HackTheBox Writeup: RouterSpace
This was an easy-difficulty Linux box that required basic scanning and analysis of an Android APK file to gain a foothold on the machine to get the user flag. The privilege escalation to root was also a relatively simple process and required using the Linux privilege escalation CVE-2021–3156 (i.e. Heap-Based Buffer Overflow in Sudo).
Enumeration
I started enumerating the target machine by performing a quick scan with NMAP to identify any open ports:
nmap -T5 --open -sS -vvv --min-rate=300 --max-retries=3 -p- -oN all-ports-nmap-report 10.10.11.148PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
The scan identified two ports open (i.e. port 22 and 80). I next used NMAP to identify the services running on each port and used the common NSE scripts to find any common vulnerabilities that I could exploit:
nmap -sV -sC -Pn -v -oN nmap-report -p 22,80 10.10.11.148PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-RouterSpace Packet Filtering V1
80/tcp open http
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-46080
| Content-Type: text/html; charset=utf-8
| Content-Length: 71
| ETag: W/"47-vsUiEn1T/EW91KMPo5u7ZZMDNb0"
| Date: Fri, 04 Mar 2022 17:09:34 GMT
| Connection: close
| Suspicious activity detected !!! {RequestID: WOA KW Qq lr Uc fK Qfu }.................
I can see that port 22 is running SSH, while port 80 is hosting a website. I also saw some uncommon http headers and an alert message about suspicious activity in the nmap scan results for port 80. I decided that I had enough information to move on and start examining the website being hosted on port 80.
HTTP — Port 80 Analysis
Navigating to http://10.10.11.143/, I am presented with a basic website promoting a mobile application called RouterSpace. The website also provides a download link for the RouterSpace.apk file.
I also noted an alert being shown when attempting to fuzz for other directories.
Android APK Analysis
I downloaded the APK file from the website and loaded it into MobSF for static analysis. Reviewing the static report, I can see under the APK signer certificate details, the hostname routerspace.htb is set as the organization.
I added this to my “/etc/hosts” file but did not identify any new information when enumerating the website on port 80. Next, I decided to install the APK file on an emulator using Genymotion and ADB.
adb connect <ip>adb install routerspace.htb
Interacting with the application, I can see that I am able to check the status of a router but I get an error trying to connect to the server.
I decided to use BurpSuite to intercept this request and setup it up as follows:
- Listen for all interfaces on port 8081.
- Used ADB to reverse traffic to ports 8081 between my emulator and attacking machine.
adb reverse tcp:8081 tcp:8081
- Setup my emulator to use a proxy with the following details:
Despite my setup, I still had trouble initially trying to intercept this request from the app to the server. However, I found that if I changed to an emulator with an older Android API and followed the same steps above, I was able to connect to the server.
User Flag: Command Injection
With my setup now working, I was able to intercept the request from the app to the server using BurpSuite.
I can see a POST request made by the app. I sent this intercepted request to repeater in BurpSuite for further analysis. In the response, I can see a string value is returned. I decided to test for command injection and list the contents of the current working directory, which was successful.
Next, I used the command whoami and can see that the user who I’m currently logged on as is paul.
Next, I can retrieve the user flag by navigating to the user paul directory and print the contents of the user.txt file.
Root Flag
I tried gaining a reverse shell with samples provided by pentestmonkey using the command injection exploit but each attempt failed. Looking at the contents of the user paul directory, I can see a hidden .ssh folder. I decided to generate my own SSH public and private keys, and then add the public key to the .ssh folder so I can login as the user paul.
$ ssh-keygen -oGenerating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Next, I give it 700 permissions and then use SSH to logon as the user paul.
ssh paul@10.10.11.148 -i id_rsa
Once logged in, I can see a variety of files, including an exploit script that refers to CVE-2021–3156.
Checking the sudo version, I can confirm that the version is vulnerable to this exploit.
paul@routerspace:~$ sudo -V
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
I can see that there is already a compiled version of the exploit on the machine. Executing this exploit gives me a root shell, where I can then get the root flag.
Final Thoughts
Overall, I found this machine to be a little tricky. Setting up my test environment to analyze the APK file took me sometime. Once I found the initial foothold (i.e. command injection), it became much easier and I was able to quickly get the user flag. The root flag was also surprisingly easy and a little disappointing. I imagine the intended solution did not involve already having a compiled exploit ready to be executed but overall I enjoyed this box. Thank you for reading till the end and happy hacking 😄!