UnderPass
Nmap scanned the target IP and found ports 22 and 80 open.
Access port 80.
Going back to recheck, a UDP scan finds port 161.
Enumerating with NSE.
Enumerating using snmpbulkwalk, which retrieves a subtree of management values using SNMP GETBULK requests:
https://linux.die.net/man/1/snmpbulkwalk
https://github.com/lirantal/daloradius
The STRING values steve@underpass.htb and UnDerPass.htb refer to a single daloradius server. After researching daloradius servers on Google, we discovered that we can log in via http://underpass.htb/daloradius/app/operators/login.php using the default credentials:
Username: administrator
Password: radius
Successfully logged in.
There is already a list of users, which shows usernames and an MD5-hashed password.
We can then use the username along with the cracked password to connect via SSH.
Privilege Escalation:
The first thing we check when attempting privilege escalation is sudo -l:
When encountering a new command or service for the first time, reading the manual is always a good practice:
Description
mosh-server is a helper program for the remote terminal application mosh(1).
mosh-server connects on a high UDP port and selects an encryption key to secure the session. The program outputs both the port and key information to standard output, detaches from the terminal, and waits for a mosh client to establish a connection. The program will terminate if no client connects within 60 seconds.
Reading examples can help guide you.
Run the mosh-server command specifying port 61113, obtain the MOSH_KEY, and then run mosh-client with localhost and the port we specified.
Root shell!
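On the hardening side, the escalation above depends on a sudo rule that permits mosh-server. The script below is an added example, not part of the original writeup: it audits sudoers-format text for such rules. The RISKY watch list, the audit_sudoers function, the sample user names and the sample paths are all assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): audit sudoers text for rules
# that let a user run a session-spawning helper such as mosh-server.
RISKY="mosh-server"   # assumed watch list; extend with other shell-capable helpers

# audit_sudoers: sudoers-format text on stdin -> "user<TAB>command<TAB>auth" per hit.
# Limitations: Cmnd_Alias names are not expanded; a tag is treated as rule-wide.
audit_sudoers() {
  awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }      # join continued lines
    { line = buf $0; buf = "" }
    line ~ /^[ \t]*(#|$)/ { next }                     # comments and blank lines
    line ~ /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
    {
      eq = index(line, "="); if (eq == 0) next
      lhs = substr(line, 1, eq - 1); sub(/^[ \t]+/, "", lhs)
      split(lhs, f, /[ \t]+/); user = f[1]
      rhs = substr(line, eq + 1)
      auth = (rhs ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
      gsub(/\([^)]*\)/, "", rhs)                       # drop Runas specs
      gsub(/[A-Z_]+:/, "", rhs)                        # drop tags (NOPASSWD:, SETENV:)
      m = split(rhs, cmds, ",")
      for (i = 1; i <= m; i++) {
        cmd = cmds[i]; sub(/^[ \t]+/, "", cmd)
        split(cmd, w, /[ \t]+/); base = w[1]; sub(/.*\//, "", base)
        if (base in bad) print user "\t" w[1] "\t" auth
      }
    }
  '
}

# Constructed sample input; user names and paths are illustrative.
SAMPLE=$(cat <<'EOF'
# constructed sudoers excerpt
Defaults env_reset
svc_user ALL=(ALL) NOPASSWD: /usr/bin/mosh-server
backup ALL=(root) /usr/bin/rsync, \
    /usr/local/bin/mosh-server new
admin ALL=(ALL:ALL) ALL
EOF
)

printf '%s\n' "$SAMPLE" | audit_sudoers
```

On a real host, feed it the contents of /etc/sudoers and the files under /etc/sudoers.d; any hit means the listed user can start a root-owned session helper and the rule should be removed or tightened.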