Learn Ethical Hacking and Penetration Testing Online

Learn ethical hacking, penetration testing, cyber security, best security and web penetration testing techniques from best ethical hackers in security field.

Menu

RouterSpace HTB Walkthrough

RouterSpace is an easy-level machine and is too beginner-friendly for anyone to start with. Unlike usual boxes, it consists of playing with android application more than the web interface. We must dynamically analyze the application’s communication and gain a foothold through it. RouterSpace is assigned an IP address of 10.10.11.148.

nmap Scan

First step is to run nmap scan to find the open ports

nmap -sC -sV -A -T4 10.10.11.148 -o nmap_scan

Running the above command, we get the following results

PORT   STATE SERVICE VERSION
 22/tcp open  ssh     (protocol 2.0)
 | fingerprint-strings: 
 |   NULL: 
 |_    SSH-2.0-RouterSpace Packet Filtering V1
 | ssh-hostkey: 
 |   3072 f4:e4:c8:0a:a6:af:66:93:af:69:5a:a9:bc:75:f9:0c (RSA)
 |   256 7f:05:cd:8c:42:7b:a9:4a:b2:e6:35:2c:c4:59:78:02 (ECDSA)
 |_  256 2f:d7:a8:8b:be:2d:10:b0:c9:b4:29:52:a8:94:24:78 (ED25519)
 80/tcp open  http
 | fingerprint-strings: 
 |   FourOhFourRequest: 
 |     HTTP/1.1 200 OK
 |     X-Powered-By: RouterSpace
 |     X-Cdn: RouterSpace-84256
 |     Content-Type: text/html; charset=utf-8
 |     Content-Length: 68
 |     ETag: W/"44-vfwDXp+6NdvY+XCwXrsxGDdDkkQ"
 |     Date: Wed, 06 Apr 2022 17:27:26 GMT
 |     Connection: close
 |     Suspicious activity detected !!! {RequestID: n 8 P 47 0 Q }
 ...
 ...
 ...

We have 2 ports open

  • Port 22: Running SSH
  • Port 80: Running HTTP

For now, we don’t have any credentials for SSH so we move to check for the website that’s running on port 80.

RouterSpace Website

Opening the IP in the browser gave the following results

The site was a static page with just an APK to download.

APK & Environment Setup

Download the APK and run it in the android emulator (I use nox)

Set the proxy on the emulator so burp can intercept the requests. For this, listen on the specific address and port in burp and then apply manual proxy in the emulator. Visit http://burp in browser and download the certificate file. It will have the extension as .der. Change it to .cer extension and then add & install this certificate file to trusted certificates.

RouterSpace Android Application

Opening the installed application, you will see the Main Activity of the application as below

Clicking on the Check Status button will send the request that can be seen in the burp as follows

Send the request to Repeater so we can use it repeatedly

Upon forwarding the request, the app shows the toast message “Router is working fine!”

Now, go to the burp repeater and send the request to know what’s happening. You will see the response as follows

It can be seen that there is a parameter ip in the request body with the value of 0.0.0.0. The same value of ip is being reflected back in the response.

This looks like the backend system is echoing the value back in response by appending it with \n (next line).

Command Injection

We can try for command injection here by passing ;ls as the value of IP

We are successful in executing command injection and listing the contents.

Let’s find for which user we have permission to execute commands using ;id payload.

We currently have the privileges of the user named paul.

It is not wise to run the commands from here in the burp repeater and perform all the actions. We are looking to get the reverse shell so we can actively interact with the system.

Trying many reverse shell payloads didn’t work due to iptables rules which are blocking the outgoing connection.

iptables is a command line interface with usage of setting up and maintaining tables for the Netfilter firewall for IPv4, included in the Linux kernel. It will accept and drop the incoming and outgoing packets on the basis of rules.

Adding SSH Key

Remember there’s an SSH service running. So why not try for getting SSH keys and then log in?

Navigating to the .ssh directory and listing the contents using payload ;cd ~/.ssh;ls showed that the directory is empty as below

This is not the end. Even though we don’t have any of the private keys, we can try putting our public key into authorized_keys file for passwordless SSH authentication.

For this, grab your own public ssh key from ~/.ssh/id_rsa.pub file and craft the payload ;echo 'YOUR PUBLIC KEY' > ~/.ssh/authorized_keys to add your public key to authorized_keys file as below

If you don’t have your ssh key generated, you can generate using ssh-keygen

You can confirm your public key in the authorized_keys file using ;cat ~/.ssh/authorized_keys command as below

SSH Interactive Shell

Now that we have our public key into authorized_keys, we can directly ssh with the username paul as below

RouterSpace User Flag

Having the shell access of user paul, we can read the user flag

Privilege Escalation

Now to get the root flag, we need to perform privilege escalation. For this, we run sudo -l to find which commands can paul run as the sudo user. But for that, we need the password of paul. We need to figure out some other way.

As there’s no outgoing connection allowed, so we use scp (secure copy), a network protocol to securely copy files/folders, to copy the linpeas (Linpeas is a popular tool used to search for possible paths to escalate privileges on Linux, Unix, and macOS hosts) to the RouterSpace machine by running the following command on our kali machine

scp linpeas.sh paul@10.10.11.148:.

Now navigate back to RouterSpace machine and run linpeas using bash linpeas.sh command

Vulnerable sudo version (1.8.31)

Going through the output, it shows the sudo version in red

Googling for this version’s exploit, we get the sudo root exploit.

Vulnerability Details

The vulnerability mapped to CVE-2021-3156 in Sudo, a powerful utility used on any standard Linux installation could allow unprivileged local users to gain root privileges on a vulnerable host. This flaw needs no authentication and is based on a heap buffer overflow in Sudo legacy versions 1.8.2 to 1.8.31p2 and all stable versions (1.9.0 to 1.9.5p1).

The vulnerability is also known as “Baron Samedit.” It was discovered in January 2021 by security auditing firm Qualys and fixed at the end of that month with the release v1.9.5p2.

Exploitation

Clone this repo to your kali and use scp to recursively copy the whole folder to the RouterSpace machine

scp -r Sudo-1.8.31-Root-Exploit paul@10.10.11.148:.

Navigate back to the RouterSpace machine and go to the copied folder. You’ll find the files as below

We need to make the executable from the files using make command

Now run the exploit and you’ll get the root

Read the flag as below

Submit the flags to complete the machine

Did you enjoy this post?

Would you like to join our Insider's List and be notified when we post something or get FREE exclusive content?

Join Our Insider's List

Leave a Reply

Contact Us
Privacy Policy

Disclaimer
500 Westover Dr #8208 Sanford NC 27330