Official RouterSpace Discussion

Hi,

I was struggling for the past 2 days with the setup. I managed to intercept browser requests in Burp but not from the apk. Any ideas how I can solve this? I use Android Studio AVD.
Thank you!

I am with you on this. It's a complete nightmare with the apk file. Same error: no simulator found. I go to YouTube or Google and I am told to unplug the USB. I'm dumbfounded because there's no USB since it is a simulator. I have the Jeopardy music playing in my head for the past one month.

Finally Rooted.
AS helped to run the download and WS helped capture the traffic after the domain resolve settings are done in the emulator.
Rest is basic enumeration.

The only thing I am not able to do is figure out how the domain name was found, which needs to be resolved by the hosts file, because the domain name resolution traffic is not hitting WS, so I'm not able to capture that traffic. I came to know about the domain name from the forum posts of many members.

If someone can help me with the domain name finding process. Please support.

I didn't really read through the whole thread because I didn't want to get a hint that I wasn't ready for yet, so my apologies if this is a duplicate question.

Has anyone been able to successfully emulate on arm64? If so, would you mind sharing how you did it? I've tried several options, each failing at one point or another. I have an Intel machine I can set up a VM on, if necessary, but I'm stubborn and would like to try to get this to work on my main machine. :slight_smile:

Thanks!

Thank you @h4rithd! Unusual box, but I learnt a lot while setting up and running the tools. Pretty easy afterwards. Love boxes that teach you something without over complicating things.

I installed the A***x app, then I tried to open it. It looks like it is "starting" but it didn't open.

The hardest part for me was modifying the hosts to add the domain.

I found another way to make it simpler:
adb shell settings put global http_proxy BURPIP:PORT
That way I just had to add the domain to my own /etc/hosts
and for apk the snap version for A***X

Getting the user is harder than getting root, so hang in there if you're struggling.

Tools

These tools are worth exploring but some are overkill.

  • AutoRecon
  • Mobsf
  • adb
  • apktool
  • snap
  • burpsuite (proxy, repeater and intruder)
  • wfuzz
  • LinPEAS

Guide

Foothold

  1. Enumerate, a couple of ports will open up.
  2. Look around and download the file.
  3. You have 2 choices from here: Run software to reverse it or emulate it.
    • Reversing it will identify the host name you need to set in your hosts file.
    • Emulating is the easier way.
  4. Click around the emulation and capture the communication through a proxy you need to setup.
  5. Fuzz the captured data to find the foothold.

User

Remember the other port(s) we found during our enumeration?

  1. Create a file locally
  2. Copy the file over using our foothold.
  3. Connect to the machine using the exploit.

Root

You are looking for a CVE to gain privilege escalation.

  1. Classic enumeration
  2. Read the output.
  3. Find the exploit.

Hi. I found the obvious file and tried reversing the a**. I can't figure out how to set up anb** with tun0 and Burp Suite. Please DM me with any tips.

I know there's a lot of frustration going around with the Android piece, but I found this box to be a lot of fun. There was a bit of fuzzing needed for the foothold, but that's sort of the point in these machines, to make you think of how to abuse a system rather than just use it.

I had a little bit of trouble with root since I was trying to use the exploit referenced by LinPEAS. For whatever reason it wasn't working for me; looking for other exploits for that CVE helped and I found one that worked for me.

Good box. PM me with any questions.

I dislike setting up the emulator so much I decided to try and reverse the obfuscated code that creates what you need.

Took way too long but so much more fun haha :smiley:


How do you set up proxy for anbox?

haha same here, reversing all the way !!


adb shell settings put global http_proxy BURPIP:PORT

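The one-liner above is the whole trick, but it is easy to mistype and adb will happily store a broken value. The following script is an added example, not something posted in this thread: it wraps the same `settings put global http_proxy` call with a format check, reads the value back so a typo shows up before you start testing, and clears the setting afterwards with `:0`. It assumes `adb` is on your PATH with a single emulator attached; the `192.0.2.10:8080` value in the usage line is a constructed placeholder, and setting `ADB=echo` turns it into a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): point an Android emulator's global HTTP
# proxy at an interception proxy via adb, verify it, and clear it afterwards.
# Assumptions: `adb` is on PATH and one device/emulator is attached.
# Setting ADB=echo makes every function print the adb command instead of running it.
ADB="${ADB:-adb}"

# Check a HOST:PORT spec before handing it to `settings put`, which accepts any string.
valid_proxy() {
    case "$1" in
        *:*) ;;
        *) return 1 ;;
    esac
    host="${1%:*}"
    port="${1##*:}"
    [ -n "$host" ] || return 1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Set the emulator's global HTTP proxy (the same setting the thread quotes).
set_emulator_proxy() {
    valid_proxy "$1" || { echo "bad proxy spec: $1 (want HOST:PORT)" >&2; return 1; }
    "$ADB" shell settings put global http_proxy "$1"
}

# Read the current value back so a mistake is visible before testing.
get_emulator_proxy() {
    "$ADB" shell settings get global http_proxy
}

# ":0" disables the global proxy again; remember to run this when you are done.
clear_emulator_proxy() {
    "$ADB" shell settings put global http_proxy :0
}

# Usage (constructed placeholder address; replace with your proxy's listener):
#   set_emulator_proxy 192.0.2.10:8080 && get_emulator_proxy
#   ... test the app ...
#   clear_emulator_proxy
```

Note that this only covers HTTP(S) traffic that honours the global proxy setting; a hostname the app resolves on its own still needs the hosts-file entry other posts in this thread describe, and the proxy must be listening on an interface the emulator can reach.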

I was about to give up on this box when I saw three separate alternate routes to a foothold.
I'm using Parrot on a VM in KVM/qemu/virt-manager.
I would never install VirtualBox on a hacking rig.
For starters because it's noisy and calls home to mama. I could go on about using VMware or dirtbox but I think my point is obvious.

Anyway, I used the Burp proxy thing and anbox / adb and I was able to connect. :confetti_ball:
I did this a second ago so I don't have the foothold yet.
I just wanted to say that this community rocks and I wanted to thank EVERYONE who posted in this forum. I'll come back tomorrow to do the command injection etc etc.
But thanks y'all - I can feel my blood pressure going down now.

Hello all, this is the first box I am trying on HTB, and perhaps my last if I can't find some relief.
I retrieved the apk file.
I acquired an emulator and was able to get the emulated app to start.
It prompts me to "check status", yet when I try to do so it cannot establish a connection.
I get that I need to peek at the traffic, and I was able to get Wireshark to sniff some packets, but only the failed "check status" conversation. So I know I need to get the app to successfully connect (how?).
The emulator is anbox and I got adb as well, but it isn't clear how to manipulate either/both together.
I am trying to do this on a Parrot Sec OS (5.0.1) VM via VirtualBox.

Yeah, this box can seem frustrating when the check status fails.

Depending on what your hypervisor thing is, you can find all the answers in the forum.
I finally found the path that worked for me last night.

The paths to connecting the app seem to fall into rough categories.
If you have the misfortune of trying to hack with VirtualBox you can use geany-something.

OR - you can use Burp and set Burp to listen on all interfaces and then tell adb to use the Burp proxy. See above for that.

Others seemed to simply use Windows or Ubuntu - I am assuming that they are not talking about VMs?
Finally - a few people seemed to be able to reverse engineer the app to get the vulnerable API call.
I don't use VirtualBox when I am trying to be discreet, so I use virt-manager.
Find the instructions above to tell adb to use the Burp proxy.
Have the Burp proxy listen on all interfaces.
Then adb / anbox should allow the "check status" to work.
Catch that in Burp and go to town.
-nonattribution

I meant to send that last post as a reply to @hume1618

Can someone help me with the Android config?
I use VMware with Kali and I installed anbox with the r…rs…e, but when I start the app I receive this message for the status: "Enable to connect the server". Some help please.

I can't seem to understand how to run the a** file on my Kali Linux machine. The anbox tool doesn't work. Someone, please help me with a working tool; I have searched a lot.