User flag
OK, we are starting 2025 with everything!
Initial footprint:
n0kt.rabbit:.../infosec/htb (main) ➜ curl -I underpass.htb
HTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 22:03:48 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Thu, 29 Aug 2024 01:28:15 GMT
ETag: "29af-620c8638b9276"
Accept-Ranges: bytes
Content-Length: 10671
Vary: Accept-Encoding
Content-Type: text/html
Some port scanning:
n0kt.rabbit:~/Downloads ➜ sudo nmap -n -Pn -sC -O -T4 -p- underpass.htb
Password:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-14 17:54 -04
Warning: 10.10.11.48 giving up on port because retransmission cap hit (6).
Stats: 0:09:07 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 72.63% done; ETC: 18:06 (0:03:26 remaining)
Stats: 0:09:07 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 72.70% done; ETC: 18:06 (0:03:25 remaining)
Stats: 0:09:08 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 72.75% done; ETC: 18:06 (0:03:25 remaining)
Nmap scan report for underpass.htb (10.10.11.48)
Host is up (0.12s latency).
Not shown: 65503 closed tcp ports (reset), 30 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_ 256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open http
|_http-title: Apache2 Ubuntu Default Page: It works
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 951.50 seconds
Besides TCP, I’m also scanning UDP, specifically the SNMP ports (161 and 162):
n0kt.rabbit:~/Downloads ➜ sudo nmap -sU -p 161,162 -sV --script "snmp*" underpass.htb
Password:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-16 15:59 -04
Nmap scan report for underpass.htb (10.10.11.48)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: c7ad5c4856d1cf6600000000
| snmpEngineBoots: 31
|_ snmpEngineTime: 9h56m12s
| snmp-brute:
|_ public - Valid credentials
| snmp-sysdescr: Linux underpass 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
|_ System uptime: 9h56m15.30s (3577530 timeticks)
162/udp closed snmptrap
Service Info: Host: UnDerPass.htb is the only daloradius server in the basin!
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.49 seconds