RouterSpace HackTheBox WalkThrough

This is the RouterSpace HackTheBox machine walkthrough. In this writeup I have demonstrated, step by step, how I rooted the RouterSpace HackTheBox machine. Before starting, let us know something about this machine. It is a Linux box with IP address 10.10.11.148 and difficulty Easy, as assigned by its maker.
First of all, connect your PC to the HackTheBox VPN and confirm your connectivity to the RouterSpace box by pinging its IP 10.10.11.148. If all goes well, start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed further: it helps with banner grabbing of the various services running on different ports, and sometimes it helps with vulnerability assessment as well. As usual I have used $ nmap [a popular port scanner] for this task, and the result is given below:
Scanning
$ nmap -p- --min-rate=10000 -oN fulltcp-scan.nmap 10.10.11.148

$ sudo nmap -p22,80 -sV -sC -oN ScriptScan.nmap 10.10.11.148

———-SNIP———
Nmap found ports 22 and 80 open. OpenSSH_8.2p1 is running on port 22 and a Node.js server is running on port 80 [which I got to know only after getting inside the RouterSpace box]. Before starting the enumeration of this machine, let us add the routerspace.htb host to our hosts file. The advantage is that if virtual hosting is enabled, we may get another website to enumerate. The hosts file lives in the /etc/ directory of our Kali/Parrot machine.
Host File After Modification
$ cat /etc/hosts

Since the web server is running on port 80, we have two URLs to check, viz. http://10.10.11.148 and http://routerspace.htb. Going to each URL separately, I found the same web page, which confirms that no virtual hosting is enabled on this server. We are free to use either URL while hunting; I will use http://routerspace.htb throughout the walkthrough.
Going to http://routerspace.htb, I found a download button for an APK file named RouterSpace.apk. I downloaded it; we will reverse engineer it if we do not find anything interesting on http://routerspace.htb.

Performed a directory bruteforce with $ dirsearch using the wordlist directory-list-2-3-medium.txt and a vhost bruteforce with $ gobuster using the wordlist subdomains-top1million-110000.txt, but did not find any special directory or virtual host. Checked the page source of the webpage at http://routerspace.htb for some kind of hint but did not get anything interesting. So far, nothing has turned up that helps me proceed further.
As we have already downloaded the APK file, let us install it in an Android emulator and play with it. I am going to use $ anbox, which is an open-source Android emulator for Linux. I used this link to install anbox on my Kali OS.
Install & Configure AnBox
$ sudo apt install anbox

$ sudo modprobe ashmem_linux
$ sudo modprobe binder_linux
$ sudo /sbin/modprobe ashmem_linux
$ sudo /sbin/modprobe binder_linux
$ wget https://build.anbox.io/android-images/2018/07/19/android_amd64.img
$ sudo mv android_amd64.img /var/lib/anbox/android.img
$ sudo service anbox-container-manager restart

$ anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity

We have successfully installed the anbox emulator. Let us install the $ adb tool, with which we will access the emulator and install the RouterSpace.apk app into it. We also configure the proxy setting so that we can capture the requests of the RouterSpace application.
Installing adb & Configuring Proxy
$ sudo apt install adb

————-SNIP————-
$ adb devices # To list the attached devices
$ adb -s emulator-5558 install ~/Downloads/RouterSpace.apk # To install RouterSpace apk
$ adb -s emulator-5558 shell settings put global http_proxy 192.168.250.1:8081 # To configure burp proxy

We have set the proxy to 192.168.250.1:8081, where 192.168.250.1 is the gateway address of the anbox0 interface and 8081 is the port where Burp Suite will be listening. Also configure the Burp Suite proxy to listen on port 8081 as shown in the screenshot below.

If you have trouble finding the gateway address of your anbox in Burp Suite, you can configure the Burp Suite proxy to listen on all interfaces as shown in the screenshot below. That will also work.

Once everything is configured, launch the anbox manager with the command below, or simply by searching for anbox in the start menu.
$ anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity


Turn on intercept in Burp Suite and open the RouterSpace application. Click on the Check Status button.

Note: If you are getting a connection error and anbox is taking too long to start, you can restart the anbox manager service with the command
$ sudo service anbox-container-manager restart
This can resolve the start problem.
After intercepting the request, I got an IP in JSON format. This reminded me of the Command Injection vulnerability which I have previously exploited in the DVWA web application. I have also written a post on DVWA Command Injection; read that post for more info on the Command Injection vulnerability.
After trying some basic command injection payloads, I found that it is vulnerable to OS Command Injection.
Confirming OS Command Injection
Simply append the string ;id after the IP address 0.0.0.0 and you will get the id of the user paul.

Getting User Shell
Now we have confirmed the OS Command Injection vulnerability. My next step is to get a reverse shell on my Kali machine using some one-liner. I tried different one-liners but none of them worked [you can generate multiple one-liners from here]. This may be because nc, curl, wget and bash were not allowed to communicate with a remote address; I do not know exactly what the issue was.
Then I put my SSH public key in the authorized_keys file of user paul, and using my private key I got a user shell.
Note: If the authorized_keys file does not exist, create it.
$ ssh-keygen -f key
$ cat key.pub

$ echo 'ssh-rsa <PUBLIC_KEY> deepak@kali' >> /home/paul/.ssh/authorized_keys

$ chmod 600 key
$ ssh -i key paul@10.10.11.148
$ whoami && id

We have successfully got a user shell as paul. Let us capture the user flag from the user.txt file.
Capture User Flag
$ cat user.txt

Privilege Escalation
To escalate privileges to root we first have to find a Privilege Escalation vector. We can find a PrivEsc vector either manually or with post-exploitation enumeration scripts like linpeas.sh, LinEnum.sh and many more. This time I will go with LinPEAS, i.e. the script enumeration technique.
Finding PrivEsc Vector
LinPEAS found that the Sudo version is vulnerable. After googling for a Sudo 1.8.31 exploit, I found that Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow [CVE-2021-3156], which allows privilege escalation to root via $ sudoedit -s and a command-line argument that ends with a single backslash character.

For more details about this vulnerability check this article from Qualys; a working exploit can be found here. When I tried to escalate privileges using the exploit at the latter link, I easily got a root shell. So here our PrivEsc vector is privilege escalation by exploiting the vulnerable Sudo version.
Simply make three files named hax.c, lib.c and Makefile, put the content from this exploit into the respective files, and finally run the $ make command as shown below.
$ nano hax.c
$ nano lib.c
$ nano Makefile
$ ls
$ make
$ ./sudo-hax-me-a-sandwich 1
# whoami && id

We have successfully got a root shell. Let us capture the root flag.
Capture Root Flag
# cat /root/root.txt

This was how I rooted the RouterSpace HackTheBox machine. I learnt a lot during this walkthrough; I hope you have also learnt some new things. Thanks for reading this writeup. Share your experience in the comment section. If you want to give any suggestion about the writeup, feel free to write to us at [email protected]. Check out my latest articles at https://ethicalhacs.com/.
Dumping Root Hash
# cat /etc/shadow | grep root

