Routerspace Hack the box Walkthrough

 

Hello friends, Warm Welcome to my blog today we going to discuss routerspace hack the box machine this machine has come with Rce vulnerability, and to escalate the root privilege using sudo version and we going to take over the root flag and user flag from that machine... so Let's get started.

Talkative Hackthebox Writeup: https://evilox.medium.com/talkative-hackthebox-writeup-3f24491cce33

Enumeration:

So first Let us start with Nmap Scan

STEP 1: nmap -sC -sV 10.10.11.148

Further analyzing this nmap scan I have found a normal SSH service.

So next we go took at the website which is http://10.10.11.148

Here you can able see the download option on the top right corner

Download that apk file

Genymotion for Apk testing

And next, we going to set up the genymotion for apk testing. Insert using Genymotion you can able to use the Anbox or Nox player for that.

First I have test with Anbox but it was not suitable for my Linux and throws lots of errors so I used Genymotion and I used Genymotion for a Lot of Time for testing the android application.

Download the Genymotion using this link: https://genymotion.com

With that download the VirtualBox also: https://virtualbox.org

After downloading this. Download any android Machine with the older version of 5.0 or 5.1

If you’re tried with newer version 9.1 or 10 it will not work. I throw the server error.

This error is due to the newer version of your android machine. change this android machine to older version 5.1

Because I have been stuck at this stage for 3 days and I get the idea for the hack-the-

box forums.

After downloading the android machine use the adb command to install the apk on the machine

STEP 2: adb install Routerspace.apk

So now the app will be installed on your android machine.

And next, we going to set the proxy to intercept the requested using the burpsuite

So first open the proxy tab. Here you can able see the options tab.

And the Add button which is on the left.

First, It will ask you to Enter the bind port as 4001 and choose your machine IP (tun0)

And check the box ( shown in the below image )

Next, we going to set the proxy for the android machine using the below command

STEP 3: adb shell settings put global http_proxy brup:ip

Now turn off your intercept in your burpsuite and click the check status button in your android app

Now it will say “Hey the router working fine”

So next we going to intercept the request in the burpsuite.

Now you can able see the hostname which is routerspace.htb. add the host to your /etc/hosts file

And next repeat the request and intercept in your burpsuite and send it to the repeater

RCE

Further analyzing I found that it was affected by remote code execution

So first I tried “id”

So let we try another to bypass “\nid”

It’s worked now we have found the user is paul. so further I have tried a lot but it was blocked due to the iptable rule.

So let us check for the ssh key

STEP 4: \nls -al /home/paul/.ssh

There is nothing available. so I have generated the ssh key

STEP 5: ssh-keygen

STEP 6: cd /root/.ssh

Now you can able see the id_rsa.pub

STEP 7: cat id_rsa.pub

copy that id_rsa.pub key

STEP 8: \necho ‘paste your key here’ >> /home/paul/.ssh/authorized_keys

Now send this request

And go to your local machine in the nmap we have found the ssh service so let us log in

through it.

Before that give permission to your RSA file

STEP 9: chmod 600 id_rsa

STEP 10: ssh -i id_rsa paul@10.10.11.148

Now you get the user shell

boooooooooooooooooooooooommmmmm!!!!!

You can able to see the userflag which user.txt

STEP 11: cat user.txt

Root Privilege Escalation

First, we going to run the linpeas script

STEP 12: ./linpeas.sh

Further analyzing this report I have found that It was affected by the sudo version

So now we going to escalate privilege using this sudo version

CVE 2021-3156

Download this exploit in the routerspace machine

Run this exploit you will get the root shell

Booooooooooooooooommmmmmmm!!!!

STEP 13: cd root

STEP 14: cat root.txt

Now you can able to get the root flag.

Thank you for reading this blog. I hope you understand this article... Please support us