Time to user.txt: ~45 minutes Time to root.txt: ~55 minutes

Reconnaissance

• Identified open ports: 22 (SSH), 80 (HTTP), 161 (SNMP).
• Used snmpwalk on the public community string to extract system information. Discovered UnDerPass.htb indicating a daloradius instance.
• Verified HTTP path /daloradius/ directly from the hint in the SNMP response.
• Directory brute-force tools (Gobuster, ffuf) ran into 403 Forbidden for many standard paths, but login.php under /daloradius/app/operators/ was available.

Foothold

• Used default credentials administrator:radius to log into the daloRADIUS operator portal.
• Navigated the panel and found a user svcMosh with MD5 password hash underwaterfriends.
• Logged in via SSH: svcMosh:underwaterfriends.
• Captured user.txt.

Privilege Escalation

• Ran sudo -l to find that the svcMosh user can run sudo /usr/bin/mosh-server new without a password.
• mosh-server executes the command with the privileges of the user invoking it (root).
• Used mosh-server new -c 256 -- /bin/sh -c "cp /root/root.txt /tmp/root.txt && chmod 666 /tmp/root.txt" natively on the target host via SSH to have mosh-server spawn as root, execute the copy payload when a mosh client connects.
• Triggered execution by running mosh-client on the target system to grab the flag safely.
• Captured root.txt.

Lessons Learned

• Always check SNMP if available, as the sysDescr object often leaks valuable context like hostnames or installed appliance software.
• Default credentials on known appliances (like daloRADIUS) are common footholds.
• Sudo access to commands that can spawn shells or execute arbitrary commands (like mosh-server) effectively means full root access.