Read my writeup to RouterSpace machine on:
TL;DR
User: By analyzing the RouterSpace.apk application we found an HTTP POST request to routerspace.htb/api/v4/monitoring/router/dev/check/deviceAccess which is vulnerable to command injection, Using that we add our SSH public key and we get a shell as paul user.
Root: By checking the sudo version we can see the sudo is vulnerable to CVE-2021-3156, Using that we get the root flag.