
Hack The Box: Underpass Machine Walkthrough – Easy Difficulty


Introduction to UnderPass:

This guide explores the “Underpass” machine on Hack The Box, an easy-rated Linux challenge. We will cover reconnaissance, exploitation, and privilege escalation to capture the user and root flags.

Objective Underpass:

The goal of the Underpass machine is to achieve user and root access through systematic enumeration and exploitation.

User Flag: Access the svcMosh account by enumerating SNMP to identify a Daloradius instance, log in with default credentials, retrieve an MD5-hashed password for svcMosh, crack it, and SSH into the machine. The user flag is located in the svcMosh home directory.

Root Flag: Escalate privileges using mosh-server, which can be executed with sudo without a password. This provides a session key and port to establish a root session, allowing access to the root flag in /root/root.txt.

Enumerating the Underpass Machine

Reconnaissance:

Nmap Scan (TCP):

nmap -sC -sV -oA initial 10.10.11.48

Output

┌─[dark@parrot]─[~/Documents/htb/underpass]
└──╼ $nmap -sC -sV -oA initial 10.10.11.48
# Nmap 7.94SVN scan initiated Thu May  1 06:40:30 2025 as: nmap -sC -sV -oA initial 10.10.11.48
Nmap scan report for 10.10.11.48
Host is up (0.019s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_  256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Analysis:

  • 22/tcp (SSH): A potential entry point for remote access once valid credentials are obtained; further enumeration is needed to identify valid users or a weakness that yields them.
  • 80/tcp (HTTP): Hosts an Apache web server, suggesting a web application or misconfiguration that could be exploited, so detailed web enumeration is warranted.

Web Enumeration on UnderPass machine:

The website shows the default Apache2 landing page.

Gobuster scan reveals no significant directories.


UDP Scan:

nmap -sV -sC -sU -oA initial_udp -Pn 10.10.11.48

Output Highlights:

┌─[dark@parrot]─[~/Documents/htb/underpass]
└──╼ $nmap -sV -sC -sU -oA initial_udp -Pn 10.10.11.48
# Nmap 7.94SVN scan initiated Thu May  1 06:16:22 2025 as: nmap -sV -sC -sU -oA initial_udp -Pn 10.10.11.48
Nmap scan report for 10.10.11.48
Host is up (0.038s latency).
Not shown: 997 closed udp ports (port-unreach)
PORT     STATE         SERVICE VERSION
161/udp  open          snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: c7ad5c4856d1cf6600000000
|   snmpEngineBoots: 31
|_  snmpEngineTime: 23m27s
| snmp-sysdescr: Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
|_  System uptime: 23m26.89s (140689 timeticks)
1812/udp open|filtered radius
1813/udp open|filtered radacct
Service Info: Host: UnDerPass.htb is the only daloradius server in the basin!

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Port Analysis:

  • 161/udp (SNMP): Exposes system details and the hostname UnderPass.htb, indicating potential for further enumeration to uncover network services or credentials.
  • 1812/udp (RADIUS): Likely the authentication port of the Daloradius/FreeRADIUS setup. The open|filtered state suggests little direct access, so interaction will probably go through the web front end.
  • 1813/udp (radacct): The RADIUS accounting port, also open|filtered, implying a supporting role in the Daloradius infrastructure.

Exploitation

SNMP Enumeration:

Using snmp-check, we identify the hostname UnderPass.htb and learn that a Daloradius server is installed on the machine.

The domain UnderPass.htb is confirmed, but the web server still displays the Apache2 default page.
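The SNMP exposure above comes from the agent answering SNMPv1/v2c with the community "public" to anyone who asks, which is what leaks the hostname and the Daloradius hint. The following Python script is an added example (not code from the walkthrough or from net-snmp) that checks an snmpd.conf for exactly that: guessable community strings, communities accepted from any source, SNMPv3 users allowed without authentication, and the agent bound to all interfaces. Both configuration texts are constructed samples; the directive names are net-snmp's, and GUESSABLE is an illustrative word list, not an authoritative one.

```python
"""Audit an snmpd.conf for guessable SNMPv1/v2c communities and other weak
access settings. Added example; config texts below are constructed."""

# Constructed: a default-style config that answers "public" over v1/v2c on every interface.
WEAK_SNMPD_CONF = """\
# constructed sample, not the machine's real config
agentaddress udp:161
rocommunity public default
rwcommunity private 127.0.0.1
sysLocation  the basin
"""

# Constructed hardened counterpart: bound to specific addresses, SNMPv3 authPriv
# only, a single read-only user restricted to the system subtree.
HARDENED_SNMPD_CONF = """\
agentaddress udp:127.0.0.1:161,udp:10.0.0.5:161
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
rouser monitor authpriv -V systemonly
"""

# Illustrative list of community strings that scanners try first.
GUESSABLE = {"public", "private", "community", "snmp", "manager", "admin", "default", "secret"}
V12C_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


def check_community(directive, community, source):
    """Findings for one v1/v2c community definition (directive, string, source)."""
    out = []
    base = "high" if directive.startswith("rw") else "medium"
    if community.lower() in GUESSABLE or len(community) < 8:
        out.append(("high", directive, f"guessable community '{community}'"))
    else:
        out.append(("low", directive, "v1/v2c community travels in cleartext; prefer SNMPv3 authPriv"))
    if source in ("", "default"):
        out.append((base, directive, "accepted from any source address"))
    return out


def audit_snmpd_conf(text):
    """Return (severity, directive, message) findings for an snmpd.conf text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "agentaddress" and len(parts) > 1:
            for endpoint in parts[1].split(","):
                # "udp:161" or "161" gives a port but no bind address: all interfaces.
                if endpoint.count(":") <= 1:
                    findings.append(("info", directive, f"'{endpoint}' listens on all interfaces"))
        elif directive in V12C_DIRECTIVES:
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else "default"
            if source.startswith("-"):  # e.g. "-V view" with no source given
                source = "default"
            findings.extend(check_community(directive, community, source))
        elif directive == "com2sec" and len(parts) > 3:  # com2sec NAME SOURCE COMMUNITY
            findings.extend(check_community(directive, parts[3], parts[2]))
        elif directive in ("rouser", "rwuser") and len(parts) > 2 and parts[2].lower() == "noauth":
            findings.append(("high", directive, f"SNMPv3 user '{parts[1]}' allowed without authentication"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SNMPD_CONF), ("hardened", HARDENED_SNMPD_CONF)):
        print(f"== {label} ==")
        for severity, directive, message in audit_snmpd_conf(conf) or [("ok", "-", "no findings")]:
            print(f"[{severity:6}] {directive}: {message}")
```

Run it against a copied /etc/snmp/snmpd.conf to see which lines would let a scanner pull sysDescr and sysName the way the nmap output above did; the hardened sample produces no findings because it has no community strings at all.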

daloRADIUS

daloRADIUS is a web-based management platform designed for overseeing network access services, such as Wi-Fi hotspots and ISPs. It provides functionality for user account administration, usage reporting, billing management, and location tracking. The platform integrates seamlessly with FreeRADIUS and operates using its shared database.

Three directories are found: common, operators, and users.

Daloradius Access

The /operators directory is accessible with the daloRADIUS default credentials:

  • Username: administrator
  • Password: radius

Authentication to the /users directory with these credentials failed.

Let’s try the same credentials on the /operators endpoint.

Authentication to /operators was successful, providing access to the dashboard.

Let’s review the list of users stored here.

Discover an MD5-hashed password for svcMosh.

Verify the hashing algorithm utilized.

Crack the hash to obtain the svcMosh password.

Establish an SSH connection to the machine using the svcMosh account.

We can read the user flag by typing the “cat user.txt” command.
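Two weaknesses combine in the steps above: the daloRADIUS operator login still uses the shipped default, and the svcMosh password is stored in radcheck as unsalted MD5, so an operator-level read turns into an offline crack and an SSH login. The following Python script is an added example (not code from the walkthrough, FreeRADIUS or daloRADIUS) that audits both: it flags password attributes stored in weak forms, shows the salted alternative, and checks operator records against the default pair. All rows are constructed. The attribute names follow the FreeRADIUS rlm_pap dictionary as I know it (Cleartext-Password, MD5-Password, SSHA2-256-Password, ...) and the SSHA2 layout base64(digest || salt); confirm both against the dictionary shipped with your version. How a given daloRADIUS version stores operator passwords (plaintext or MD5 hex) is also an assumption here.

```python
"""Audit radcheck password storage and daloRADIUS operator defaults.
Added example; all rows are constructed; attribute names and SSHA2 layout
are assumptions about rlm_pap (see lead-in)."""
import base64
import hashlib
import hmac
import os

# Risk of each password attribute as stored in radcheck: attribute -> (severity, reason).
STORAGE_RISK = {
    "Cleartext-Password": ("high", "stored in cleartext"),
    "MD5-Password": ("high", "unsalted MD5, trivially cracked offline"),
    "SHA-Password": ("high", "unsalted SHA-1"),
    "SHA1-Password": ("high", "unsalted SHA-1"),
    "NT-Password": ("high", "unsalted MD4 (NTLM)"),
    "SMD5-Password": ("medium", "salted but fast MD5"),
    "SSHA-Password": ("medium", "salted but fast SHA-1"),
    "SSHA2-256-Password": ("low", "salted SHA-256"),
    "SSHA2-512-Password": ("low", "salted SHA-512"),
    "Crypt-Password": ("low", "crypt(3); strength depends on the $id$ prefix"),
}


def make_ssha2_256(password, salt=None):
    """Build an SSHA2-256-Password value: base64(SHA-256(password||salt) || salt).
    Assumed rlm_pap layout; a fresh random salt is used when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(password.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()


def verify_ssha2_256(password, stored):
    """Check a password against a value produced by make_ssha2_256."""
    raw = base64.b64decode(stored)
    digest, salt = raw[:32], raw[32:]
    return hmac.compare_digest(hashlib.sha256(password.encode() + salt).digest(), digest)


def audit_radcheck(rows):
    """rows: (username, attribute, op, value) as in the radcheck table.
    Returns (username, severity, reason) for each password attribute whose
    storage class is not low-risk; non-password attributes are ignored."""
    findings = []
    for username, attribute, _op, _value in rows:
        if attribute not in STORAGE_RISK:
            continue  # e.g. Auth-Type, Expiration
        severity, reason = STORAGE_RISK[attribute]
        if severity != "low":
            findings.append((username, severity, f"{attribute}: {reason}"))
    return findings


DEFAULT_OPERATORS = {("administrator", "radius")}  # daloRADIUS shipped default


def default_operator_findings(operators):
    """operators: (username, stored) pairs where stored is the plaintext password
    or its MD5 hex digest (assumption about the operators schema).
    Returns the usernames still using a default pair."""
    hits = []
    for username, stored in operators:
        for d_user, d_pass in DEFAULT_OPERATORS:
            hashed = hashlib.md5(d_pass.encode()).hexdigest()
            if username.lower() == d_user and stored in (d_pass, hashed):
                hits.append(username)
    return hits


# Constructed sample data.
RADCHECK_ROWS = [
    ("svcMosh", "MD5-Password", ":=", hashlib.md5(b"constructed-pass").hexdigest()),
    ("guest1", "Cleartext-Password", ":=", "constructed-guest-pass"),
    ("ops1", "SSHA2-256-Password", ":=", make_ssha2_256("constructed-ops-pass", b"0123456789abcdef")),
    ("ops1", "Expiration", ":=", "31 Dec 2026"),
]
OPERATORS = [
    ("administrator", hashlib.md5(b"radius").hexdigest()),
    ("alice", hashlib.md5(b"constructed-other-pw").hexdigest()),
]

if __name__ == "__main__":
    for user, severity, reason in audit_radcheck(RADCHECK_ROWS):
        print(f"[{severity}] {user}: {reason}")
    for user in default_operator_findings(OPERATORS):
        print(f"[high] operator '{user}' still uses the default password")
```

The practical fix the audit points at is to rotate the operator password, re-store user passwords with a salted attribute (or move PAP users to a backend that hashes properly), and stop reusing the RADIUS password as the account's SSH password, which is the reuse that turned a cracked hash into a shell.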

Escalating to Root Privileges

Privilege Escalation

Check sudo privileges:

The mosh-server binary can be executed with sudo privileges without requiring a password.

Execute mosh-server and obtain a session key and port.

Use the key and port to establish a root session.

We can read the root flag by typing the “cat root.txt” command.

Note: Re-running the same command may fail due to session issues.
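The root path above rests on a single sudoers rule: a NOPASSWD entry for a binary (mosh-server) that hands whoever runs it an interactive session as root. The following Python script is an added example (not code from the walkthrough, sudo or mosh) that parses sudoers user-specification lines and flags such rules: NOPASSWD on session-spawning binaries, unrestricted ALL rules, and any remaining NOPASSWD entry for review. The sudoers text is constructed; SHELL_CAPABLE is an illustrative list of binaries that can spawn a shell or session when run as root (mosh-server is on it because of the behaviour shown above), so extend it for your own estate; the tag keywords are sudo's own.

```python
"""Flag sudoers rules that hand out a root shell or session. Added example;
the sudoers text is constructed and SHELL_CAPABLE is illustrative."""
import re
from os.path import basename

# Tag keywords from sudoers(5).
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV", "LOG_INPUT",
        "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL", "FOLLOW",
        "NOFOLLOW", "INTERCEPT", "NOINTERCEPT"}
# Illustrative: programs that give an interactive shell/session to their caller.
SHELL_CAPABLE = {"bash", "sh", "zsh", "dash", "mosh-server", "vim", "vi", "less",
                 "more", "python", "python3", "perl", "find", "env", "awk"}
ALIAS_KEYWORDS = {"User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}

# user  host = (runas)  tags: commands
SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.*)$")

# Constructed sudoers content (not the machine's real file).
SUDOERS_SAMPLE = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
svcMosh ALL=(ALL) NOPASSWD: /usr/bin/mosh-server
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
alice ALL=(ALL) /usr/bin/vim, /usr/bin/less
"""


def parse_spec(line):
    """Parse one user-specification line into a dict; None for comments, blank
    lines, Defaults and alias definitions. '#include' lines are dropped with
    the comments, so included files must be audited separately."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults") or line.split()[0] in ALIAS_KEYWORDS:
        return None
    m = SPEC.match(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    tags = []
    while tokens and tokens[0].endswith(":") and tokens[0][:-1].upper() in TAGS:
        tags.append(tokens.pop(0)[:-1].upper())
    commands = [c.strip() for c in " ".join(tokens).split(",") if c.strip()]
    return {"user": m.group("user"), "host": m.group("host"),
            "runas": m.group("runas") or "root", "tags": tags, "commands": commands}


def audit_sudoers(text):
    """Return (user, severity, command, message) findings for every non-root rule."""
    findings = []
    for line in text.splitlines():
        spec = parse_spec(line)
        if spec is None or spec["user"] == "root":
            continue
        nopasswd = "NOPASSWD" in spec["tags"]
        for cmd in spec["commands"]:
            prog = cmd.split()[0]
            if prog == "ALL":
                sev = "high" if nopasswd else "info"
                msg = "unrestricted sudo" + (" without a password" if nopasswd else "")
            elif basename(prog) in SHELL_CAPABLE:
                sev = "high" if nopasswd else "medium"
                msg = (f"{basename(prog)} can spawn a shell/session as {spec['runas']}"
                       + (" with no password prompt" if nopasswd else ""))
            elif nopasswd:
                sev, msg = "low", "NOPASSWD rule: confirm arguments and paths cannot be abused"
            else:
                continue
            findings.append((spec["user"], sev, cmd, msg))
    return findings


def remove_nopasswd(line):
    """Minimal remediation: strip the NOPASSWD tag so sudo prompts again."""
    return re.sub(r"\bNOPASSWD:\s*", "", line)


if __name__ == "__main__":
    for user, sev, cmd, msg in audit_sudoers(SUDOERS_SAMPLE):
        print(f"[{sev:6}] {user}: {cmd} -> {msg}")
```

For the mosh-server rule specifically, removing the NOPASSWD tag is only the minimal fix: mosh-server runs as the connecting user and does not need root to serve a session, so the rule should simply be deleted. Feed the script `sudo -l`-style spec lines or the contents of /etc/sudoers and /etc/sudoers.d/* to find comparable rules elsewhere.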