-only).

Note: to easily find any option or flag and its usage, run rsync with --help. To find a specific flag, pipe that output into grep.

To list the modules (shares) exposed by the server, run the following command:
rsync --list-only rsync://10.129.26.218
Adding /public to the end of the URL lists the contents of that module, as shown.
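The anonymous access in Task 5 and the listable module in Task 6 both come from the server’s rsyncd.conf. As an added example (not part of the original walkthrough), the script below parses a constructed rsyncd.conf and reports, per module, the settings a defender would want to fix: a missing auth users line, a listable module, no hosts allow restriction, and read only = no. The module names, paths and secrets file are assumptions for the sample.

```python
"""Audit an rsyncd.conf for modules that anonymous clients can browse or write."""

# Constructed sample config: [public] mirrors the weak setup seen on the box
# (no 'auth users', listable, open to every host); [backups] is a hardened module.
SAMPLE_RSYNCD_CONF = """\
[public]
    path = /srv/rsync/public
    comment = Public files          # assumed path and comment
    read only = yes
    list = yes

[backups]
    path = /srv/rsync/backups
    auth users = backup             # assumed user
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.10.0.0/16
    read only = yes
    list = no
"""

def parse_rsyncd_conf(text):
    """Return {module: {key: value}}; '#' comments and the global section are skipped."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            modules[current][key.strip().lower()] = value.strip()
    return modules

def audit_module(settings):
    """Findings for one module, using rsyncd's defaults (list=yes, read only=yes)."""
    findings = []
    if "auth users" not in settings:
        findings.append("anonymous access: no 'auth users' set")
    if settings.get("list", "yes").lower() in ("yes", "true", "1"):
        findings.append("module is listable with --list-only")
    if "hosts allow" not in settings:
        findings.append("no 'hosts allow' restriction")
    if settings.get("read only", "yes").lower() in ("no", "false", "0"):
        findings.append("writable module: 'read only = no'")
    return findings

def audit(text):
    """Map every module in the config to its list of findings (empty = clean)."""
    return {name: audit_module(s) for name, s in parse_rsyncd_conf(text).items()}
```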
Task 7: Submit the root flag
Answer: 72eaf5344ebb84908ae543a719830519
Walkthrough:
As we discussed at the very beginning, the basic rsync command is:
rsync [options] [source] [destination]
Thus, the command used to copy flag.txt is:
rsync rsync://10.129.228.37/public/flag.txt .
This asks rsync to copy the text file called flag.txt, found on the target’s IP under the public module.
The destination of the copied text file will be the directory I am currently in, which is [/home/kali/Desktop]. That is why I typed “.”: it means copying to my current working directory.

After copying the flag.txt file from the server, we can fetch its content using the cat command.
cat flag.txt
Hope you enjoyed reading my blog about solving Synced machine from HTB — Tier 0 — Starting Point Phase.
See You in another write-up!