UnderPass

Intro.


Hello everyone, today we have the latest Hack The Box machine, called UnderPass. Let's get right into it.

Enumeration.

Port scanning.

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK+kvbyNUglQLkP2Bp7QVhfp7EnRWMHVtM7xtxk34WU5s+lYksJ07/lmMpJN/bwey1SVpG0FAgL0C/+2r71XUEo=
|   256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8XNCLFSIxMNibmm+q7mFtNDYzoGAJ/vDNa6MUjfU91
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.52 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).

As we can see, we have HTTP and SSH open.

HTTP

I enumerated everything: directory brute forcing, path traversal, common Apache misconfigurations, subdomains.

I also found a CVE for the Apache version (HTTP request smuggling).

But nothing came of it.

UDP ports.

UDP ports are something I forgot to enumerate, but when I did I found this.

PORT     STATE         SERVICE
161/udp  open          snmp
1812/udp open|filtered radius
1813/udp open|filtered radacct

We have SNMP open; let's see what we can do with this.

Enumerate SNMP.

After some searching I came across a useful tool called snmpbulkwalk, which shows us the following results.

For more information about SNMP you can refer to this.

From the above image we can tell a few things.

  1. There is a user called steve.

  2. We have what's called a daloRADIUS server.
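The walk above is worth looking at from the other side as well: everything it revealed (a person's name in sysContact, a product name in sysName) was put there by the system's owner and is readable by anyone who knows the community string. The following script is an added example, not part of the original write-up, that parses snmpbulkwalk-style output and flags the values an administrator should scrub before exposing SNMP. The sample walk is constructed (the box's real output is only shown as an image); the software watchlist and the finding categories are my own choices.

```python
import re
from collections import Counter

# Constructed sample in the style of snmpbulkwalk / snmpwalk output. The write-up's
# real walk is only shown as an image; these values are assumptions that mirror the
# two facts it reports (a contact named steve, a daloRADIUS host).
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Linux underpass 5.15.0 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
SNMPv2-MIB::sysUpTime.0 = Timeticks: (12345) 0:02:03.45
SNMPv2-MIB::sysContact.0 = STRING: steve
SNMPv2-MIB::sysName.0 = STRING: daloradius server
SNMPv2-MIB::sysLocation.0 = STRING: ""
"""

# One walk line: <MIB>::<object>.<index> = <TYPE>: <value>
LINE_RE = re.compile(r"^(?P<oid>\S+)\s=\s(?P<type>[A-Za-z0-9-]+):\s?(?P<value>.*)$")

# MIB-II objects that usually carry people or site information.
IDENTITY_OIDS = ("sysContact", "sysLocation")

# Product names whose appearance in a MIB value tells an outsider what is running
# (assumed watchlist; extend it for your own estate).
SOFTWARE_WATCHLIST = ("daloradius", "freeradius", "radius", "apache", "mysql")


def parse_walk(text):
    """Turn walk output into a list of {oid, type, value} records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({
                "oid": m["oid"],
                "type": m["type"],
                "value": m["value"].strip('"'),   # STRING values may be quoted
            })
    return records


def audit_walk(text):
    """Return (category, object, detail) tuples for values that leak information."""
    findings = []
    for rec in parse_walk(text):
        # "SNMPv2-MIB::sysContact.0" -> "sysContact"
        name = rec["oid"].split("::")[-1].split(".")[0]
        value = rec["value"].strip()
        if not value:
            continue
        if name in IDENTITY_OIDS:
            findings.append(("identity", name, value))
        if name == "sysDescr":
            findings.append(("os_disclosure", name, value))
        for product in SOFTWARE_WATCHLIST:
            if product in value.lower():
                findings.append(("software_disclosure", name, product))
    return findings


def summarize(text):
    """Count findings per category, e.g. {'identity': 1, 'os_disclosure': 1, ...}."""
    return dict(Counter(f[0] for f in audit_walk(text)))


if __name__ == "__main__":
    for category, obj, detail in audit_walk(SAMPLE_WALK):
        print(f"{category:20} {obj:12} {detail}")
    print(summarize(SAMPLE_WALK))
```

Run it against the output of your own `snmpbulkwalk` and anything it reports under `identity` or `software_disclosure` is a value to blank or generalise in snmpd.conf; beyond that, the usual fixes are a non-default community string, SNMPv3 with authentication, and a firewall rule that only lets the monitoring host reach UDP 161.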

What is a daloRADIUS server?

daloRADIUS is an advanced RADIUS web management application for managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine, and integrates with OpenStreetMap for geolocation. The system is based on FreeRADIUS, with which it shares access to the backend database.

You can find more here.

Since we have a username we may try to log in with it, maybe by guessing the password. Here we can find the login page: http://underpass.htb/daloradius/app/operators/login.php

After some guessing I tried the default creds, and they actually work.

Default creds are
Administrator/radius

Shell as svcMosh

As you can see in the image above, in the green box we have a user. Let's see more.

As you can see in the image, the user has a password. I tried to log in with this password but had no luck, so I was sure that this password was a hash, and I used CrackStation to crack it.

svcMosh/underwaterfriends

Let's SSH.

As you can see, we are able to find the user flag.

Shell as root.

To get a root shell, let's see what permissions we have: "sudo -l"

So we can run something called mosh-server, but what is that?

After a while of searching: mosh is a way to connect to your server remotely, but it operates on top of UDP as well as SSH.

Going through the official page we can find that there is also a tool called mosh-client, which allows us to connect to mosh-server. It also says that there is no need to run mosh-server as root, meaning there is something wrong.

Looking at mosh-client on the official page we can also see that a base64-encoded key is generated when we start a mosh-server session; we can set that as the MOSH_KEY environment variable, which is required when we try to connect to mosh-server.

But where can we find it?

Here we can use this key as our MOSH_KEY, and after that we connect using mosh-client from our machine or from the target itself, and we get a root shell.
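The root of this escalation is a sudo rule that lets an unprivileged account run a binary which hands back an interactive session as the runas user; as the official page says, mosh-server never needs root, so the rule itself is the bug. The script below is an added example, not part of the original write-up, that parses `sudo -l` output and rates such rules the way an auditor would. The sample output is constructed (the box's real `sudo -l` is only shown as an image), and the list of session-spawning binaries is an assumption of mine, with mosh-server included because it execs a login shell for whichever user it runs as.

```python
import re

# Constructed sample in the shape of `sudo -l` output. The write-up shows the real
# output only as an image, so the host name and the second entry are assumptions.
SAMPLE_SUDO_L = """\
Matching Defaults entries for svcMosh on underpass:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User svcMosh may run the following commands on underpass:
    (ALL) NOPASSWD: /usr/bin/mosh-server
    (root) /usr/bin/systemctl restart apache2
"""

# One command entry: "(runas) [TAG: TAG: ...] command args"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+"      # (ALL) or (root : root)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"        # optional NOPASSWD: SETENV: ...
    r"(?P<cmd>\S.*)$"                   # command line
)

# Binaries that give the caller an interactive session as the runas user
# (assumed list). mosh-server execs the user's login shell on the far end.
SESSION_SPAWNERS = {"mosh-server", "bash", "sh", "zsh", "su", "screen", "tmux", "vim", "vi", "less"}


def parse_sudo_l(text):
    """Return the command entries from `sudo -l` output as dicts."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True          # everything below this header is a rule
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if m:
            tags = {t.strip(":") for t in m["tags"].split()}
            entries.append({"runas": m["runas"].strip(), "tags": tags, "cmd": m["cmd"].strip()})
    return entries


def audit_sudo_l(text):
    """Return (rule, runas, command) tuples for entries an auditor should question."""
    findings = []
    for e in parse_sudo_l(text):
        argv = e["cmd"].split()
        binary = argv[0].rsplit("/", 1)[-1]      # "/usr/bin/mosh-server" -> "mosh-server"
        if e["cmd"] == "ALL":
            findings.append(("all_commands", e["runas"], e["cmd"]))
        if "NOPASSWD" in e["tags"]:
            findings.append(("nopasswd", e["runas"], e["cmd"]))
        if binary in SESSION_SPAWNERS:
            findings.append(("session_spawner", e["runas"], e["cmd"]))
        if any("*" in arg for arg in argv[1:]):
            findings.append(("wildcard_args", e["runas"], e["cmd"]))
    return findings


def rate(findings):
    """Collapse the findings into one severity for the account."""
    kinds = {f[0] for f in findings}
    if kinds & {"all_commands", "session_spawner"}:
        return "critical"       # equivalent to an unrestricted shell as runas
    if kinds:
        return "high"
    return "ok"


if __name__ == "__main__":
    result = audit_sudo_l(SAMPLE_SUDO_L)
    for rule, runas, cmd in result:
        print(f"{rule:16} ({runas}) {cmd}")
    print("severity:", rate(result))
```

The fix for the rule flagged here is to delete it: a user who needs mosh just runs mosh-server as themselves, and the same `session_spawner` check is worth running over every account's `sudo -l` output, not only the one you happen to be logged in as.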

Conclusion

In the end this machine was a lot of fun. It's an easy machine, but it has a lot of new things, from the initial access to the privilege escalation; quite a lot of fun and learning.
