In this post, I would like to share a walkthrough of the RouterSpace Machine from Hack the Box

This room will be considered as an Easy machine on Hack The box

What will you gain from the RouterSpace machine?

For the user flag, you will need to analyze the android application, or an easier way to get details is by inspecting the traffic with burpsuite

As for the root flag, you need to find the vulnerability on sudo version where we can execute the python file which can be found on the internet

Information Gathering on RouterSpace Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

From the Nmap output, we have been provided with two open ports ssh and HTTP. Sadly, there’s no other information that we can use for further escalation.

Let’s access the website interface.

However, it just looks like a simple website interface

Therefore, let’s run gobuster in case we can get any interesting directory

There are a lot of directories that we cannot use right now but they might be useful later on.

I notice that there’s a Download button on the website and let’s click that button

It’s apk file that has been downloaded into our machine

Step 1: To analyze the apk file

We can change the .apk file format into .zip file format where we should be able to unzip the file.

We will be presented with those directories and files shown above.

Step 2: apktool method

It’s just a short method to reverse-engineering the .apk file just like shown above.

We can find those codes above from /assets/include_android file which it’s a long list of code been stored there.

Step 3: GUI method

We are required to download the android studio over here

While waiting for the android studio installer to be completed, we can install adb using sudo apt-get install adb

The screenshot above shows the android studio when we open it directly.

Sadly, I have faced an issue showing that my disk is full.

I will share the step if you didn’t face the same issues above.

  1. Install the app into the emulator using adb install Routerspace.apk
  2. We need to execute the adb proxy using the command “adb shell settings put global http_proxy vpn. ip:any port”
  3. Configure the burpsuite to inspect the connection <http_proxy vpn. ip:any port>
  4. Click on the Status button on the application
  5. You will be able to see the request as shown in the screenshot below

Process after either Step 1/2

We can execute the curl command above to get some details on the machine

Process after either Step 3

We also can use burpsuite to inspect the packet which you will have the output shown above.

We need to modify the payload by adding the { } symbol while the rest remain the same.

Let’s change the with the “id” command which you will obtain the output that we not expecting at all.

It looks like the machine is filtering the everyday command that we use so we need to bypass those by adding \n in front of the normal command

Gaining Privileges Access to Routerspace machine

Let’s create an ssh-keygen on our attacker machine

As a result, we can copy-paste the public ssh key into the payload so that we can insert our ssh key into the victim’s machine

The payload will look something such as { “ip”: “\necho ‘your ssh key’ >> /home/paul/.ssh/authorized’ ” }

We should be giving 600 permission to our ssh private key so that we can access the machine via ssh service.

Finally, we can access the machine via ssh service.

We can read the user flag by executing the command “cat user.txt

Escalate to Root Privileges Access on Routerspace machine

Firstly, we need to find some malicious files that we can use for escalation.

Sadly, we didn’t manage to find any malicious files on /var/backup directory

We also didn’t find anything interesting on /opt/www/public/routerspace directory

At this point, I feel disappointed with myself for not finding any useful file to use.

After a while, I was thinking about the last escort on finding a vulnerability that we can use. We should investigate sudo version which might be useful to us.

As a result, we found out that the sudo version is incredibly old which was released on 2020-01-30

Let’s do some research on the sudo version on the internet.

We can use any GitHub that shows above but I’m using the worawit GitHub

As a result, we can create the python and paste the code inside the file that we created earlier.

We need to give permission to the file so that we can execute it later.

Finally, we got a root shell once we execute the python file

We can read the root flag by executing the command “cat root.txt


Happy Learning Guys!

Extra Information on Paper machine

We can go to /etc/shadow so that we can unlock and read the write-up