🛣️UnderPass

Starting with some scanning

image.png

A bit more UDP scan

something interesting

SnmpWalk to extract some useful hints

Daloradius? what's that?

The documentation points at URLs like <BASEURL>/daloradius/<something> let's fuzz!

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt https://underpass.htb/daloradius/FUZZ

We found /app and fuzzed again for the next folders, and found:

app/users → login page

app/operators → another login page

The documentation also mentioned default creds: adminstrator:radius

found the hashed pw, throw it in crackstation and get the actual pass

So now we have the user (svcMosh) and it's password, time to SSH and get the user flag!

Now, start scouting for some privesc

what's a mosh-server?!

OK, now that we know, let's try and use it...

it seems to have created a server as root, let's try and connecto to it with mosh-client

Nice. Get the flag and we're done!

Last updated