--- title: "Writeup - RouterSpace (HTB)" date: 2022-04-05 slug: "writeup-routerspace-htb" type: "writeup-ctf" --- This is a writeup for the [RouterSpace](https://app.hackthebox.com/machines/RouterSpace) machine from the HackTheBox site. ## Enumeration First, let's start with a scan of our target with the following command: ```bash nmap -sV 10.129.175.15 ``` Two TCP ports are discovered: ![](img/image-1.webp) - 22/tcp : SSH port - 80/tcp : HTTP web server Let's go to the site and see if we can find some information. ![](img/image-2.webp) The site presents us with an application to connect our router to "routerspace". In addition to this information we have the possibility to download the application in .apk format. ## Exploit I first tried to analyze the application with [APKtool](https://www.kali.org/tools/apktool/). But I didn't find anything special. So I will try to install it with the help of an emulator. After testing several emulation solutions, I finally chose Anbox. To install it on kali I followed the following guide: [How to install Anbox on Debian](https://dev.to/sbellone/how-to-install-anbox-on-debian-1hjd) After starting Anbox, I start Burp in listening mode on all interfaces, then I set adb with the burp proxy with the following command: ```bash adb shell settings put global http_proxy 192.168.250.1:8080 ``` I then install the application with the following command: ```bash adb install RouterSpace.apk ``` After starting the application and testing the connection, I notice that burp is intercepting packets to "". So I add this domain to the "/etc/hosts" file. ![](img/image-3.webp) While analyzing the packet sent by the application I notice a json IP field. ![](img/image-4.webp) By adding ";" I can insert a command that the remote host interprets as a command. Perfect! After some tests I realize that I can't launch a reverse shell, possibly there are firewall rules that block. To be confirmed... Another solution is to use SSH to get access. I check if there is a '.ssh' folder for the user paul : ![](img/image-5.webp) It exists, so I generate keys: ```bash ┌──(kali㉿kali)-[~] └─$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/kali/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/kali/.ssh/id_rsa Your public key has been saved in /home/kali/.ssh/id_rsa.pub The key fingerprint is: SHA256:UbAb/Eaflsqf/Wneee+yy26b+ZymMNXYfXH7oxac8/E kali@kali The key's randomart image is: +---[RSA 3072]----+ | ... | | . o | | = . ..| | * . o+ =| | S o *o.+o| | o o.= .o| | oo +.+| | .o=+BE| | +=#&X| +----[SHA256]-----+ ``` Then I add my public key in the "authorized\_jeys" file with the following command: ```bash "ip":";echo 'ssh-rsa [public_key] kali@kali'>> ~/.ssh/authorized_keys" ``` I can now connect in SSH and get the first flag. ![](img/image-6.webp) ## Privilege escalation To start I'll use [linPeas](https://linpeas.sh/) to do a first exploit tracking on the machine. But I have indeed the impression that IPtables rules are blocking my requests: ![](img/image-7.webp) To transfer my file I will use "scp" with the following command: ```bash ┌──(kali㉿kali)-[~] └─$ scp linpeas.sh paul@10.10.11.148:~/ linpeas.sh 100% 748KB 8.4MB/s 00:00 ``` After running the script, I notice that the machine uses a version of sudo that is exploitable (CVE-2021-3156). After some research I find this script which allows to create a root shell: [GitHub - mohinparamasivam/Sudo-1.8.31-Root-Exploit: Root shell PoC for CVE-2021-3156Root shell PoC for CVE-2021-3156. Contribute to mohinparamasivam/Sudo-1.8.31-Root-Exploit development by creating an account on GitHub.![](https://github.com/fluidicon.png) {{< github repo="mohinparamasivam/Sudo-1.8.31-Root-Exploit" >}} And indeed after executing the code, I get a root shell and I can recover the last flag! ![](img/image-8.webp) ## Recommendations To patch this host I think it would be necessary to perform a number of actions: - Secure the application to avoid code injection - Run the service with a user who does not have SSH access - Update the sudo version to a more secure one