HackTheBox Writeup: RouterSpace

Published in

InfoSec Write-ups

6 min readJul 9, 2022

This was an easy-difficulty Linux box that required basic scanning and analysis of an Android APK file to gain a foothold on the machine to get the user flag. The privilege escalation to root was also a relatively simple process and required using the Linux privilege escalation CVE-2021–3156 (i.e. Heap-Based Buffer Overflow in Sudo).

Enumeration

I started enumerating the target machine by performing a quick scan with NMAP to identify any open ports:

nmap -T5 --open -sS -vvv --min-rate=300 --max-retries=3 -p- -oN all-ports-nmap-report 10.10.11.148PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

The scan identified two ports open (i.e. port 22 and 80). I next used NMAP to identify the services running on each port and used the common NSE scripts to find any common vulnerabilities that I could exploit:

nmap -sV -sC -Pn -v -oN nmap-report -p 22,80 10.10.11.148PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-RouterSpace Packet Filtering V1
80/tcp open  http
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-46080
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 71
|     ETag: W/"47-vsUiEn1T/EW91KMPo5u7ZZMDNb0"
|     Date: Fri, 04 Mar 2022 17:09:34 GMT
|     Connection: close
|     Suspicious activity detected !!! {RequestID: WOA KW Qq lr Uc fK Qfu }.................

I can see that port 22 is running SSH, while port 80 is hosting a website. I also saw some uncommon http headers and an alert message about suspicious activity in the nmap scan results for port 80. I decided that I had enough information to move on and start examining the website being hosted on port 80.

HTTP — Port 80 Analysis

Navigating to http://10.10.11.143/, I am presented with a basic website promoting a mobile application called RouterSpace. The website also provides a download link for the RouterSpace.apk file.

I also noted an alert being shown when attempting to fuzz for other directories.

Suspicious Alert.

Android APK Analysis

I downloaded the APK file from the website and loaded it into MobSF for static analysis. Reviewing the static report, I can see under the APK signer certificate details, the hostname routerspace.htb is set as the organization.

I added this to my “/etc/hosts” file but did not identify any new information when enumerating the website on port 80. Next, I decided to install the APK file on an emulator using Genymotion and ADB.

adb connect <ip>adb install routerspace.htb

Interacting with the application, I can see that I am able to check the status of a router but I get an error trying to connect to the server.

I decided to use BurpSuite to intercept this request and setup it up as follows:

Listen for all interfaces on port 8081.
Used ADB to reverse traffic to ports 8081 between my emulator and attacking machine.

adb reverse tcp:8081 tcp:8081

Setup my emulator to use a proxy with the following details:

Despite my setup, I still had trouble initially trying to intercept this request from the app to the server. However, I found that if I changed to an emulator with an older Android API and followed the same steps above, I was able to connect to the server.

Emulator Android API.

User Flag: Command Injection

With my setup now working, I was able to intercept the request from the app to the server using BurpSuite.

I can see a POST request made by the app. I sent this intercepted request to repeater in BurpSuite for further analysis. In the response, I can see a string value is returned. I decided to test for command injection and list the contents of the current working directory, which was successful.

Command Injection list directory contents.

Next, I used the command whoami and can see that the user who I’m currently logged on as is paul.

Next, I can retrieve the user flag by navigating to the user paul directory and print the contents of the user.txt file.

Root Flag

I tried gaining a reverse shell with samples provided by pentestmonkey using the command injection exploit but each attempt failed. Looking at the contents of the user paul directory, I can see a hidden .ssh folder. I decided to generate my own SSH public and private keys, and then add the public key to the .ssh folder so I can login as the user paul.

$ ssh-keygen -oGenerating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again:

Overwrite authorized_keys with my SSH public key.

Next, I give it 700 permissions and then use SSH to logon as the user paul.

ssh paul@10.10.11.148 -i id_rsa

Once logged in, I can see a variety of files, including an exploit script that refers to CVE-2021–3156.

Checking the sudo version, I can confirm that the version is vulnerable to this exploit.

paul@routerspace:~$ sudo -V
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31

I can see that there is already a compiled version of the exploit on the machine. Executing this exploit gives me a root shell, where I can then get the root flag.

Final Thoughts

Overall, I found this machine to be a little tricky. Setting up my test environment to analyze the APK file took me sometime. Once I found the initial foothold (i.e. command injection), it became much easier and I was able to quickly get the user flag. The root flag was also surprisingly easy and a little disappointing. I imagine the intended solution did not involve already having a compiled exploit ready to be executed but overall I enjoyed this box. Thank you for reading till the end and happy hacking 😄!