Privilege Escalation With fail2ban
A quick start guide for privilege escalation with fail2ban
fail2ban is a common service on Linux systems that automatically bans hosts after multiple failed authentication attempts.
It executes system commands defined in its configuration whenever a rule is applied, so a configuration that is not well protected becomes a potential vulnerability.
In this article, we will see how to exploit fail2ban for privilege escalation when we have sudo permission over it.
Conditions
Sudo permissions to run fail2ban, or at least a way to restart the service as root with a custom configuration.
Exploit
We can write a custom rule that, when banning an address, sets the SUID bit on bash or any other binary we might need.
The file to edit is action.d/iptables.conf, and we want to change the definition of the actionban option.
vi /etc/fail2ban/action.d/iptables.conf
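The condition above holds only when someone other than root can change an action definition that fail2ban executes. The following is an added audit example, not code from the article: it checks a fail2ban configuration tree for files a non-owner can edit and for action lines that set setuid/setgid bits. The function names and the sample tree are constructed for illustration; on a real host, run `f2b_audit /etc/fail2ban` as root.

```shell
#!/bin/sh
# Added example (not from the article): audit a fail2ban config tree.

# Print files/directories under DIR ($1) that OWNER ($2, default root) does
# not own, or that are group- or world-writable.
f2b_writable_paths() {
    find "$1" \( -type f -o -type d \) \
        \( ! -user "${2:-root}" -o -perm -020 -o -perm -002 \) -print 2>/dev/null | sort
}

# Print lines under DIR/action.d whose command changes setuid/setgid bits:
# symbolic "+s" or a four-digit octal mode 2xxx-7xxx. Heuristic, not a parser.
f2b_setid_actions() {
    grep -rnE 'chmod[[:space:]]+([ugoa]*\+[rwxXt]*s|0?[2-7][0-7]{3})([[:space:]]|$)' \
        "$1/action.d" 2>/dev/null || true
}

# Return 0 when DIR is clean, 1 when either check reports something.
f2b_audit() {
    writable=$(f2b_writable_paths "$1" "${2:-root}")
    setid=$(f2b_setid_actions "$1")
    [ -n "$writable" ] && printf 'editable by non-owner:\n%s\n' "$writable"
    [ -n "$setid" ] && printf 'action sets setuid/setgid:\n%s\n' "$setid"
    [ -z "$writable$setid" ]
}

# Constructed sample tree (not a real host), checked against the current uid.
demo=$(mktemp -d)
mkdir "$demo/action.d"
printf '[Definition]\nactionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>\n' \
    > "$demo/action.d/iptables.conf"
chmod 755 "$demo" "$demo/action.d"
chmod 644 "$demo/action.d/iptables.conf"
f2b_audit "$demo" "$(id -u)" && echo "sample tree: clean"
chmod 666 "$demo/action.d/iptables.conf"    # simulate a misconfigured file
f2b_audit "$demo" "$(id -u)" || echo "sample tree: findings listed above"
rm -rf "$demo"
```

Any path reported by the first check should be returned to root ownership with mode 644 (files) or 755 (directories), and sudoers entries that let unprivileged users restart fail2ban should be reviewed alongside it.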