HackTheBox — RouterSpace

5 min readJul 9, 2022


Routerspace was an easy rated linux box which had an android application through which we need to either extract the URL or intercept request which the application was being vulnerable command injection due to unsanitized user input to get a shell as paul, escalating to root was simple as with linpeas we can identify that sudoedit was vulnerable through which which can get a shell using CVE-2021-3156 .


PORT   STATE SERVICE VERSION                         
22/tcp open ssh (protocol 2.0)
| fingerprint-strings:
|_ SSH-2.0-RouterSpace Packet Filtering V1
80/tcp open http
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-41677
| Content-Type: text/html; charset=utf-8
| Content-Length: 76
| ETag: W/"4c-daU9QTsu+JmXzduj1YN/Vqx5tUc"
| Date: Sun, 27 Feb 2022 16:02:12 GMT
| Connection: close
| Suspicious activity detected !!! {RequestID: xJG p RrjCI GYGF c VrTe l }
| GetRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-64002
| Accept-Ranges: bytes
| Cache-Control: public, max-age=0
| Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
| ETag: W/"652c-17d476c9285"
| Content-Type: text/html; charset=UTF-8
| Content-Length: 25900
| Date: Sun, 27 Feb 2022 16:02:11 GMT


The web server has a template page which has a download option

This will download routerspace.apk

I ran into a rabbit hole or should I say had trouble in setting up the environment, there are two routes in getting a foothold one being reversing the application but issue is that this is react application and it’s code is obfuscated, by de-compiling the apk with apktool we can find index.android.bundle file which will have the obfuscated javascript code, I did tried to de-obfuscate but it couldn’t be done properly.

We can use js-beatufiy to make the code a bit cleaner which can be installed through npm

We do see some strings which tells the url but still I wasn’t able to de obfuscate it and make the proper url or endpoint


Failing to reverse the the application, I moved on to running this application on android emulator, I like using Genymotion so setup a new device and make sure that you use android 7 because if your android version is above 7 you'll face an issue when you'll try to intercept the requests being made by this application. So using an android 7 device we installed the application using adb

Before running make sure to add a proxy setting to the WiFI access point

Now run the application while having burpsuite to listen on all interfaces and intercept the request

So we can do command injection here and get RCE, next we can just add our ssh public key in /home/paul/.ssh/authorized_keys file and login through ssh because for some reason outbound traffic was blocked or maybe it was intended

Checking the source code of the application we can see why were able to command injection as it was executing it with exec that creates a new shell process

Privilege Escalation

So for escalating privileges I didn’t find any thing that I could abuse or saw any cronjobs running, so only option I could think of was running linpeas but all outbound traffic was blocked as I couldn't transfer linpeas from my machine

Copying the linpeas bash script and copy pasting it through clipboard was the only solution I could come up with and then I ran the script which showed the sudoedit was vulnerable to a CVE know as sudo Baron Samedit (CVE-2021-3156)

We can confirm that sudoedit is vulnerable when we run sudoedit with -s Y it should not ask for password instead it should show us the usage options

But on the target machine it was asking for a password

We can grab the exploit from here by copy pasting the exploit from clipboard


Running id command we can see that we are root





Smol Pentester| OSCP | CTF Player | UwU