RouterSpace was an easy-rated Linux box that ships an Android application. From the app we need to either extract the API URL or intercept the requests it makes; the endpoint it talks to is vulnerable to command injection because user input is passed unsanitized to a shell, which gives us a shell as paul.
Escalating to root was simple: with linpeas we can identify that sudoedit
is vulnerable to CVE-2021-3156 (Baron Samedit), through which we get a root shell.
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-RouterSpace Packet Filtering V1
80/tcp open http
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-41677
| Content-Type: text/html; charset=utf-8
| Content-Length: 76
| ETag: W/"4c-daU9QTsu+JmXzduj1YN/Vqx5tUc"
| Date: Sun, 27 Feb 2022 16:02:12 GMT
| Connection: close
| Suspicious activity detected !!! {RequestID: xJG p RrjCI GYGF c VrTe l }
| GetRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-64002
| Accept-Ranges: bytes
| Cache-Control: public, max-age=0
| Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
| ETag: W/"652c-17d476c9285"
| Content-Type: text/html; charset=UTF-8
| Content-Length: 25900
| Date: Sun, 27 Feb 2022 16:02:11 GMT
PORT 80 (HTTP)
The web server serves a template page with a download option.
This downloads routerspace.apk.
I ran into a rabbit hole, or rather had trouble setting up the environment. There are two routes to a foothold. The first is reversing the application, but the issue is that this is a React Native application and its JavaScript is obfuscated. Decompiling the APK with apktool
yields the index.android.bundle
file, which holds the obfuscated JavaScript (React Native packs all of the app's JavaScript into this single bundle). I did try to de-obfuscate it, but it couldn't be done properly.
We can use js-beautify
to make the code a bit cleaner; it can be installed through npm.
We do see some strings that hint at the URL, but I still wasn't able to de-obfuscate it and reconstruct the proper URL or endpoint.
Foothold
Having failed to reverse the application, I moved on to running it in an Android emulator. I like using Genymotion,
so set up a new device and make sure it runs Android 7: if the Android version is above 7 you'll run into an issue when you try to intercept the requests the application makes. With an Android 7 device we install the application using adb.
Before running it, add a proxy setting to the WiFi access point so the device sends its traffic to Burp.
Now run the application with Burp Suite listening on all interfaces and intercept the request.
So we can do command injection here and get RCE. Outbound traffic from the box appeared to be blocked (for some reason, or perhaps by design), so rather than a reverse shell we add our SSH public key to /home/paul/.ssh/authorized_keys
through the injection and log in over SSH.
Checking the application's source code shows why the command injection works: the input is passed to exec,
which spawns a new shell process to run the command string, so shell metacharacters in the input are interpreted.
Privilege Escalation
For privilege escalation I didn't find anything I could abuse, nor any cron jobs running, so the only option I could think of was running linpeas.
But all outbound traffic was blocked, so I couldn't transfer linpeas from my machine.
Copying the linpeas bash script and pasting it through the clipboard was the only solution I could come up with. Running the script showed that sudoedit
was vulnerable to the CVE known as sudo Baron Samedit (CVE-2021-3156).
We can confirm that sudoedit is vulnerable by running it with -s Y.
On a patched sudo the -s option is rejected and sudoedit prints its usage text instead of asking for a password; a vulnerable build accepts the option and prompts for one.
On the target machine it asked for a password, so it is vulnerable.
We can grab the exploit from the repository below, again pasting it onto the target through the clipboard:
https://github.com/blasty/CVE-2021-3156
After running it, the id
command shows that we are root.