CTF-Writeups/HackTheBox/Routerspace.md
2022-07-09 21:00:39 +05:00

# HackTheBox - RouterSpace

## NMAP

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-RouterSpace Packet Filtering V1
80/tcp open  http
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-41677
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 76
|     ETag: W/"4c-daU9QTsu+JmXzduj1YN/Vqx5tUc"
|     Date: Sun, 27 Feb 2022 16:02:12 GMT
|     Connection: close
|     Suspicious activity detected !!! {RequestID: xJG p RrjCI GYGF c VrTe l }
|   GetRequest:
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-64002
|     Accept-Ranges: bytes
|     Cache-Control: public, max-age=0
|     Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
|     ETag: W/"652c-17d476c9285"
|     Content-Type: text/html; charset=UTF-8
|     Content-Length: 25900
|     Date: Sun, 27 Feb 2022 16:02:11 GMT
```

## PORT 80 (HTTP)

The web server serves a template page that has a download option.

This downloads `routerspace.apk`.

Now here I ran into a rabbit hole, or should I say had trouble setting up the environment. There are two routes to getting a foothold, one being reversing the application, but the issue is that this is a React application and its code is obfuscated. By decompiling the apk with `apktool` we can find the `index.android.bundle` file, which will have the obfuscated JavaScript code. I did try to deobfuscate it but couldn't deobfuscate it properly.

We can use `js-beautify`, which can be installed through npm, to make the code a bit cleaner.

We do see some strings which tell the URL, but still I wasn't able to deobfuscate it and build the proper URL or endpoint.

## Foothold

Next was to run this application on an Android emulator. I like using Genymotion, so set up a new device and make sure that you use Android 7, because if your Android version is above 7 you'll face an issue when you try to intercept the requests being made by this application. So using an Android 7 device we installed the application using adb.

Before running it, make sure to add a proxy setting to the WiFi access point.

Now run the application while having Burp Suite listen on all interfaces, and intercept the request.

So we can do command injection here and get RCE; next we can just add our SSH public key to the /home/paul/.ssh/authorized_keys file and log in through SSH.

Checking the source code of the application we can see why we were able to do command injection, as it was executing the input as a process.

## Privilege Escalation

So for escalating privileges I didn't find anything that I could abuse or see any cronjobs running, so the only option I could think of was running linpeas, but all outbound traffic was blocked, as I couldn't transfer linpeas from my machine.

Copying the linpeas bash script and pasting it through the clipboard was the only solution I could come up with, and then I ran the script, which showed that sudoedit was vulnerable to a CVE known as sudo Baron Samedit (CVE-2021-3156).

We can confirm that sudoedit is vulnerable: when we run `sudoedit -s Y`, it should not ask for a password; instead it should show us the usage options.

But on the target machine it was asking for a password.

We can grab the exploit from here by copy-pasting it through the clipboard.

Running the `id` command we can see that we are root.

## References