# Fail2ban Privilege Escalation

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

Seeing as this was what fred had access to, I had to research it and any privilege escalations I could find regarding it.

![](/files/WtuI91F7u0obl1BK3LqF)

What I found from - <https://grumpygeekwrites.wordpress.com/2021/01/29/privilege-escalation-via-fail2ban/>

"There are two things **actionban** and **actionunban**. If we have write access to this file, we can add our malicious command and escalate our privileges."

I needed to check whether it was still running on the machine I had SSH'd into.

![](/files/5etlbb55kRod3oXcWyyq)

Seeing as it is still running, I changed directories to fail2ban.

![](/files/bQsptVYyDVIYoynpxlMq)

Then I changed directories to action.d.

When I changed directories to action.d and listed everything, I could see that fred owned a file.

![](/files/Xcz9zk7LAxVUzykrR1IY)

I then opened the "iptables-multiport.conf" file in vim.

![before picture of the vim file](/files/vK1fhymxHs9s5pncWTPD)

![After I made changes to the vim file](/files/MVBiPA9f6dunUdm3tBlW)

Now I am going to modify the line where a machine is banned, changing it to run a privilege escalation instead. I am also doing it on both **actionban** and **actionunban**, which ensures I do not break anything I'm unaware of.

![](/files/WINxqwqQ68EeEmbysW3j)

```bash
watch -n 0 ls -la /bin/bash
```

With the command above I was able to watch the permissions on /bin/bash to see if they change.

With the code below, I opened another terminal and repeatedly tried to SSH in, which got the second machine banned and escalated the privileges of my first session, which was already inside.

![](/files/Cupw85uR4hFrTK4Akia3)

With `bash -p` I can see that I have escalated to root.

With this access I am able to get the final root flag.

![](/files/kkaLDNUgEQHGdI6w95d1)
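The precondition this writeup relies on is an action file that a non-root user can edit while fail2ban runs its actionban and actionunban commands as root. The following audit script is an added example, not from the original writeup, that flags such files; it assumes GNU coreutils (`stat -c`) and takes the action.d path as an argument.

```shell
#!/bin/sh
# Added audit helper, not part of the original writeup. It checks for the
# condition abused above: a file in fail2ban's action.d that a non-root user
# can edit, whose actionban/actionunban lines fail2ban then runs as root.
# Assumes GNU coreutils (stat -c); the directory path is passed in.

# audit_action_dir DIR [OWNER]
#   Flags every *.conf in DIR that is not owned by OWNER (default: root) or is
#   group/world writable, and prints the action lines such a file would run.
#   Returns 0 when nothing is flagged, 1 otherwise.
audit_action_dir() {
    dir="$1"
    want_owner="${2:-root}"
    bad=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        owner=$(stat -c '%U' "$f")
        sym=$(stat -c '%A' "$f")               # e.g. -rw-rw-r--
        gw=$(printf '%s' "$sym" | cut -c6)     # group write bit
        ow=$(printf '%s' "$sym" | cut -c9)     # other write bit
        if [ "$owner" != "$want_owner" ] || [ "$gw" = w ] || [ "$ow" = w ]; then
            echo "RISK: $f owner=$owner mode=$sym"
            # these are the commands fail2ban will execute as root on ban/unban
            grep -E '^(actionban|actionunban)[[:space:]]*=' "$f" | sed 's/^/    /'
            bad=1
        fi
    done
    return $bad
}

# Usage on a live host:  audit_action_dir /etc/fail2ban/action.d
```

On the box in this writeup the file owned by fred would be reported, along with the two action lines that get executed as root.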
