HTTP gave nothing. The real entry point was hiding on UDP - a reminder that TCP-only scans miss half the attack surface.

Machine info

  • Name: Underpass
  • Platform: HackTheBox
  • OS: Linux
  • Difficulty: Easy

TL;DR

  • UDP scan reveals SNMP and RADIUS; SNMP walk with the public community string leaks hostname and username
  • daloRADIUS web interface accessible with default credentials (administrator:radius)
  • User svcMosh has an MD5 password hash in the RADIUS database - John cracks it
  • SSH as svcMosh; sudo -l shows mosh-server runnable as root without a password - start it with sudo and connect with mosh-client to get a root shell

Recon

Nmap TCP

nmap -sV -sC -Pn -A 10.129.231.213

Nmap TCP results

Ports 22 (SSH) and 80 (HTTP). Apache 2.4.52. The web page is the default Apache placeholder - nothing on TCP to work with.

UDP scan

nmap -sU 10.129.231.213 --top-ports=100

UDP scan showing SNMP and RADIUS ports

Port 161/UDP (SNMP) is open alongside RADIUS ports (1812, 1813). Worth enumerating.


Enumeration

SNMP - leaking hostname and username

onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.129.231.213
snmpwalk -c public -v1 10.129.231.213

SNMP community scan and walk output

The public community string works. The walk returns the system description (Linux underpass) and a contact field: steve@underpass.htb. That gives a hostname and a likely username in one request; add underpass.htb to /etc/hosts.

daloRADIUS - default credentials

daloRADIUS is a web management application for FreeRADIUS servers, providing a browser-based interface to manage users, NAS devices, billing, and reporting. Searching for its default login path reveals it sits at /daloradius/app/operators/login.php. Default credentials administrator:radius work straight away:

daloRADIUS dashboard after login

Database credentials and user hash

Under Config -> Database Settings:

Database settings page

DB user steve, password testing123 - noted. More useful right now: under Management -> Users, there is a user svcMosh whose password field holds a raw MD5 hash:

svcMosh user with MD5 hash

Hash: 412DD4759978ACFCC81DEAB01B382403

Cracking the hash

john hash --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt

John cracking the MD5 hash to underwaterfriends

Cracked: underwaterfriends.


Foothold

SSH as svcMosh

ssh svcMosh@underpass.htb

SSH login as svcMosh


Privilege Escalation

GTFOBins: mosh-server

sudo -l

sudo -l showing mosh-server without password

svcMosh can run /usr/bin/mosh-server as root without a password. Mosh (mobile shell) is a UDP-based replacement for SSH designed to handle roaming and intermittent connectivity. The server component starts a session, prints a connection key and port, then detaches. Critically, the shell it spawns for the connecting client runs as whatever user started the server - under sudo, that is root.

Running it as root:

sudo mosh-server

sudo mosh-server output with MOSH_KEY and port

The server prints MOSH CONNECT 60001 <KEY> and detaches. Take that key and connect from the attacker machine:

mosh-client connecting with MOSH_KEY

MOSH_KEY=3TmXE+cnsyvbHeBliolucg mosh-client 10.129.231.213 60001

Root shell reading root.txt

Root shell.
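To turn this finding into a repeatable audit, here is an added Python example (not part of the writeup) that parses `sudo -l` output and flags NOPASSWD rules whose target binary hands the caller an interactive session, as mosh-server does. The sample output and the spawner list are constructed for illustration; the list is a hypothetical starting point, not a copy of GTFOBins.

```python
import os
import re

# Constructed sample of `sudo -l` output, modelled on the writeup's finding
# (not captured from the box).
SAMPLE_SUDO_L = """Matching Defaults entries for svcMosh on underpass:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User svcMosh may run the following commands on underpass:
    (ALL) NOPASSWD: /usr/bin/mosh-server
    (root) /usr/bin/systemctl restart apache2
"""

# Binaries that give the invoking user a shell or a session as the Runas user.
# Hypothetical short list for the audit; extend it from GTFOBins for real use.
SHELL_SPAWNERS = {"mosh-server", "bash", "sh", "vim", "less", "python3", "env"}

# Matches a sudoers rule line such as "(ALL) NOPASSWD: /usr/bin/mosh-server".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_rules(output):
    """Return one dict per command listed under 'may run the following commands'."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines and headers never start with "(runas)"
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(", "):
            cmd = cmd.strip()
            binary = os.path.basename(cmd.split()[0]) if cmd != "ALL" else "ALL"
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd,
                "binary": binary,
            })
    return rules


def audit_sudo(output):
    """Flag rules that run as root/ALL and spawn a session without a password."""
    findings = []
    for rule in parse_sudo_rules(output):
        as_root = rule["runas"].upper() in {"ALL", "ROOT"} or "root" in rule["runas"]
        spawns = rule["binary"] == "ALL" or rule["binary"] in SHELL_SPAWNERS
        if rule["nopasswd"] and as_root and spawns:
            findings.append(rule)  # mitigation: drop the rule or restrict Runas
    return findings
```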


Takeaways (for OSCP)

  • Always run a UDP scan. SNMP (161), TFTP (69), and RADIUS (1812) live on UDP and are invisible to TCP-only scans. On OSCP machines, UDP findings are often the intended entry point.
  • SNMP with the public community string is still common. A walk can leak hostnames, usernames, software versions, and running processes - treat it like free enumeration.
  • Default credentials on internal management tools are almost guaranteed. daloRADIUS, phpMyAdmin, Grafana, Nagios - check the docs for defaults before anything else.
  • Niche sudo binaries are still covered by GTFOBins. mosh-server is not an obvious privesc tool, but anything that can run as root and spawns a shell is exploitable.
