UnderPass HackTheBox Walkthrough

OS: Linux
Difficulty Level: Easy

Introduction

The UnderPass machine offers a straightforward yet educational journey through enumeration, service exploitation, and privilege escalation. The challenge begins with identifying open services through network scanning, leading to the discovery of an SNMP service that provides a crucial hint. With persistence, a hidden path on the web server reveals a daloRADIUS instance. Leveraging default credentials, we gain an initial foothold via SSH. Finally, privilege escalation is achieved by exploiting a misconfigured sudo rule for the mosh-server binary. This write-up walks through the entire process step by step.


Enumeration

We begin our exploration by running an nmap scan to identify open ports and services:

The scan reveals two open ports:

  • Port 22: SSH
  • Port 80: HTTP

Based on version headers, we confirm the machine is running Linux. Our first focus is on the HTTP server. Upon accessing it, the server appears to be minimally configured, with no content:

After trying fuzzing and virtual host enumeration with no success, I decided to perform a UDP scan. Although UDP scans are slower, because closed or filtered UDP ports often return no response at all, they can reveal important services. Here is the result of the scan:

The scan reveals that port 161 (SNMP) is open. This discovery becomes pivotal for further progress.


What is SNMP?

SNMP (Simple Network Management Protocol) is a protocol used for monitoring and managing network devices like routers, switches, and servers. It enables administrators to:

  • Collect information about device performance and status,
  • Detect and troubleshoot issues,
  • Remotely configure network equipment.

To confirm the presence of an SNMP service, I referred to a HackTricks cheat sheet:

The confirmation paves the way for further investigation.


Proceeding with SNMP Enumeration

Referencing another cheat sheet from Offensive Security, I discovered an intriguing hint in the SNMP output:

https://cheatsheet.haax.fr/network/services-enumeration/161_162_snmp/

“UnDerPass.htb is the only daloRADIUS server in the basin!”

This statement is a significant clue: a /daloradius path on the web server is likely where progress lies. It redirects our focus back to the HTTP server for further testing.

Path Discovery with feroxbuster

I used feroxbuster to scan the server for potential directories under /daloradius:

feroxbuster -w <wordlist> -u "http://underpass.htb/daloradius"

The scan revealed a wealth of potential directories and files:

  • /daloradius/app/users/
  • /daloradius/app/users/include/
  • /daloradius/app/users/library/
  • /daloradius/app/operators/
  • /daloradius/app/operators/include/
  • /daloradius/app/operators/library/

These paths indicate the presence of separate panels for users and operators, suggesting where authentication can be tested. The focus will now be directed to these endpoints.

Among these results, the /daloradius application itself stood out as the most promising entry point.


Gaining Initial Foothold

The /daloradius path led to the daloRADIUS web interface, a tool for managing FreeRADIUS servers. After researching possible vulnerabilities, I found references to default credentials. According to a blog post I found, the default credentials for daloRADIUS are:

  • Username: administrator
  • Password: radius

I attempted these credentials on the /operators login panel:

The login was successful. It is important to note that daloRADIUS has two distinct login panels (/users and /operators). Administrator credentials only work on the /operators panel.

Upon logging in, I found an entry for a registered user containing a username and an MD5 hash:

Cracking the Hash

Using common wordlists like rockyou with John the Ripper yielded no results. However, I successfully cracked the hash using CrackStation (note: avoid online cracking tools during real engagements):

The credentials obtained were:

  • Username: svcMosh
  • Password: underwaterfriends

Using these credentials, I attempted to connect to the SSH service discovered earlier:

This provided access to the target machine as the user svcMosh:


Privilege Escalation

With initial access established, I began enumerating the system for privilege escalation opportunities. Using sudo -l, I discovered that the svcMosh user could execute the mosh-server binary as root without a password:

Exploiting mosh-server

By design, mosh-server starts a detached session that a mosh client can then attach to. Because the sudo rule runs the binary as root without a password, any session it starts is a root shell, which is what makes this rule exploitable for privilege escalation.
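The rule behind this finding is what a defender would audit for. The following Python script is an added example, not part of the original write-up or the machine: it parses sudoers-formatted text and flags NOPASSWD rules on binaries that hand out an interactive session, using a constructed sample modelled on the svcMosh rule and an assumed watchlist of such binaries.

```python
import re

# Binaries that give the caller an interactive session when run as root. This
# watchlist is an assumption for the example; mosh-server is the UnderPass entry.
SHELL_CAPABLE = {"mosh-server", "bash", "sh", "vim", "less", "python3", "ALL"}

# user host=(runas) [TAG:] cmd[, cmd ...]; Defaults and alias lines are skipped.
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias", "@include")

def parse_sudoers(text):
    """One record per command; tags (NOPASSWD/PASSWD) persist along the list."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SPEC_RE.match(line) if line and not line.startswith(SKIP) else None
        if not m:
            continue
        tags = set()
        for item in m.group("rest").split(","):
            item = item.strip()
            # Peel leading "TAG:" prefixes; PASSWD and NOPASSWD override each other.
            while ":" in item and item.split(":", 1)[0].strip().isupper():
                tag, item = (s.strip() for s in item.split(":", 1))
                if tag in ("NOPASSWD", "PASSWD"):
                    tags -= {"NOPASSWD", "PASSWD"}
                tags.add(tag)
            records.append({"user": m.group("user"), "runas": m.group("runas") or "root",
                            "cmd": item, "tags": frozenset(tags)})
    return records

def find_risky_nopasswd(text):
    """Return 'user -> (runas) cmd' for NOPASSWD rules on shell-capable binaries."""
    findings = []
    for r in parse_sudoers(text):
        name = (r["cmd"].split() or [""])[0].rsplit("/", 1)[-1]
        if "NOPASSWD" in r["tags"] and name in SHELL_CAPABLE:
            findings.append(f"{r['user']} -> ({r['runas']}) {r['cmd']}")
    return findings

# Constructed sample modelled on the rule the write-up describes (not the box's file).
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
svcMosh ALL=(ALL) NOPASSWD: /usr/bin/mosh-server   # the UnderPass-style rule
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /bin/bash
"""
```

Run `find_risky_nopasswd` over the contents of /etc/sudoers and each file in /etc/sudoers.d to get the same check on a live host; the root rule is not flagged because it requires a password.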

I ran the following commands to execute a root shell:

This successfully provided root access:

