RouterSpace is an Easy Linux machine that features a web page on port 80. The web page allows the download of an APK package, which is an Android application. Attempts to reverse engineer the APK are unsuccessful because the code is heavily obfuscated. Instead, an Android emulator is used to check the functionality of the Android application, and a proxy is set up to capture the network requests that the application makes. The captured request leads to a hidden API endpoint on the main web application, which is found to be vulnerable to command injection. Through the injection, SSH keys are written to the user's home directory and an SSH shell on the system is acquired. Privilege escalation can be achieved by enumerating the system with `LinPEAS` and identifying that it is vulnerable to the `Sudo Baron Samedit` vulnerability, assigned `CVE-2021-3156`. Running the Python exploit produces a root shell.