Hack The Box: UnderPass

A medium-difficulty penetration test involving multi-protocol enumeration, credential discovery through exposed services, password cracking, and privilege escalation via a misconfigured sudo rule for a network utility.

Category: Security Lab
Stack: Nmap, SNMP, Gobuster, Hashcat, SSH, mosh
Date: Feb 2, 2025

The Challenge

The UnderPass machine required chaining multiple enumeration techniques across TCP, UDP, and web services to uncover hidden attack paths.

Unlike simpler labs, this challenge emphasized situational awareness and the ability to pivot when initial access attempts failed, reinforcing real-world pentesting methodology.

My Approach

I began with full TCP and targeted UDP scans to build a complete picture of exposed services instead of relying on TCP enumeration alone.

When traditional web login attempts failed, I expanded the scope to include SNMP and directory brute forcing to uncover less obvious entry points.

I treated every discovered service as a potential information leak rather than assuming it required direct exploitation.

Build Process

1. Performed full TCP and top-100 UDP scans to identify SSH, HTTP, and SNMP services
2. Enumerated SNMP to extract system metadata and identify references to daloRADIUS
3. Brute-forced web directories to locate hidden application paths and multiple login portals
4. Authenticated to the daloRADIUS operators interface using default credentials
5. Extracted a hashed password for the svcMosh service account
6. Cracked the MD5 hash using Hashcat and a large password wordlist
7. Logged in via SSH with recovered credentials and obtained user-level access
8. Enumerated sudo privileges to identify a misconfigured mosh-server binary
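The two misconfigurations the chain above depends on, a default SNMP community string and a passwordless sudo rule on a network utility, are both visible in host configuration before anyone scans for them. The following audit script is an added example for this write-up, not code from the original project or from Hack The Box; the sudoers and snmpd.conf excerpts it checks are constructed samples, and the user and binary names in them mirror the write-up only to make the findings recognisable.

```python
"""Audit sudoers and snmpd.conf text for the weaknesses this box relied on.

Added example, not part of the original write-up. Both config excerpts are
constructed samples; point the two functions at real file contents to audit
a host you administer.
"""
import re

# Constructed sudoers excerpt: two ordinary rules plus a NOPASSWD rule that
# lets a service account run a network utility as root without a password.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
svcMosh ALL=(ALL) NOPASSWD: /usr/bin/mosh-server   # constructed
"""

# Constructed snmpd.conf excerpt exposing the well-known "public" community.
SAMPLE_SNMPD = """\
rocommunity public  default
sysLocation Lab
sysContact  admin@example.invalid
"""

# user  host=(runas) [tags:] commands   (the common sudoers rule shape)
SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<spec>.*)$"
)


def find_nopasswd_rules(sudoers_text):
    """Return (user, runas, commands) for every rule tagged NOPASSWD."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        spec = m.group("spec")
        if "NOPASSWD:" in spec:
            commands = spec.split("NOPASSWD:", 1)[1].strip()
            findings.append((m.group("who"), m.group("runas"), commands))
    return findings


DEFAULT_COMMUNITIES = {"public", "private"}


def find_default_communities(snmpd_text):
    """Return (directive, community) pairs that use a well-known default."""
    hits = []
    for line in snmpd_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] in ("rocommunity", "rwcommunity"):
            community = parts[1]
        elif parts[0] == "com2sec" and len(parts) >= 4:
            community = parts[3]        # com2sec NAME SOURCE COMMUNITY
        else:
            continue
        if community in DEFAULT_COMMUNITIES:
            hits.append((parts[0], community))
    return hits


if __name__ == "__main__":
    for who, runas, cmd in find_nopasswd_rules(SAMPLE_SUDOERS):
        print(f"[sudo] {who} may run {cmd} as {runas} without a password")
    for directive, community in find_default_communities(SAMPLE_SNMPD):
        print(f"[snmp] {directive} uses default community '{community}'")
```

A NOPASSWD rule is not automatically a finding on its own, but one that hands a service account a program able to start an interactive session as root is equivalent to giving that account root. The fix on a host like this is to remove the rule, or at least to require a password and restrict the command to the arguments the account actually needs; the SNMP fix is a non-default community restricted to the management network, or SNMPv3.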

Security Focus

This machine demonstrated how exposed management interfaces with default credentials can lead to full system compromise.

The use of MD5 hashing without salting highlighted the dangers of weak password storage practices.
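To make the salting point concrete, here is an added example (not code from daloRADIUS or from the original write-up) contrasting how an unsalted MD5 store behaves with a salted, iterated PBKDF2-SHA256 store. The storage format and the helper names are my own assumptions for the demonstration.

```python
"""Unsalted MD5 versus salted PBKDF2 password storage.

Added example, not part of the original write-up. Storage format and
function names are assumptions made for this demonstration.
"""
import hashlib
import hmac
import os


def md5_store(password):
    """Store the way the compromised application did: one unsalted digest."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, salt=None, iterations=600_000):
    """Store with a random 16-byte salt and an iteration count.

    Format (assumed for this example): algo$iterations$salt_hex$digest_hex
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def shared_digests(store_fn, passwords):
    """Count how many distinct stored values a list of passwords yields.

    With an unsalted scheme, users who share a password share a digest, so
    one lookup in a precomputed table reveals all of them at once; with a
    salted scheme every record is distinct even for identical passwords.
    """
    return len({store_fn(p) for p in passwords})


if __name__ == "__main__":
    users = ["password", "password", "password"]
    print("distinct MD5 records:   ", shared_digests(md5_store, users))
    print("distinct PBKDF2 records:", shared_digests(pbkdf2_store, users))
    rec = pbkdf2_store("correct horse")
    print("verify good password:", pbkdf2_verify("correct horse", rec))
    print("verify wrong password:", pbkdf2_verify("wrong", rec))
```

The MD5 line takes microseconds per guess and, being unsalted, lets a single precomputed table serve every account in the database; the PBKDF2 line forces one deliberately slow computation per guess per account, which is the property a cracking run like the one in this write-up cannot work around.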

Allowing passwordless sudo access to a network utility introduced a critical privilege escalation path.

The challenge reinforced the importance of service hardening, credential hygiene, and strict sudo policy enforcement.

Results

Achieved initial access by chaining SNMP enumeration, credential reuse, and password cracking.

Escalated privileges to root by abusing a misconfigured sudo rule for mosh-server.

Captured both user and root flags successfully.

Gained deeper experience in multi-stage attack chains that combine enumeration, offline hash cracking, and local privilege escalation.

This project is fully documented on GitHub, including notes, commits, and future ideas.