RouterSpace – HackTheBox Writeup
Machine Name: RouterSpace
IP: 10.10.11.148
Difficulty: Easy
Summary
An APK file is inspected to understand how one of its features talks back to the server. For the user shell, the app's traffic is redirected through Burp and a command injection in the API gives remote code execution. For privilege escalation, basic enumeration turns up an outdated sudo with a public exploit PoC that gives a root shell.
Information Gathering
Performing an Nmap scan to enumerate the ports and services running on the target, we use the following command:
nmap -sC -sV -oN routerspace.nmap 10.10.11.148
Ports 22 (SSH) and 80 (HTTP) are open.
Enumeration
First, let's add routerspace.htb to /etc/hosts.
The webpage "http://routerspace.htb" presents some information about the Android app and directs us to a download button which saves an APK file, "RouterSpace.apk".
Clearly, this box is directing us to download the APK and inspect it. To do so, I installed Nox on my Windows 10 host and then proceeded to open the application.
The "Check Status" button gives an error, "Unable to connect". Let's set up a proxy to redirect the traffic generated by the application to Burp.
To redirect the traffic from Nox to Burp, long press "WiredSSID" in the connections list, choose Modify network, enter the attacker's local IP (Kali in my case) as the proxy host and the proxy port, then save. In Burp, add a proxy listener bound to the same IP and port and turn intercept on. Click "Check Status" and the request should now appear in Burp.
The app sends a JSON body with an ip value of 0.0.0.0 to an API endpoint, and the server echoes the same value back. Sending a random string instead, it is echoed back unchanged too.
If the server passes this value to a shell command, there should be a way to inject a command and get code execution.
Using the "&" operator to append an echo command, we get code execution. Piping with "|" also works.
We are running as user "paul".
Exploitation
Get the user flag!
To get a shell, let's use the open SSH port. Through the injection I wrote my SSH public key into paul's authorized_keys file and then connected as paul. Note that ">" overwrites the file; ">>" would append and keep any existing keys.
{ "ip":"|echo -n '<kali-public-key>'>/home/paul/.ssh/authorized_keys" }
Privilege Escalation
To enumerate further, let's copy linpeas.sh to the machine with scp.
scp -i ~/.ssh/id_rsa linpeas.sh paul@routerspace.htb:/tmp/
The process list shows that paul is running a Node application.
Taking a closer look at the code located at /opt/www/public/routerspace/index.js...
Moving on.
The first interesting clue in the linpeas results is the sudo version, 1.8.31, which predates the fix for the sudoedit heap-based buffer overflow (CVE-2021-3156, "Baron Samedit") that lets any local user gain root.
A quick Google search for exploits for this version landed me on a GitHub repo. According to the repository, if running the command below prompts for a password, the version is most probably vulnerable. Let's check it out.
It does ask for a password. Let's clone the repository, copy it to the machine and compile the code.
After compiling, running the exploit gives a root shell.
Pwned!