{"id":515,"date":"2025-01-26T03:25:48","date_gmt":"2025-01-26T03:25:48","guid":{"rendered":"https:\/\/infosecjake.net\/?p=515"},"modified":"2025-05-28T01:32:35","modified_gmt":"2025-05-28T01:32:35","slug":"hackthebox-underpass-walkthrough","status":"publish","type":"post","link":"https:\/\/infosecjake.net\/?p=515","title":{"rendered":"HackTheBox – UnderPass Walkthrough"},"content":{"rendered":"\n

It’s been a bit since I’ve posted any walkthroughs, so here we are back with an easy machine called UnderPass.<\/p>\n\n\n\n

I use my own Kali VM to attack from and connect through VPN to the HTB network. You can do that or use one of their attack boxes. I prefer my own as I have a lot of notes, exploits, and other files saved on my personal Kali VM instance.<\/p>\n\n\n\n

After booting up my Kali VM and connecting to VPN, we’ll boot up the UnderPass machine and start scanning.<\/p>\n\n\n\n

As is standard, we’ll get an nmap scan fired off to see what network ports are open on the machine. <\/p>\n\n\n\n

\"Initial<\/figure>\n\n\n\n

Our initial nmap scan shows a webservice on port 80 and ssh open on port 22.<\/p>\n\n\n\n

We’ll add overpass.htb to our \/etc\/hosts\/ file for easy name resolution.<\/p>\n\n\n\n

\"modifying<\/figure>\n\n\n\n

Now, navigating to the website we can see there’s a default apache page.<\/p>\n\n\n\n

\"Default<\/figure>\n\n\n\n

Nothing to see there, so let’s do some directory fuzzing with ffuf. <\/p>\n\n\n\n

\"ffuf\"<\/figure>\n\n\n\n
\"results\"<\/figure>\n\n\n\n

None of these are accessible, giving me a forbidden message. So, let’s take a step back and do a different type of nmap scan. Our initial scan was using tcp, but maybe there’s something else we’re not seeing using UDP. We’ll use the -sU flag and limit it to the top 100 ports.<\/p>\n\n\n\n

\"UDP<\/figure>\n\n\n\n

We can now see there’s an snmp port open as well as radius.<\/p>\n\n\n\n

So, let’s enumerate the snmp service to see what we can find.<\/p>\n\n\n\n

First, we’ll use snmp-check with the -c Public option.<\/p>\n\n\n\n

\"oof\"<\/figure>\n\n\n\n

Oof, it would work correctly if I used correct capitalization. Quick review of the Kali doc here<\/a> shows that ‘public’ should be lowercase. Let’s try that again.<\/p>\n\n\n\n

\"snmp<\/figure>\n\n\n\n

Not a ton of information but I do see a user, maybe we can use that later? I’ll keep that noted just in case. Additionally, the hostname output says that this is the only daloradius server in the basin. I have no idea what that means, but let’s do some Googling on it.<\/p>\n\n\n\n

In the meanwhile, we’ll use snmpwalk to see if there’s anything additional that snmp-check missed.<\/p>\n\n\n\n

\"snmpwalk<\/figure>\n\n\n\n

I spent a bit of time doing some Google searching on Daloradius. I was able to find this<\/a> article on installing Daloradius that shows the default web path to the service as well as what appears to be default credentials. <\/p>\n\n\n\n

\"Daloradius<\/figure>\n\n\n\n

Trying to visit this directory results in a forbidden message. So, we know the endpoint appears to be there….somewhere…hiding. Let’s see if we can find it with ffuf. Using ffuf, I just fed it the option of underpass.htb\/daloradius\/FUZZ. <\/p>\n\n\n\n

\"more<\/figure>\n\n\n\n

We will keep iterating and through these subfolders til we find what we’re looking for. So far we know there’s \/daloradius\/app\/. Next, we find users and navigate to that on the browser. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

It directs us to the users login endpoint. Let’s see if we can use the default credentials for this. I used the creds from the install guide above but that did not work.<\/p>\n\n\n\n

\"daloradius<\/figure>\n\n\n\n

Quick Google search gave me these creds. However, these still do not work.<\/p>\n\n\n\n

Ok, when in doubt, enumerate out. Let’s do some more searching, this time with dirsearch. <\/p>\n\n\n\n

\"dirsearch\"<\/figure>\n\n\n\n
\"dirsearch<\/figure>\n\n\n\n

We found that there’s another endpoint. This one called operators. Ffuf did not find this endpoint, likely due to the wordlist I used, which is a bit of a bummer. However, I’ve often found that using different tools & wordlists does seem to help if you get stuck.<\/p>\n\n\n\n

\"operators<\/figure>\n\n\n\n

Same login page but \/operators\/ endpoint instead of \/users\/. Let’s try those default credentials again.<\/p>\n\n\n\n

\"daloradius<\/figure>\n\n\n\n

We are in!<\/p>\n\n\n\n

Here, I spent a little time browsing the site and taking note of anything interesting. In the config section there is a Database Settings menu that has a username and password for their MySQLi database. I’ll note that for future use, if needed.<\/p>\n\n\n\n

Additionally, I noticed there is 1 user listed on the main page. Clicking on the user list shows us what appears to be a hashed password for that user.<\/p>\n\n\n\n

\"user<\/figure>\n\n\n\n

We can take that hash and convert it to see what the password is.<\/p>\n\n\n\n

\"md5<\/figure>\n\n\n\n

Now that we have the password, let’s try using this account & password on the ssh service.<\/p>\n\n\n\n

\"ssh<\/figure>\n\n\n\n

We now have user access to the box and the user flag is sitting in our current directory.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

User flag has been captured. Now, let’s work on privilege escalation to get the root flag.<\/p>\n\n\n\n

We’ll use our trusty linpeas script. Linpeas stands for linux privilege escalation awesome tool, if I remember correctly. It’s a super useful tool to scan the system and look for possible ways to gain root access. There is also a windows version called winpeas.<\/p>\n\n\n\n

I will host the linpeas from a local folder on my attack machine via a python simple http server and then from the victim machine I will use curl to grab and run the script.<\/p>\n\n\n\n

\"hosting<\/figure>\n\n\n\n

Above I’m running a simple http server and you can see the incoming GET request for linpeas.sh.<\/p>\n\n\n\n

\"curling<\/figure>\n\n\n\n

Here, you can see the curl request to my attack box for the linpeas script and then running it.<\/p>\n\n\n\n

\"svcMosh\"<\/figure>\n\n\n\n

After a bit of running we can see the output of a simple ‘sudo -L’ command. svcMosh account can run \/usr\/bin\/mosh-server with root privileges.<\/p>\n\n\n\n

Do I know what mosh-server is? Nope! After a bit of Google searching on what mosh-server is and how to do privilege escalation with it, I found this Medium article<\/a> super handy. By the way, did I mention how much time I spend Googling during these machines? There’s so many different tools, software, and exploits out there that Google becomes super useful.<\/p>\n\n\n\n

\"runing<\/figure>\n\n\n\n

Above, we run the mosh server and then following the article, we take the key and connect with the mosh client locally. This brings us directly in as a root user. Just as a side note, this took me SEVERAL tries to do. For some reason when I was copying the key after starting the mosh server it was not connecting. I’m not sure if it was how I was pasting or if I was accidentally copying a space. So, if it doesn’t work the first time, be very careful how you copy\/paste.<\/p>\n\n\n\n

\"root<\/figure>\n\n\n\n

Now that I have root, we can simply grab the root flag and finish this machine.<\/p>\n\n\n\n

This was a pretty interesting one! I’ve not messed with mosh server before or the daloradius. So these are two new services to me that I had a blast exploiting. I hope you enjoyed the walkthrough and I’ll see you again on the next one!<\/p>\n","protected":false},"excerpt":{"rendered":"

It’s been a bit since I’ve posted any walkthroughs, so here we are back with an easy machine called UnderPass.<\/p>\n

Continue readingHackTheBox – UnderPass Walkthrough<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":545,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[31],"tags":[33,42,34],"class_list":["post-515","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf-challenge-walkthroughs","tag-ctf","tag-hackthebox","tag-walkthrough"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/01\/underpass.png","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=515"}],"version-history":[{"count":1,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/515\/revisions"}],"predecessor-version":[{"id":546,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/515\/revisions\/546"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/media\/545"}],"wp:attachment":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}