HTB: Underpass - OSCP Prep Write-up
HTTP gave nothing. The real entry point was hiding on UDP - a reminder that TCP-only scans miss half the attack surface. Machine info Name Underpass Platform HackTheBox OS Linux Difficulty Easy TL;DR UDP scan reveals SNMP and RADIUS; SNMP walk with the public community string leaks hostname and username daloRADIUS web interface accessible with default credentials (administrator:radius) User svcMosh has an MD5 password hash in the RADIUS database - John cracks it SSH as svcMosh, sudo -l shows mosh-server without a password - run it as root and connect with mosh-client to get a root shell Recon Nmap TCP 1 nmap -sV -sC -Pn -A 10.129.231.213 ...