HackTheBox — RouterSpace

NMAP

PORT   STATE SERVICE VERSION                         
22/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-RouterSpace Packet Filtering V1
80/tcp open http
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-41677
| Content-Type: text/html; charset=utf-8
| Content-Length: 76
| ETag: W/"4c-daU9QTsu+JmXzduj1YN/Vqx5tUc"
| Date: Sun, 27 Feb 2022 16:02:12 GMT
| Connection: close
| Suspicious activity detected !!! {RequestID: xJG p RrjCI GYGF c VrTe l }
| GetRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-64002
| Accept-Ranges: bytes
| Cache-Control: public, max-age=0
| Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
| ETag: W/"652c-17d476c9285"
| Content-Type: text/html; charset=UTF-8
| Content-Length: 25900
| Date: Sun, 27 Feb 2022 16:02:11 GMT

PORT 80 (HTTP)

The web server has a template page which has a download option

Foothold

Failing to reverse the the application, I moved on to running this application on android emulator, I like using Genymotion so setup a new device and make sure that you use android 7 because if your android version is above 7 you'll face an issue when you'll try to intercept the requests being made by this application. So using an android 7 device we installed the application using adb

Privilege Escalation

So for escalating privileges I didn’t find any thing that I could abuse or saw any cronjobs running, so only option I could think of was running linpeas but all outbound traffic was blocked as I couldn't transfer linpeas from my machine

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store