Hackthebox released a new machine called RouterSpace. On this machine we get an apk file from port 80; after analyzing the apk we find a new endpoint that is vulnerable to RCE, we get a shell through that RCE, and for privilege escalation the installed sudo version is vulnerable to the well-known CVE-2021-3156.
Step1: During the recon stage we ran an nmap scan and found 2 open ports.
While looking through the webpage we found a suspicious download button; once we clicked it we got a new apk file named routerspace.apk.
To run Android applications in a GUI we use an application named anbox.
anbox can be installed with the help of the above link.
After installation we need to set the proxy to the anbox IP address.
Step2: After setting all this up we launched anbox, found our apk file and opened it. It has a Check Status button, so using Burp we intercepted the request and found a suitable place for command injection.
We sent this request to Repeater and manipulated it with a simple command, id, and got a response showing that command injection is possible.
After a small modification to our command we got what we needed: a username, paul.
We just listed all the files in paul's home directory and got our first flag.
Step3: In order to get a proper shell we created an ssh key pair and dropped the public key into authorized_keys.
We selected the id_rsa.pub key and, using Burp, saved the key to the target machine.
We successfully added the file!
Step4: Just change the permissions of the private key and open the ssh connection.
Step5: When we listed the files we luckily found linpeas.sh, so we just executed it to find the vulnerabilities of the target machine.
Looking through the gathered information we found that sudo is vulnerable; to confirm this we executed sudoedit -s Y and it asked for a password!
Step7: Through GitHub research we found the CVE for that particular version.
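For the defender-side check that goes with this step, here is a small added script (not part of the original writeup) that parses the output of `sudo --version` and tells you whether the upstream version lies in the ranges affected by CVE-2021-3156. The sample output string is constructed; note that distributions often backport the fix without bumping the version, so the sudoedit probe above remains the reliable runtime test.

```python
import re

# Upstream ranges affected by CVE-2021-3156 ("Baron Samedit"):
# legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1.
# Fixed in 1.9.5p2. Stored as (major, minor, patch, plevel) tuples.
VULN_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?$")


def parse_sudo_version(text):
    """Parse '1.8.31p2' or a full `sudo --version` dump whose first line is
    'Sudo version 1.8.31' into a comparable (major, minor, patch, plevel)."""
    m = re.search(r"[Ss]udo version (\S+)", text)
    token = m.group(1) if m else text.strip()
    m = _VER_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def is_affected(version):
    """True if the parsed version falls inside an affected upstream range.
    A distro backport can patch the bug without changing this number."""
    return any(lo <= version <= hi for lo, hi in VULN_RANGES)


def audit_sudo_output(text):
    """Return a one-line verdict for a captured `sudo --version` output."""
    ver = parse_sudo_version(text)
    label = "affected (verify with the sudoedit probe)" if is_affected(ver) else "not affected"
    return f"sudo {'.'.join(map(str, ver[:3]))}p{ver[3]}: {label}"


if __name__ == "__main__":
    # Constructed sample of what `sudo --version` prints on a host.
    SAMPLE = "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n"
    print(audit_sudo_output(SAMPLE))
```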
We created a file on the target machine named poc.py, filled it with the exploit code, changed the file's permissions and executed it.
We gained root access and found the root flag.
Pwned..!!!