HA Rudra: Vulnhub Walkthrough
This is our walkthrough for “HA: Rudra”, a CTF designed by the Hacking Articles Team 😊. Lord Rudra is also known as Shiv, Bolenath and Mahadev, and he is venerated in Hinduism. We designed this VM because it is festival eve in India, all Indians strongly believe in Indian culture and religions, and we also want to spread awareness of Indian culture among all people. We hope you will enjoy it.
There are multiple methods to solve this machine, as well as a direct way to finish the task.
You can download from here.
Task: Boot to Root
- Shared directory
- Netcat session
- Access Mysql database
- Connect to ssh
- Sudo rights
First of all, we try to identify our target. We did this using the netdiscover command. It came out to be
Now that we have identified our target using the above command, we can continue to our second step that is scanning the target. We will use Nmap to scan the target with the following command:
nmap -A 192.168.1.101
We found that ports 22, 80 and 2049 are open for SSH, HTTP and NFS respectively, so let’s move on to service enumeration.
When you open the machine’s IP in a web browser, it displays a beautiful image of Lord Shiva.
If you do not find any hint on the web page, then without wasting time enumerate the shared directory, since the NFS service is running on the host machine.
showmount -e 192.168.1.101
cd /tmp
mkdir ignite
mount -t nfs 192.168.1.101:/home/shivay /tmp/ignite
cd ignite
ls
When you mount the whole shared directory on your local machine, you’ll find a text file named “mahadev.txt”.
So far we had not found any hint to establish our foothold, so we chose DIRB for a directory brute-force attack and luckily found the URL of the robots.txt file.
When you navigate to the following URL, it gives a hint for nandi.php.
But exploring /nandi.php gives you a blank page, and this hint might indicate the possibility of LFI.
To confirm that the host machine is vulnerable to LFI, try to extract the /etc/passwd file; this will show you some usernames: Rudra, Shivay and mahakaal, as shown below.
This phase is considered the initial compromise stage, because with the help of LFI we are able to extract low-privilege data.
To establish a foothold, you need to spawn a shell on the host machine by injecting a malicious file. As you know, NFS gives us access to the shared directory and the web application is vulnerable to LFI, so to exploit the host machine first upload the PHP backdoor (pentestmonkey PHP reverse shell) into the mount directory “/tmp/ignite” and then execute it through a web browser.
As you can observe in the above image, we have uploaded the PHP backdoor inside /tmp/ignite and will now use LFI to trigger the shell.php file. Keep the Netcat listener on for the reverse connection.
As soon as you trigger the backdoor, it gives you a reverse connection from the host machine.
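The foothold above depended on an NFS export that any client could mount and write to. As an added example (not part of the original walkthrough), this Python check reads exports(5) text and reports exports open to every host; the sample file is constructed because the page does not show the VM's /etc/exports, and the function names are chosen here.

```python
import re

# Constructed sample: the walkthrough does not show the VM's real /etc/exports.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed)
/home/shivay  *(rw,sync,no_root_squash,no_subtree_check)
/srv/builds   192.168.1.0/24(ro,sync) backup01(rw,sync)
/srv/scratch  devbox (rw,sync)
"""

ANY_HOST = {"*", "0.0.0.0/0", "::/0"}


def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports(5) text."""
    text = text.replace("\\\n", " ")              # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", token)
            if not m:
                continue
            # "(rw)" with no host in front of it applies to every host, which
            # is what a stray space in "devbox (rw)" produces.
            client = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            yield path, client, opts


def audit_exports(text):
    """Return (path, issues) for exports that any host may mount."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client not in ANY_HOST:
            continue
        issues = ["mountable by any host"]
        if "rw" in opts:
            issues.append("writable")
        if "no_root_squash" in opts:
            issues.append("no_root_squash")
        findings.append((path, issues))
    return findings


if __name__ == "__main__":
    for path, issues in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: {', '.join(issues)}")
```

An export flagged as writable deserves extra attention when a web application on the same host can read files from that directory, which is the combination this machine relies on.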
Once we have compromised the host machine, we move on to internal recon. As you can observe, this time we used netstat to view the network statistics and found that MySQL is running on localhost.
Without wasting time, we get into MySQL DBMS and enumerated the following information:
Database name: mahadev
Table name: hint
Record: check in media filesystem
It means there is something inside the media filesystem and the author wants us to dig it out.
So, when you move into the /media directory you will find two files named “creds” and “hint”, and the “hint” file contains the following hint:
Message: Without noise
The creds file contains emojis and looks like a kind of steganography. Download the creds file to your local machine (I saved it as /root/pwd); without wasting time we explored the given link. This link opens the article on a data exfiltration tool named Cloakify, which the author used to hide text behind emojis.
With the help of the above link, you can extract the hidden text behind the emojis. Follow the steps below on your local machine.
Download the tool from GitHub and run the Python script as shown, then decode the file without noise, as stated in the hint file.
python cloakifyFactory.py
Press key: 2
Decloakify path: /root/pwd
Path for saved decloaked data: /root/decodedpwd
Add noise: No
Choose emoji as the cipher type by pressing key 3. This will save the decoded text inside /root/decodedpwd as shown below.
And we found the credential for the following:
Username: mahakaal
Password: kalbhairav
So, with the help of the above credentials, we connect to the SSH service and start post-exploitation enumeration. We check the sudo rights for mahakaal and find that he has the right to run the /usr/bin/watch program as users other than root, which means that, with ALL specified, user mahakaal can run the binary /usr/bin/watch as any user.
The author added this loophole because it is the latest zero-day exploit, CVE-2019-14287, and you should be proactive to bypass it.
Type the following to escalate to a root shell:
sudo -u#-1 watch -x sh -c 'reset; exec sh 1>&0 2>&0' -u
cd /root
cat final.txt
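CVE-2019-14287 only matters where a sudoers rule grants ALL in the Runas list while excluding root, on a sudo release older than 1.8.28 (where the bug was fixed). As an added example (not part of the original walkthrough), this Python audit finds such rules; the sudoers sample is constructed, with its first rule based on the description of mahakaal's rights above, and the installed version is an assumed value.

```python
import re

FIXED_IN = (1, 8, 28)  # CVE-2019-14287 is fixed in sudo 1.8.28

# Constructed sample; the first rule follows the walkthrough's description of
# mahakaal's sudo rights, the others are invented for contrast.
SAMPLE_SUDOERS = """\
# constructed sudoers sample
mahakaal ALL=(ALL, !root) NOPASSWD: /usr/bin/watch
ops      ALL=(ALL, !#0) /usr/bin/less   # root excluded by uid
backup   ALL=(root) /usr/bin/rsync
deploy   ALL=(ALL:ALL) ALL
"""

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*(.*)$")


def risky_runas_rules(text):
    """Return (user, runas, command) for rules that allow ALL but negate root."""
    hits = []
    for raw in text.splitlines():
        # '#' followed by a digit is a uid in sudoers, not a comment
        line = re.sub(r"#(?!\d).*", "", raw).strip()
        m = RULE.match(line)
        if not m:
            continue
        user, runas, command = m.groups()
        users = [u.strip() for u in runas.split(":", 1)[0].split(",")]
        if "ALL" in users and any(u in ("!root", "!#0") for u in users):
            hits.append((user, runas.strip(), command.strip()))
    return hits


def sudo_is_affected(version):
    """True if a version string such as '1.8.27' or '1.8.21p2' predates the fix."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return tuple(int(n or 0) for n in m.groups()) < FIXED_IN


if __name__ == "__main__":
    installed = "1.8.27"  # assumed; take the real value from `sudo -V`
    for user, runas, command in risky_runas_rules(SAMPLE_SUDOERS):
        state = "bypassable" if sudo_is_affected(installed) else "enforced"
        print(f"{user}: ({runas}) {command} -> root exclusion {state}")
```

Rules reported here are better rewritten to name the permitted target users explicitly, in addition to upgrading sudo.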
Conclusion: The VM was designed to cover each stage of the kill chain, taking a red team approach and encouraging proactive learning about the latest vulnerabilities.
We hope you have enjoyed this machine. Happy Hacking!!!!!!!