Hack The Box
UnderPass
Summary
UnderPass is an Easy Linux machine where the web server only serves a default
Apache page. UDP enumeration reveals SNMP, which leaks references to a
daloRADIUS deployment. The panel is accessible with default credentials,
exposing a user hash that is cracked for SSH access as svcMosh. A sudo rule
allowing mosh-server is then abused to obtain a root shell.
Machine Information
| Name | Difficulty | OS | Platform |
|---|---|---|---|
| UnderPass | Easy | Linux | Hack The Box |
Attack Path
- Nmap reveals SSH and HTTP services.
- The web server only shows the default Apache page.
- UDP enumeration discovers an SNMP service.
- SNMP leaks information about daloRADIUS.
- The daloRADIUS panel is accessed with default credentials.
- A password hash is extracted and cracked.
- SSH access is obtained as svcMosh.
- A sudo rule allows running mosh-server.
- The Mosh session is abused to obtain a root shell.
Reconnaissance
Initial enumeration was performed with Nmap.
nmap -sC -sV -A 10.10.11.48

| Port | Service |
|---|---|
| 22 | SSH |
| 80 | HTTP (Apache) |
Web Enumeration
The web server only returned the default Apache page, so enumeration moved to other protocols.
SNMP Enumeration
A UDP scan revealed that SNMP was running, and snmpwalk returned useful
information, including references to daloRADIUS.
snmpwalk -v2c -c public 10.10.11.48
This indicated that a RADIUS management interface might be reachable on the web server.
Accessing daloRADIUS
The operator login was located at:
/daloradius/app/operators/login.php
The panel accepted default credentials:
administrator : radius
Credential Discovery
Inside the dashboard, a user account and password hash were found.

The hash was cracked, revealing system credentials:

svcMosh : underwaterfriends
Initial Access
The recovered credentials were reused to authenticate over SSH as svcMosh.
ssh svcMosh@10.10.11.48
This provided the initial foothold on the system.
Privilege Escalation
Enumeration
sudo -l showed the user could run mosh-server as root without a password.
(ALL) NOPASSWD: /usr/bin/mosh-server

Abusing mosh-server
Starting the server with sudo produced a MOSH key and port. Connecting to that session yielded an interactive shell running as root.
sudo /usr/bin/mosh-server new
Flags
User
cat /home/svcMosh/user.txt

318e3379c1865605a000a4c6fa5ad3d4
Root
cat /root/root.txt

fa23ecddd243c7ba0f1794f408f61a0b
Vulnerabilities Identified
SNMP Information Disclosure
- Public SNMP access exposed internal configuration details.
Impact: disclosure of service details and discovery of the daloRADIUS deployment.
Default Credentials
- The daloRADIUS panel accepted default credentials.
Impact: unauthorized access to system configuration and credential disclosure.
Privilege Escalation — mosh-server (sudo)
- svcMosh could run mosh-server as root via sudo, which was abused for a root shell.
Impact: full privilege escalation to root.
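A rule like this can be caught in a routine review of sudo privileges. The following added example (not part of the original write-up) parses `sudo -l` output and flags passwordless rules that can run as root; the `SESSION_SPAWNERS` watchlist, the function name `audit_sudo_l` and the sample output are assumptions constructed for illustration.

```python
import os
import re

# Assumption: illustrative, non-exhaustive watchlist of programs that hand the caller a shell.
SESSION_SPAWNERS = {"mosh-server", "bash", "sh", "screen", "tmux", "script"}

RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")  # "(runas) TAG: cmd, cmd"
TAG_RE = re.compile(r"^([A-Z_]+):\s*")             # NOPASSWD:, PASSWD:, SETENV:

def audit_sudo_l(output):
    """Return (severity, runas, command) for passwordless root-capable rules."""
    findings = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # headers and Defaults lines
        runas, rest = m.groups()
        users = {u.strip() for u in runas.split(":")[0].split(",")}
        if not users & {"ALL", "root"}:
            continue  # rule cannot run anything as root
        nopasswd = False  # a tag applies to the commands that follow it
        for item in re.split(r"(?<!\\),\s*", rest):
            item = item.strip()
            while (t := TAG_RE.match(item)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                item = item[t.end():]
            if not nopasswd or not item:
                continue
            if item == "ALL":
                severity = "unrestricted"
            elif os.path.basename(item.split()[0]) in SESSION_SPAWNERS:
                severity = "spawns-session"
            else:
                severity = "review"
            findings.append((severity, runas.strip(), item))
    return findings

# Constructed `sudo -l` output; only the mosh-server rule comes from this write-up.
SAMPLE = """\
User svcMosh may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/mosh-server
    (root) PASSWD: /usr/bin/systemctl status apache2, NOPASSWD: /usr/bin/tail /var/log/syslog
    (www-data) NOPASSWD: /bin/bash
"""

if __name__ == "__main__":
    for severity, runas, command in audit_sudo_l(SAMPLE):
        print(f"{severity:15} ({runas}) {command}")
```

Rules marked `spawns-session` or `unrestricted` are equivalent to granting root outright and should be removed or replaced with a narrowly scoped command.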
Tools Used
- Nmap
- snmpwalk
- SSH
- Hash cracking tools
- Mosh
Key Takeaways
- UDP enumeration can reveal services missed by a TCP-only scan.
- SNMP frequently leaks sensitive system information.
- Default credentials remain a common, high-impact issue.
- Misconfigured sudo rules are a reliable privilege escalation vector.