RouterSpace

In my opinion, this is one of the most annoying machines just to set up, and the exploits required are quite disappointing.

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 5000 10.129.227.47 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-06 10:32 EDT
Nmap scan report for 10.129.227.47
Host is up (0.017s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

RouterSpace App

Port 80 reveals a page advertising an application:

The intended method is to do dynamic analysis of the machine and run the application in an emulator (which is annoying because Anbox is not as easy to install anymore and Genymotion doesn't seem to work with my machine).

Instead, I will be doing static analysis to solve it. First, we need to decompile it with apktool.

Within the assets folder, there's an index.android.bundle file. This file contains all the JS code used in the entire application, so it's really long but probably has the information I need within it.

Within it, there's this function:

This looks like a request, and it is to http://routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccess. This means that we can probably access the application from the website. We can see n/json, which means they are probably sending JSON POST requests. We also see 0.0.0.0, which looks like an IP address.
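
The manual read-through above can be scripted when reviewing what a React Native bundle exposes. The following Python is an added example, not code from the original write-up: it walks the string literals in a bundle and reports URLs, IPv4 literals and /json fragments. The sample bundle, the ip field name and the function name triage_bundle are constructed for illustration.

```python
import ipaddress
import re

# Quoted JS string literals (single or double quotes, backslash escapes allowed).
STRING_LITERAL = re.compile(r'"((?:[^"\\\n]|\\.)*)"|\'((?:[^\'\\\n]|\\.)*)\'')
URL = re.compile(r'https?://[^\s"\'<>]+')
IPV4 = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def triage_bundle(js_text):
    """Collect URLs, IPv4 literals and JSON hints from a JS bundle's string literals."""
    found = {"urls": set(), "ipv4": set(), "json_hints": set()}
    for match in STRING_LITERAL.finditer(js_text):
        literal = match.group(1) if match.group(1) is not None else match.group(2)
        for url in URL.findall(literal):
            found["urls"].add(url)
        if IPV4.match(literal):
            try:
                ipaddress.IPv4Address(literal)  # rejects values such as 999.1.1.1
                found["ipv4"].add(literal)
            except ipaddress.AddressValueError:
                pass
        # Minifiers may split strings, so match the fragment rather than the
        # full "application/json" (the write-up only saw "n/json").
        if literal.endswith("/json"):
            found["json_hints"].add(literal)
    return {key: sorted(values) for key, values in found.items()}


# Constructed sample shaped like the request described above; not the real bundle.
# The "ip" body field is an assumption made for this example.
SAMPLE_BUNDLE = (
    'var a=["applicatio","n/json","0.0.0.0","1.2.3"];'
    'function c(e){return fetch("http://routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccess",'
    "{method:'POST',headers:{'Content-Type':a[0]+a[1]},body:JSON.stringify({ip:a[2]})})}"
)

if __name__ == "__main__":
    for kind, values in triage_bundle(SAMPLE_BUNDLE).items():
        print(kind, values)
```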

We can test for RCE or injection, and find that RCE works.

We can get a reverse shell from or we can put our public key into the authorized_keys file.

Then, we can ssh in as paul.

Privilege Escalation

Sudo Exploit

This machine is running an outdated version of sudo.

We can use this repository to exploit it:

Transfer the files over scp.

Then, make and run it to get a root shell.